The Pegasus Paradox: How a Spyware Investigator Became a Target of the Very Tool He Probed
In a development that has sent shockwaves through the corridors of European power, security researchers at the University of Toronto’s Citizen Lab have confirmed that a member of the European Parliament’s committee dedicated to investigating the abuse of military-grade spyware was himself a target of the software he was tasked with scrutinizing.
Stelios Kouloglou, a Greek journalist and former member of the European Parliament, was subjected to a series of intrusive digital surveillance attacks using the notorious Pegasus spyware. The revelations, which surfaced in a report released this past Friday, mark a chilling milestone in the ongoing saga of government-sanctioned digital espionage: for the first time, a lawmaker serving on the PEGA committee—the body specifically created to probe the illicit use of spyware by EU member states—has been definitively identified as a victim.
This breach has ignited a fresh, intense controversy over the erosion of privacy, the vulnerability of democratic institutions, and the persistent, murky role of NSO Group, the Israeli firm behind Pegasus, in facilitating the surveillance of journalists, politicians, and dissenters across the globe.
A Chronology of Surveillance: The Targeted Attacks
The Citizen Lab investigation provides a granular look at how Kouloglou’s digital security was dismantled. According to the report, the attacks occurred during critical windows in the PEGA committee’s operational calendar.
The October 2022 Breach
In October 2022, as the PEGA committee was engaged in high-stakes deliberations regarding the drafting of a report investigating spyware abuses in Cyprus, Greece, Hungary, Poland, and Spain, Kouloglou’s iPhone was compromised. At the time, the lawmaker was hospitalized for a pre-scheduled surgery. The timing suggests a calculated effort by the operator to intercept not only professional correspondence but potentially sensitive private audio, including conversations with medical staff and visitors.
The March 2023 Escalation
The surveillance continued months later. On March 6 and 7, 2023, as Kouloglou traveled from Athens to Brussels for critical committee hearings, his device was compromised again by the same Pegasus operator. This period was pivotal, occurring just months before the committee was set to finalize its damning report on state-sponsored hacking.
The technical methodology used in these incursions was particularly sophisticated. The attacks utilized "zero-click" exploits—vulnerabilities in Apple’s iOS software that require no user interaction to succeed. In this case, the spyware leveraged a previously discovered flaw in Apple’s HomeKit (smart home) software. By the time the intrusion occurred, a patch for the vulnerability had been released, but because the update had not yet been applied to Kouloglou’s specific device, the window of opportunity remained open for the attackers to siphon off text messages, location data, photos, and private audio.
The Anatomy of an Invisible Threat
The implications of these attacks extend far beyond the privacy of a single politician. Citizen Lab researchers were unable to definitively attribute the hacking to a specific nation-state. However, they uncovered a vital forensic clue: the email address used to deliver the Pegasus exploit was the same one identified in previous, wide-ranging campaigns against journalists across Europe.
This suggests that the operator—a government client of NSO Group—possessed the authorization to deploy Pegasus across multiple jurisdictions. The reuse of the same infrastructure implies a level of impunity and a broad mandate to conduct surveillance that transcends national borders, effectively weaponizing the software against the very people tasked with oversight.
For Kouloglou, the experience was deeply personal and profoundly violating. "You realize that all of your personal data [was taken]—not all the professional exchanges or messages with ministers—but also the very private things, like the happy moments and the sad moments," he stated in an interview.
The Broader Implications: A Direct Attack on the Rule of Law
The targeting of a PEGA committee member is being viewed by many in Brussels as a "direct attack on the rule of law." The committee was formed in response to the growing realization that governments were using software ostensibly designed for counter-terrorism and the prevention of serious crime to track political rivals, journalists, and activists.
By turning the lens of the spyware back onto the investigators themselves, the operators have signaled a high degree of confidence and a blatant disregard for the European Parliament’s authority. Several serving lawmakers have called on the European Commission to move beyond rhetoric and implement concrete, binding limitations on the use of spyware within the 27-member bloc.
The incident raises fundamental questions about the state of digital democracy. If the lawmakers meant to protect citizens from spyware are themselves unable to secure their own communications, what hope is there for the average citizen? The incident underscores a critical power imbalance: while legislative bodies move at the pace of debate and bureaucracy, surveillance operators utilize rapid-fire, zero-day exploits that render traditional safeguards obsolete.
Official Responses and Corporate Silence
The response from the entities involved has been characteristically muted. A spokesperson for the European Commission declined to respond to inquiries regarding the breach. Similarly, NSO Group, the Israeli company at the center of the controversy, did not provide a comment to reporters prior to the publication of the Citizen Lab report.
NSO Group has long maintained that it only sells its technology to government agencies for the purpose of fighting crime and terrorism, and that it has stringent human rights compliance protocols. However, the firm has faced a barrage of legal challenges and international scrutiny, including being effectively blacklisted in the United States. Following a Biden-era executive order that restricted the use of spyware capable of violating human rights, NSO Group has struggled to maintain its standing.
Despite these setbacks, the company remains active. Last year, it was revealed that an unnamed American investment group had injected tens of millions of dollars into NSO, a move widely interpreted as an attempt to rehabilitate the company’s damaged reputation and pave a path for its re-entry into Western markets. Critics, however, argue that no amount of rebranding can mask the underlying danger of tools that are fundamentally designed to operate in the shadows.
The Road Ahead: Accountability or Impunity?
Stelios Kouloglou has declared his intention to pursue legal action against NSO Group. While international litigation against private surveillance firms is notoriously complex—often involving jurisdictional hurdles and claims of "sovereign immunity" for the government clients—Kouloglou views his public disclosure as a moral imperative.
"Corruption concerns everybody," Kouloglou said. "I am going public for democracy, human rights, and the fight against corruption."
His decision to go public serves as a reminder that the battle against spyware is not just a technical challenge, but a political one. The vulnerability of mobile devices, while a concern for cybersecurity professionals, is now a primary front in the struggle for civil liberties. As the European Parliament continues to grapple with the fallout of the PEGA committee investigation, the hacking of one of its own members provides a stark, undeniable case study in why the unchecked proliferation of surveillance technology remains one of the most pressing human rights issues of the digital age.
Whether the European Union will find the political will to enact the "strict limits" demanded by its own members remains to be seen. In the meantime, the incident serves as a chilling testament to the fact that in the world of high-stakes digital espionage, no one—not even the investigator—is beyond the reach of the machine.