In an unprecedented breach of European institutional security, a forensic investigation has confirmed that Stelios Kouloglou, a prominent Greek politician and former member of the European Parliament (MEP), was targeted with the notorious Pegasus spyware while he was actively investigating the misuse of such technology. The discovery, published by the University of Toronto’s Citizen Lab, marks the first documented instance of a member of the European Parliament’s PEGA Committee—a special body established to probe spyware abuses—being compromised by the very tool they were tasked with scrutinizing. The revelations have reignited concerns over the vulnerability of democratic institutions and the "open season" on lawmakers within the European Union. Kouloglou, a veteran investigative journalist who served as an MEP from 2015 to 2024, was a central figure in the PEGA Committee. This committee was formed in early 2022 following global outrage over the "Pegasus Project," which revealed how governments worldwide used NSO Group’s technology to monitor activists, journalists, and heads of state. Kouloglou’s work involved interviewing victims and uncovering the clandestine networks that facilitate the sale and deployment of mercenary spyware. According to the Citizen Lab report, his own iPhone was infected multiple times during the height of these investigations, potentially allowing attackers to monitor internal committee deliberations, confidential testimonies, and sensitive documents. The Chronology of the Compromise The forensic analysis conducted by Citizen Lab identifies two distinct windows of infection. The first occurred on October 21, 2022. At the time, Kouloglou was in a hospital recovering from elective surgery. During his recovery, he was visited by Thanasis Koukakis, a Greek investigative journalist who had previously made headlines as one of the first confirmed victims of Predator spyware in Greece. The proximity of the attack to Koukakis’s visit and the committee’s subsequent schedule suggests a highly calculated effort to monitor Kouloglou’s interactions. The timing of this first infection coincided with a critical phase for the PEGA Committee. In the week following the October hack, the committee held high-stakes hearings on the human rights impact of spyware. Shortly thereafter, Kouloglou and his colleagues traveled to Cyprus and Greece for on-the-ground investigations into local surveillance scandals. The second confirmed infection took place on March 6 and 7, 2023. This period was equally sensitive, as the PEGA Committee was in the final stages of drafting its findings and negotiating recommendations for the European Parliament. MEP Hannah Neumann, a member of the Green party who served alongside Kouloglou, noted that the committee was then engaged in questioning companies within the spyware industry. The synchronization between the spyware infections and the committee’s legislative milestones indicates that the perpetrator sought real-time intelligence on the EU’s attempts to regulate the surveillance industry. Technical Context: The Power of Pegasus Developed by the Israeli firm NSO Group, Pegasus is widely considered the most sophisticated mercenary spyware in the world. It utilizes "zero-click" exploits, which allow the malware to infect a device without any interaction from the user, such as clicking a link or downloading a file. Once installed, Pegasus grants the operator near-total control over the target’s mobile device. This includes the ability to remotely activate microphones and cameras, track GPS locations in real-time, and extract encrypted messages from platforms like WhatsApp, Signal, and Telegram. Citizen Lab’s report highlighted that Kouloglou’s device received three separate threat notifications from Apple—in March 2023, August 2023, and April 2024—warning him that he was likely being targeted by state-sponsored attackers. While these notifications are a vital defense mechanism, they are often delayed and do not provide the technical specifics required for immediate remediation. Kouloglou admitted that he did not recall seeing the notifications at the time, illustrating the stealthy nature of the intrusion. The researchers at Citizen Lab also found technical overlaps between the attacks on Kouloglou and the targeting of seven Russian- and Belarusian-speaking journalists and activists between 2020 and 2023. While the researchers stopped short of naming a specific government responsible for the hack, they noted that the perpetrator would have gained access to internal information about the committee’s activities, violating both individual privacy and the confidentiality requirements of the European Parliament. The Broader Context of "Greece’s Watergate" The targeting of Kouloglou cannot be viewed in isolation from the broader surveillance crisis in Greece. Often referred to as "Greece’s Watergate," the scandal erupted in 2022 when it was revealed that the Hellenic National Intelligence Service (EYP) had wiretapped Nikos Androulakis, the leader of the PASOK opposition party. Simultaneously, forensic evidence showed that Androulakis and journalist Thanasis Koukakis had been targeted with Predator, a spyware variant produced by Intellexa, a company with significant operations in Athens. The Greek government has consistently denied purchasing or using Pegasus, maintaining that its official surveillance was conducted through legal wiretapping channels. However, the Citizen Lab report clarifies that while there is no conclusive evidence of Greek government involvement in the Pegasus attack on Kouloglou, the incident underscores a pervasive atmosphere of surveillance within the country’s political and journalistic circles. The overlap of various spyware tools—Pegasus and Predator—suggests a complex ecosystem where multiple actors may be operating with impunity. Official Reactions and Institutional Vulnerability The revelation has sparked a wave of condemnation from European lawmakers. MEP Saskia Bricmont, a member of the PEGA Committee, characterized the hack as a "direct attack on the rule of law." She emphasized that the use of spyware against investigators not only violates fundamental human rights but also compromises the integrity of parliamentary work. Hannah Neumann echoed these sentiments, calling the situation "absurd" and noting that the attackers chose to spy on the very investigation into spyware abuse. In response to inquiries, a spokesperson for the European Parliament stated that the institution has implemented a "spyware screening system" available to all MEPs. Recently, the Parliament adopted further measures to expand digital protections. However, critics argue that these measures are reactive rather than proactive. John Scott-Railton, a senior researcher at Citizen Lab, warned that European institutions remain largely unprepared for the "open spyware season." He pointed out that while some progress has been made in the United States—through sanctions, visa bans, and executive orders against NSO Group—Europe has been slower to implement concrete deterrents. Data and Implications for European Security The Pegasus Project’s 2021 data leak suggested that at least 50,000 phone numbers were selected as potential targets by NSO Group clients. Among these were at least 180 journalists and dozens of political figures. The discovery of Kouloglou’s infection adds a new layer to this data: the targeting of the investigators themselves. The failure to adopt the PEGA Committee’s recommendations has become a point of contention. The committee’s final report, completed in 2023, called for several radical changes, including: The establishment of an EU-based Tech Lab: A central forensic facility to assist MEPs and civil society in detecting spyware. A Spyware Taskforce for Elections: To protect the integrity of the democratic process from digital interference. Stricter Export Controls: To prevent EU-based companies from selling surveillance technology to authoritarian regimes. Years after the report’s completion, many of these recommendations remain unfulfilled. This legislative inertia, Scott-Railton argues, leaves Europeans vulnerable at a time when artificial intelligence is expected to lower the cost and barrier to entry for mercenary spyware, potentially "turbocharging" the threat. Analysis of Political and Democratic Consequences The hacking of Stelios Kouloglou represents a significant escalation in the use of mercenary spyware within the European Union. When a member of a parliamentary committee is surveilled while investigating that very surveillance, it creates a "chilling effect" that extends beyond the individual victim. It signals to all lawmakers, whistleblowers, and journalists that no one is beyond the reach of digital intrusion, regardless of their official status or the sensitivity of their work. Furthermore, the breach of Kouloglou’s device constitutes a violation of parliamentary privilege. In most democratic systems, the communications of lawmakers are protected to ensure they can perform their duties without intimidation or interference. By accessing Kouloglou’s messages and contacts, the attackers effectively bypassed the democratic safeguards intended to protect the independence of the European Parliament. The situation also highlights a geopolitical disparity. While the NSO Group was acquired by U.S.-based investors in 2025 in an attempt to mend its reputation and seek removal from the U.S. Entity List, the company’s technology continues to be linked to the targeting of democratic actors. The lack of a unified European response—similar to the robust sanctions seen in Washington—suggests a lack of political will among EU member states to confront the domestic and foreign entities that deploy these tools. As the European Union moves forward, the case of Stelios Kouloglou serves as a stark reminder that technological protections alone are insufficient. The "mercenary spyware" industry operates in a legal gray zone that requires a comprehensive policy response, ranging from forensic support to diplomatic pressure. Without such measures, the integrity of European democracy remains at the mercy of those who can afford to purchase its subversion. Post navigation Cybersecurity and Privacy Landscape Faces New Challenges From Spyware Scandals to Critical Vulnerabilities in Global Tech Infrastructure AI Tool Claude Assists Researcher in Breach of Major US Festival Ticketing System