In a development that has sent shockwaves through the corridors of power in Brussels and Athens, a new forensic investigation has revealed that Stelios Kouloglou, a prominent Greek politician and former member of the European Parliament (MEP), was targeted with the notorious Pegasus spyware while he was actively serving on the committee tasked with investigating such surveillance abuses. The report, published by the University of Toronto’s Citizen Lab, underscores a profound security breach within the European Union’s legislative framework, suggesting that the very individuals appointed to safeguard democratic institutions from digital intrusion are themselves vulnerable to high-level espionage.

Stelios Kouloglou, a veteran investigative journalist who served as an MEP from 2015 to 2024, was a key member of the PEGA Committee. This special body was established in 2022 to probe the proliferation of mercenary spyware following revelations that governments across the globe—including several within the EU—had used Israeli-made Pegasus software to monitor activists, journalists, and political opponents. The irony of the situation is stark: while Kouloglou was interviewing victims and drafting recommendations to curb the "wild west" of the spyware industry, his own iPhone was being systematically compromised by the same technology.

The Mechanics of the Compromise

According to the forensic data provided by Citizen Lab, Kouloglou’s device was infected with Pegasus on at least two distinct occasions. Pegasus, developed by the Israeli firm NSO Group, is a "zero-click" surveillance tool, meaning it can infect a target’s phone without the user needing to click a link or download a file. Once installed, it grants the operator total access to the device, including the ability to activate the microphone and camera, intercept encrypted messages on platforms like WhatsApp and Signal, and download photos, emails, and location data.

The first recorded infection occurred on October 21, 2022. At the time, Kouloglou was hospitalized for elective surgery. The timing is significant; while recovering, he received a visit from Thanasis Koukakis, a Greek investigative journalist who had previously been identified as a victim of "Predator," a different brand of spyware sold by the firm Intellexa. The second infection took place in March 2023, a period during which the PEGA Committee was finalizing its intensive investigation and preparing its final report for the European Parliament.

The Citizen Lab report notes that while the researchers cannot definitively attribute the attack to a specific government, they found technical overlaps between the infrastructure used to target Kouloglou and the infrastructure used in attacks against Russian- and Belarusian-speaking activists and journalists. Crucially, the report states there is no direct evidence currently linking the Greek government to this specific Pegasus infection, though Greece remains embroiled in a broader domestic surveillance scandal.

A Chronology of Surveillance and Investigation

The timeline of the attacks on Kouloglou aligns precisely with critical milestones in the European Parliament’s efforts to regulate the spyware industry.

  • July 2021: The "Pegasus Project," a collaborative investigation by major media outlets, reveals that NSO Group’s software was used to target tens of thousands of individuals worldwide, including European heads of state and MEPs.
  • March 2022: The European Parliament votes to establish the PEGA Committee to investigate these claims and the legal vacuum surrounding commercial spyware in Europe.
  • Summer 2022: Kouloglou and his colleagues begin holding hearings with tech experts, victims, and representatives from NSO Group.
  • October 2022: Kouloglou’s device is first infected with Pegasus. This occurs just days before the committee traveled to Cyprus and Greece to investigate local spyware industries and government overreach.
  • March 2023: Kouloglou’s device is infected a second time. At this stage, the committee is in the midst of heated negotiations regarding its final recommendations and the wording of its findings on EU member states.
  • June 2023: The PEGA Committee publishes its final report, calling for a moratorium on spyware use unless strict conditions are met, and identifying "systemic" issues in countries like Poland, Hungary, and Greece.
  • November 2024: Citizen Lab confirms the forensic evidence of the Kouloglou hack, revealing the MEP was under surveillance during the height of the inquiry.

Technical Analysis and the Burden of Proof

The forensic analysis of Kouloglou’s iPhone revealed that Apple had sent "Threat Notifications" to the MEP in March 2023, August 2023, and April 2024. These alerts are part of a security feature Apple introduced to notify users who may have been targeted by state-sponsored attackers. However, Kouloglou noted that he did not recall seeing these notifications at the time, highlighting a common issue where sophisticated malware can sometimes suppress system alerts or where users, overwhelmed by digital noise, overlook critical security warnings.

Citizen Lab’s senior researcher, John Scott-Railton, characterized the incident as an "open spyware season" on European lawmakers. The technical sophistication of Pegasus allows it to operate with a level of stealth that makes traditional digital hygiene—such as avoiding suspicious links—obsolete. The fact that an MEP’s device was compromised while he was engaged in sensitive committee work suggests that the perpetrator likely had access to internal deliberations, confidential testimony, and the private schedules of European officials.

Official Responses and Political Fallout

The revelation has drawn sharp condemnation from Kouloglou’s former colleagues in the European Parliament. Hannah Neumann, a German MEP for the Greens/EFA group and a member of the PEGA Committee, described the situation as "absurd," noting that the hackers were essentially "spying on the investigation into spyware itself."

MEP Saskia Bricmont echoed these sentiments, stating that the targeting of a lawmaker is a "direct attack on the rule of law." Bricmont emphasized that the breach not only violated Kouloglou’s personal privacy but also compromised the integrity of the European Parliament’s sovereign work.

For its part, the NSO Group has historically maintained that its technology is sold only to vetted government agencies for the purpose of combating terrorism and serious crime. The company did not provide a specific comment on the Kouloglou case to major news outlets. However, the firm has faced increasing pressure, including being blacklisted by the United States Department of Commerce in 2021, which restricted its access to American technology and investment.

A spokesperson for the European Parliament stated that the institution has implemented a "spyware screening system" available to all MEPs and has recently adopted further measures to bolster digital defenses. However, critics argue that these measures are reactive and insufficient given the rapid evolution of zero-click exploits.

Broader Implications for European Democracy

The hacking of Stelios Kouloglou is not an isolated incident but rather a symptom of a broader crisis in European digital sovereignty. The PEGA Committee’s investigation revealed that several EU member states have purchased and deployed spyware with little to no judicial oversight. In Poland and Hungary, the software was reportedly used to monitor opposition figures and journalists, leading to accusations of democratic backsliding.

In Greece, the "Predator" scandal—often referred to as "Greece’s Watergate"—demonstrated how domestic intelligence agencies (EYP) and private firms could work in tandem to monitor high-ranking officials, including the current Minister of Labor, Kostas Hatzidakis, and the leader of the opposition PASOK party, Nikos Androulakis.

The Kouloglou case adds a new layer of complexity to this narrative. It suggests that even when the EU attempts to exercise its oversight functions, those functions can be subverted by the very technology they seek to regulate. This creates a chilling effect on whistleblowers and lawmakers, who may fear that their communications with sensitive sources are being monitored in real-time.

The Path Forward: Regulation or Resignation?

Despite the exhaustive findings of the PEGA Committee, many of its primary recommendations remain unfulfilled. The committee called for the establishment of an EU-based "Tech Lab" to assist MEPs and citizens with forensic device analysis, as well as a centralized task force to protect elections from spyware-driven interference. To date, the European Commission has been slow to move toward a comprehensive legislative ban or a rigorous regulatory framework for the sale and use of such tools.

In contrast, the United States has taken a more aggressive stance. President Joe Biden issued an executive order in 2023 prohibiting the U.S. government from using commercial spyware that poses risks to national security or has been misused by foreign governments. This has led to a significant decoupling of the American defense and intelligence apparatus from firms like NSO Group.

The hacking of Stelios Kouloglou serves as a stark reminder that the "mercenary spyware" industry operates with a level of impunity that threatens the fundamental pillars of democratic governance. As long as these tools remain accessible and unregulated, the privacy of citizens and the confidentiality of legislative work will remain at the mercy of whoever holds the digital keys. For Kouloglou, the discovery is a personal violation, but for the European Union, it is a systemic warning that the gatekeepers of democracy are themselves under siege.

By