EU Lawmaker Investigating Spyware Was Himself Hacked by Pegasus, Researchers Find

A former European Parliament member who helped investigate abusive surveillance practices was himself a target of Israeli-made spyware, according to a Canadian technology watchdog group.

Citizen Lab released a report Friday stating that the phone of Stelios Kouloglou — a Greek television journalist who went on to serve as a lawmaker — was compromised at least three times between October 2022 and March 2023. The tool used was Pegasus spyware, a product distributed by the Israeli company NSO Group.

During the period when he was being targeted, Kouloglou was an active member of the European Parliament’s PEGA Committee, a body created in 2022 specifically to examine unlawful phone hacking across the European Union. The committee’s work centered largely on Pegasus and similar surveillance tools, ultimately concluding that EU governments had likely used spyware “in one way or another, some legitimate, some illegitimate.”

Kouloglou said he was stunned by the brazenness of whoever carried out the attacks.

“I was not expecting that a PEGA member would be spied on by Pegasus,” he told Reuters. “I was not expecting that they would be as reckless as that.”

NSO Group did not respond to requests for comment.

The European Parliament issued a statement that did not directly address Kouloglou’s situation, but noted that its IT security teams “constantly monitor cybersecurity threats as well as potential cyberattacks against its working environment.” The Parliament also said spyware screening tools have been offered to all lawmakers since 2022, and that a report adopted last month called for expanding those tools to cover all devices used for parliamentary work.

The European Commission, which serves as the EU’s executive arm, did not respond to requests for comment.

NSO has long maintained that its surveillance tools are deployed to combat serious crime and safeguard national security. However, the company has faced repeated accusations of enabling intrusive monitoring of journalists, political figures, civil rights advocates, and religious individuals around the globe. The U.S. government placed NSO on a blacklist in 2021 over concerns about human rights and national security. Last year, Meta Platforms — the parent company of WhatsApp — won a $168 million damages award against NSO for illegally hacking its platform, though that award was later significantly reduced. More recently, Meta accused NSO of violating the court’s injunction against targeting its services and sought a contempt order.

Citizen Lab said it believes the hacking was carried out through a previously unknown vulnerability in Apple software. The group noted that Kouloglou received multiple warnings from Apple in 2023 and 2024 about suspected state-sponsored hacking attempts targeting his device.

While Citizen Lab did not identify the specific party responsible for deploying Pegasus against the former lawmaker, it connected some of the hacking activity to earlier findings that Pegasus had been used to monitor Russian- and Belarusian-speaking journalists and activists living in exile.

Apple did not directly respond to questions about Kouloglou’s case, but confirmed that the vulnerability cited in the Citizen Lab report has since been patched and that the company routinely notifies individuals it believes may have been targeted.

Sophie in ’t Veld, a former EU lawmaker who was instrumental in establishing the PEGA Committee, said the hacking of Kouloglou’s phone illustrated how the proliferation of for-hire spyware has created a surveillance environment with virtually no boundaries.

“We’re in a situation where anybody could spy on anyone and they’re spying on citizens, they’re spying on journalists, they’re spying on NGOs, on lawyers, on politicians, and nobody knows who’s behind it,” she said.