The Watcher Watched: European Lawmaker Targeted by Pegasus Spyware in Unprecedented Breach
In a chilling development that has sent shockwaves through the corridors of the European Union, security researchers have confirmed that a member of the European Parliament’s (MEP) committee tasked with investigating the abuse of state-sponsored surveillance was himself a victim of the very technology he was scrutinizing.
Stelios Kouloglou, a journalist and former politician who served on the European Parliament’s PEGA committee, had his iPhone compromised by NSO Group’s Pegasus spyware. The revelation, documented by the University of Toronto’s Citizen Lab, marks the first time a member of this investigative body has been publicly identified as a target. This breach is not merely a violation of personal privacy; it is being characterized by legal experts and fellow lawmakers as a “direct attack on the rule of law” and a calculated effort to undermine democratic oversight.
The Anatomy of an Unseen Breach
The Citizen Lab report, released Friday, details a sophisticated, multi-stage attack that leveraged “zero-click” exploits. Unlike traditional phishing attacks that require a user to click a malicious link or download a file, zero-click exploits function invisibly. In this case, the attackers abused a previously discovered vulnerability in Apple’s HomeKit—the framework used to manage smart home devices—to silently infiltrate Kouloglou’s device.
Once the spyware took root, it granted the operators virtually total control over the device. It allowed for the silent extraction of sensitive data, including encrypted text messages, location history, private photographs, and, perhaps most alarmingly, the ability to trigger the microphone to listen in on ambient conversations.
“You realize that all of your personal data [was taken]—not just the professional exchanges or messages with ministers—but also the very private things, like the happy moments and the sad moments,” Kouloglou told TechCrunch in a candid interview.
A Chronology of Surveillance
The timeline of the attacks suggests that the targeting was not random, but rather strategic, coinciding with critical moments in the PEGA committee’s work.
The October 2022 Infiltration
The first confirmed breach occurred in October 2022. At the time, the PEGA committee was engaged in intense, high-stakes deliberations. The committee was finalizing the first draft of its comprehensive report into the use of Pegasus spyware across member states, with a specific focus on controversial deployments in Cyprus, Greece, Hungary, Poland, and Spain.
Remarkably, this breach occurred while Kouloglou was hospitalized for a pre-scheduled surgery. The timing raises the disturbing possibility that the spyware operators were not only monitoring his legislative work but were also capturing intimate audio of his medical consultations and private conversations with family members visiting him during his recovery.
The March 2023 Escalation
The surveillance did not stop with the initial breach. Citizen Lab identified at least two additional successful compromises on March 6 and 7, 2023. During this period, Kouloglou was traveling from Athens to Brussels to participate in crucial committee hearings. This second phase of attacks occurred just months before the committee was set to finalize and adopt its final report. The persistence of the operator—using the same “fingerprint” or email address utilized in previous European campaigns—suggests an entity with significant resources and a sustained interest in the committee’s internal dynamics.
Implications for Democratic Oversight
The fact that an investigator was targeted by the very tools he was investigating highlights a profound failure in the current regulatory environment. The PEGA committee was established precisely because of mounting evidence that governments were abusing surveillance software—ostensibly purchased to combat terrorism and organized crime—to silence political opponents, journalists, and activists.
A Threat to the Rule of Law
European lawmakers are now calling for a formal investigation into the breach. One serving MEP noted that the targeting of a committee member is an assault on the independence of the European Parliament. If those tasked with holding governments accountable can be silenced or monitored through digital espionage, the mechanisms of democratic oversight are effectively neutered.
The Problem of Attribution
While Citizen Lab could not definitively name the specific government behind the attack, the evidence points toward a state actor with significant reach. The attacker utilized the same Pegasus-loaded email address linked to prior campaigns targeting journalists across Europe. This indicates that the client had authorization from the NSO Group to operate across multiple jurisdictions, further complicating the search for accountability.
The NSO Group, which has long claimed its software is only sold to vetted government agencies for legitimate law enforcement purposes, has failed to comment on the specific findings of the Citizen Lab report.
The Legal and Ethical Battlefield
Kouloglou has declared his intention to pursue legal action against the NSO Group. This lawsuit is expected to become a landmark case in the ongoing struggle to hold spyware manufacturers liable for the misuse of their products.
The NSO Group’s Beleaguered Future
The NSO Group has faced relentless scrutiny in recent years. In the United States, the Biden administration issued an executive order severely limiting the government’s use of commercial spyware that threatens human rights. Despite these setbacks, the company has sought to rehabilitate its image. Reports surfaced last year that an unnamed American investment group had injected tens of millions of dollars into the firm, a move analysts believe was designed to help the company pivot and regain access to restricted markets.
Critics argue that the NSO Group’s business model is inherently incompatible with democratic values. By providing governments with the ability to penetrate the most secure devices on the planet, the company has effectively provided a “digital skeleton key” to authoritarian regimes and democratic governments alike, with little to no transparency regarding how that key is used.
The Call for Legislative Action
The breach of Kouloglou’s phone has reignited demands for the European Commission to enact strict, binding limits on the sale and use of spyware across the 27-member bloc. Currently, the regulation of such technology is fragmented, leaving loopholes that allow for the "export" of surveillance power between states.
Conclusion: A Fight for Transparency
For Stelios Kouloglou, the decision to go public with his experience was not born of a desire for personal restitution, but of a commitment to the principles he has championed throughout his career.
“Corruption concerns everybody,” Kouloglou stated, emphasizing that his decision to speak out is “for democracy, human rights, and the fight against corruption.”
The incident serves as a stark reminder of the vulnerability of our digital lives. When even the most protected individuals—those shielded by parliamentary immunity and public profiles—can be compromised, the standard for individual privacy is clearly under siege. As the European Parliament considers its next steps, the case of the “hacked investigator” will likely serve as the definitive argument for a new era of digital accountability, one where the tools of the state are finally brought under the firm control of the law, rather than being used to circumvent it.
The question remains: if the European Parliament cannot protect its own investigators from state-sponsored spyware, what hope does the average citizen have against the invisible, unblinking eye of the modern surveillance state? The answer may well lie in the outcome of the legal and legislative battles currently unfolding in the wake of this revelation.
