EU Lawmaker Who Investigated Pegasus Was Hacked With Pegasus

The Greek former member of the European Parliament who sat on the committee investigating Pegasus spyware was himself infected with the same NSO Group tool, according to a forensic investigation released Friday by Citizen Lab.

Stelios Kouloglou, a substitute member of the European Parliament’s PEGA Committee from March 2022 to July 2023, was compromised on his iPhone on or around October 21, 2022, and again on March 6 and 7, 2023, Citizen Lab reported. The dates sit inside the busiest periods of the parliamentary inquiry into how EU governments had deployed the Israeli-made surveillance tool.

Three Infections Across Two Critical Windows

Citizen Lab’s forensics team found with high confidence that Kouloglou’s iPhone was successfully infected with Pegasus spyware on or around October 21, 2022, and again on March 6 and 7, 2023. The October infection came as the committee prepared hearings on Big Tech, e-privacy and fundamental rights, and as drafts of its first report circulated. The March infection struck during the final drafting phase, less than two months before the committee’s first report was adopted on May 8, 2023.

The Pegasus compromise on October 21, 2022 began with a HomeKit email lookup at 10:16 local time, followed two minutes later by Pegasus activity on mobile data. Citizen Lab identified the exploit as PWNYOURHOME, a zero-click chain that routed through HomeKit and the iOS MessagesBlastDoorService. The device was running iOS 15.5 (build 19F77) at the time. Apple later mitigated the HomeKit issue in iOS 16.3.1 and the MessagesBlastDoorService issue earlier, likely in iOS 16.1. Apple subsequently sent Kouloglou three threat notifications, on March 2, 2023, August 29, 2023 and April 10, 2024, but Kouloglou told researchers he did not recall receiving them.

The infection’s potential reach extends beyond the committee’s public hearings. Citizen Lab wrote that the spyware “could have exposed strictly confidential exchanges among PEGA Committee members and their staff, including to parties under investigation by the Committee itself.” Kouloglou told Politico the hacking had to do absolutely with his status as a member of PEGA.

Infection date Location PEGA activity at the time
October 21, 2022 Athens (hospital) Draft report circulating; Greece and Cyprus research visits scheduled for early November
March 6 to 7, 2023 Athens to Brussels Final report drafting; LIBE mission in Greece; weeks before committee’s first report adoption

What Pegasus Would Have Seen on the Device

The October 2022 infection occurred while Kouloglou was in a Greek hospital for elective surgery. Greek investigative journalist Thanasis Koukakis visited him in his hospital room that day, an encounter memorialized in a photograph in Citizen Lab’s report. Citizen Lab had confirmed in March 2022 that Koukakis was himself a target of Intellexa’s Predator spyware and was at the time pursuing legal remedies in Greece.

The hospital timing meant confidential medical information, including any conversation with medical staff or details of diagnoses and appointments, may also have been intercepted. Greek law treats health data as a special category of personal data under enhanced protections (Law 4624/2019). “I never thought that a member of the committee investigating the abuses of spyware would become a target himself,” Kouloglou said.

The second infection took a different shape. On March 6, 2023, Kouloglou traveled from Athens to Brussels and remained there through March 7. At the same time, PEGA Rapporteur Sophie in ‘t Veld was in Greece with a delegation from the LIBE Committee, the Parliament’s standing civil liberties panel, questioning Greek officials on the spyware scandal.

Citizen Lab’s timeline aligns the spyware compromise with the committee’s two most sensitive work periods. The committee’s draft report focused its allegations on Poland, Hungary, Greece, Cyprus and Spain, and the LIBE delegation’s questioning in Greece was part of the same investigative push that preceded the first report’s adoption.

A Pattern of Targeting Inside the European Parliament

Kouloglou’s case is the first publicly identified PEGA Committee member targeted with Pegasus during the inquiry. Earlier targeting of MEPs was documented before the committee was formed on March 10, 2022. Three of those earlier Catalan targets later joined PEGA and testified to it about their own infections. European Parliament President Roberta Metsola was previously identified as a Pegasus target.

Other incidents surfaced after the committee finished its work. French MEP Nathalie Loiseau, chair of the security and defence subcommittee, confirmed she was targeted with Pegasus. Bulgarian MEP Elena Yoncheva was informed by the European Parliament’s IT Services that her device had been targeted in late October 2023. German MEP Daniel Freund announced in May 2024 that he had been targeted with Candiru’s mercenary spyware.

  • Diana Riba, Pegasus, October 2019
  • Carles Puigdemont, Pegasus, October 2019 and July 2020 (via staff or family)
  • Jordi Solé, Pegasus, June 2020
  • Clara Ponsatí, Pegasus, July 2020 (via staff or family)
  • Nathalie Loiseau, Pegasus (date not specified in Citizen Lab’s report)
  • Elena Yoncheva, targeted late October 2023 (tool not specified)
  • Daniel Freund, Candiru, May 2024
  • Roberta Metsola, Pegasus (date not specified)

Why Citizen Lab Would Not Name a Government

Citizen Lab’s report stops short of attributing the infections to any specific NSO Group customer. The lab found no indications that the Greek government was responsible, and there are no public reports that Greece is or was an NSO Group customer.

While the Greek government is known to have extensively abused Intellexa’s Predator mercenary spyware, Citizen Lab is unaware of any technical indicators suggesting Greek security and intelligence services had access to Pegasus. The lab’s Greek-language record on Predator and its Pegasus forensics on Kouloglou do not overlap.

Instead, the report identifies an overlap between Kouloglou’s October 2022 infection and a previously documented Pegasus campaign targeting exiled Russian and Belarusian-speaking journalists and activists in Europe. That pattern points to a Pegasus operator authorized to deploy across multiple European countries, not to a single national customer whose geographic footprint would naturally cover Greece.

Sophie in ‘t Veld, the rapporteur who led PEGA, told Politico the real question is the European Commission’s silence. Her statement, delivered after Citizen Lab’s findings were published, put the institutional response at the center of the story.

While we’re all obsessing with the state of democracy and the rule of law in the United States, there’s complete impunity on this. If attempts to target the phone of the president of the European Parliament or members of the European Commission does not trigger sufficient reaction [and] is not enough to break the deadlock, then what is?

Sophie in ‘t Veld, the former MEP who led the PEGA inquiry as rapporteur, told Politico on July 3, 2026.

NSO Group and Its EU Customer Map

NSO Group, based in Herzliya, Israel, developed Pegasus as a tool sold exclusively to government agencies for use against terrorism and serious crime. The company has previously said it vets buyers and has terminated contracts with users found to have abused the software.

In 2021, the administration of then-US President Joe Biden blacklisted NSO Group, ruling that the company acted “contrary to the foreign policy and national security interests of the US.” A US judge last year barred NSO Group from targeting the encrypted messaging app WhatsApp, arguing that its software causes “direct harm.” NSO Group did not respond to Al Jazeera’s request for comment on the Kouloglou findings.

The PEGA Committee was established in March 2022 after reporting revealed governments in the EU bloc had used Pegasus against journalists, activists, politicians and other citizens. The committee’s draft report, delivered in November 2022 by in ‘t Veld, focused its allegations on Poland, Hungary, Greece, Cyprus and Spain.

What the PEGA Report Asked the EU to Do

The PEGA Committee adopted its first report on May 8, 2023, focused on the use of Pegasus and equivalent spyware across the EU. The European Parliament subsequently adopted a formal recommendation calling on the Commission, member states and EU bodies to act. The recommendations called for stronger regulation of commercial spyware, tighter export controls and new oversight initiatives to control the proliferation of such tools.

The European Parliament told Al Bawaba it continues to monitor cyber risks targeting its systems and has made spyware detection tools available to lawmakers since 2022. It said a recent internal report had advocated extending those protections to all devices used for parliamentary business. The European Commission did not immediately respond to requests for comment.

Spyware doesn’t make democracies safer. It weakens democratic oversight, parliamentary independence and the rule of law.

Hannah Neumann, German MEP and PEGA Committee member, in a post on X.

The Infection Now Joins the File

Citizen Lab’s report catalogs what an operator inside the same network as the committee could have read. The PEGA inquiry’s case file, which already documented abuses by EU governments, now includes the targeting of a sitting committee member. NSO Group and the European Commission did not immediately respond to requests for comment on the findings.

The infections sit alongside the documented cases of Riba, Solé, Ponsatí, Loiseau, Yoncheva and Freund as evidence that the commercial surveillance industry reaches into the European Parliament itself. The European Parliament has not announced a new investigation in response to Citizen Lab’s findings.

Leave a Reply

Your email address will not be published. Required fields are marked *