In a chilling development that has sent shockwaves through the corridors of European power, security researchers have confirmed that a member of the European Parliament’s (EP) PEGA committee—a body specifically tasked with probing the abuse of commercial spyware—was himself a target of the very technology he was investigating.
The revelation, detailed in a report by the University of Toronto’s Citizen Lab, marks the first time a sitting member of the PEGA committee has been publicly identified as a victim of Pegasus, the notorious spyware developed by the Israeli-based NSO Group. The victim, Greek journalist and former Member of the European Parliament (MEP) Stelios Kouloglou, was subjected to sophisticated digital surveillance throughout 2022 and 2023. This breach has not only reignited the fierce debate surrounding the unchecked use of surveillance technology by state actors but has also raised profound questions regarding the integrity of the European Union’s oversight mechanisms.
A Targeted Breach of Oversight
The Citizen Lab findings suggest that Kouloglou’s digital life was compromised at critical junctures of the committee’s work. Between October 2022 and March 2023, his iPhone was infiltrated using a "zero-click" exploit—a potent category of malware that requires no interaction from the user to gain full access to the device. By leveraging a previously known vulnerability in Apple’s HomeKit framework, the spyware operators were able to harvest private correspondence, sensitive location data, photos, and, potentially, ambient audio recordings.
Kouloglou, who has been a vocal critic of governmental overreach, described the intrusion as "reckless." His experience serves as a grim case study in how the tools of intelligence agencies, ostensibly marketed for the fight against terrorism and organized crime, are being pivoted toward political espionage. The incident is not merely an invasion of privacy; it is viewed by many legal experts and fellow lawmakers as a direct assault on the democratic process.
The Chronology of Surveillance
The timeline of the attacks against Kouloglou suggests a highly coordinated effort to monitor the PEGA committee’s internal deliberations.
October 2022: The Initial Infiltration
The first confirmed breach occurred in October 2022. This timing is particularly significant, as it coincided with a period of intense internal debate within the PEGA committee. Lawmakers were then finalizing the first draft of a report that would explicitly name Greece, Cyprus, Hungary, Poland, and Spain as nations where the misuse of spyware had been identified.
Compounding the severity of the intrusion, Kouloglou was hospitalized for a pre-scheduled surgery during this period. The surveillance operators, by effectively turning his phone into a remote microphone, potentially intercepted confidential medical information and private conversations with family and visitors—a move described by privacy advocates as a grotesque violation of human dignity.
March 2023: Tracking the Movement
The surveillance did not end there. Citizen Lab researchers identified further successful infiltrations on March 6 and 7, 2023. During this window, Kouloglou was traveling from Athens to Brussels to participate in crucial committee hearings. By tracking his movements and communications during these trips, the anonymous operator was able to gain real-time insight into the committee’s momentum as it moved toward finalizing its formal report.
The Technical Footprint
While Citizen Lab could not definitively attribute the hack to a specific government, the forensic evidence provided a critical clue: the reuse of a specific email address linked to the Pegasus "operator" infrastructure. This same address had been flagged in previous investigations into the hacking of journalists across Europe.
The consistency of the "attacking" infrastructure suggests that the entity behind the hack—an undisclosed government client—had been granted broad authorization by NSO Group to operate across multiple borders. This capability underscores the central problem with Pegasus: once a state actor is provided with the keys to the kingdom, there are few, if any, effective technical barriers to prevent them from misusing those keys to suppress political dissent or monitor their own citizens.
Implications for Democracy and Rule of Law
The targeting of an investigator is more than a technical failure; it is an ideological challenge. One serving European lawmaker, speaking on condition of anonymity, described the event as a "direct attack on the rule of law." The implications are clear: if those investigating the abuse of power can be silenced or monitored, then the mechanisms of accountability are effectively paralyzed.
A Call for Regulatory Reform
The incident has intensified calls for the European Commission to move beyond symbolic condemnation and implement concrete, binding regulations. Critics are demanding a moratorium on the sale and use of intrusive spyware within the 27-member bloc until strict, enforceable human rights safeguards are established.
The current landscape is characterized by a "wild west" approach, where NSO Group—despite being under scrutiny—continues to navigate complex international waters. While the United States has moved to blacklist NSO Group, citing concerns over the violation of human rights, the company’s resilience remains a point of contention. Recent reports of an American investment group funneling millions into the firm suggest that the company is actively working to rehabilitate its image and maintain its foothold in the global surveillance market.
NSO Group and the Silence of the State
As of the publication of this report, the European Commission has remained largely silent, offering no official comment on the targeting of a European lawmaker. Similarly, NSO Group has not responded to inquiries regarding the Citizen Lab report. This lack of transparency is a hallmark of the industry, where the secrecy surrounding "national security" is frequently invoked to shield both the vendors and the state clients from public scrutiny.
For his part, Kouloglou is determined to seek justice. He has announced his intention to pursue legal action against NSO Group. By going public with his ordeal, he hopes to shed light on the pervasive nature of the "spyware-for-hire" industry.
"You realize that all of your personal data [was taken]—not all the professional exchanges or messages with ministers—but also the very private things, like the happy moments and the sad moments," Kouloglou said. "Corruption concerns everybody."
Looking Forward: The Fight for Digital Sovereignty
The case of Stelios Kouloglou is a stark reminder that in the digital age, the battlefield for democracy has shifted to the smartphone. The ability to monitor, track, and intimidate political actors with such ease represents a systemic threat to the integrity of European institutions.
As the PEGA committee’s findings continue to reverberate, the focus must shift to how governments manage their surveillance capabilities. Without rigorous oversight, transparency, and a fundamental reassessment of how these tools are deployed, the promise of security will continue to be used as a veil for the erosion of fundamental human rights.
The fight against the misuse of Pegasus is no longer just a technical issue for cybersecurity researchers; it has become a defining struggle for the future of European democracy. The question remains: will the European Union finally prioritize the privacy and safety of its citizens and representatives, or will the "spyware-for-hire" industry continue to operate in the shadows, unchallenged and unchecked?
The answer to that question will determine whether the "rule of law" is a guiding principle or merely an empty phrase in the face of the encroaching surveillance state.

