In a development that has sent shockwaves through the corridors of the European Union, security researchers have confirmed that a high-ranking European politician was surreptitiously compromised by Pegasus, the military-grade spyware developed by the Israeli firm NSO Group. The victim, Stelios Kouloglou—a former member of the European Parliament (MEP) and a veteran journalist—was targeted while serving on the very committee tasked with investigating the illicit use of such surveillance technologies by European governments.
The confirmation, provided by the University of Toronto’s renowned digital rights watchdog, The Citizen Lab, marks a chilling milestone: it is the first time a member of the European Parliament’s PEGA committee has been publicly identified as a victim of the spyware they were actively investigating. This revelation has reignited a fierce debate over the erosion of privacy, the vulnerability of democratic institutions, and the persistent misuse of state-sponsored surveillance tools to monitor political dissidents and critics.
The Anatomy of the Compromise
The Citizen Lab’s report, released Friday, details a sophisticated series of digital incursions. Kouloglou’s iPhone was targeted multiple times between late 2022 and early 2023. Forensic analysis revealed that the attacks utilized a "zero-click" exploit, a highly advanced method that allows the spyware to infiltrate a device without requiring the user to click a malicious link or take any action.
The exploit leveraged a specific, previously discovered vulnerability in Apple’s HomeKit framework. Once the security perimeter was breached, the spyware functioned as a silent, omniscient observer, granting the operator unauthorized access to the entirety of Kouloglou’s digital life. This included his encrypted text messages, location history, private photos, and even ambient audio captured by the phone’s microphone.
A Chronology of Surveillance
The timeline of the attacks appears meticulously aligned with the most sensitive phases of the PEGA committee’s work:
- October 2022: As the committee engaged in intense deliberations regarding the drafting of a report investigating spyware abuses in Cyprus, Greece, Hungary, Poland, and Spain, Kouloglou’s device was compromised. Coincidentally, this period saw the politician hospitalized for a pre-scheduled surgery. The breach during this time likely allowed attackers to monitor private conversations regarding his health and personal affairs, as well as sensitive professional communications.
- March 2023: Months later, as the committee neared the finalization of its findings, Kouloglou was targeted again. The Citizen Lab identified two distinct hacking attempts on March 6 and 7, occurring as the politician traveled between Athens and Brussels for committee hearings.
The precision of these dates suggests that the attackers were not merely engaging in indiscriminate data collection; they were monitoring the committee’s internal strategy and the flow of information during critical legislative windows.
The "Smoking Gun" and the NSO Group Connection
While The Citizen Lab could not definitively name the specific government entity responsible for the hack, the forensic trail points to a repeat offender. Researchers observed that the hacking campaign utilized the exact same Pegasus-linked email address used in previous, documented surveillance operations against European journalists.
The reuse of this specific digital signature implies that the customer operating this instance of Pegasus held broad authorization from NSO Group to conduct surveillance across multiple European jurisdictions. This raises uncomfortable questions for the Israeli firm, which has consistently claimed that its software is sold exclusively to vetted government agencies for the sole purpose of fighting terrorism and major crime.
The incident involving Kouloglou suggests a significant disconnect between NSO Group’s stated "ethical" safeguards and the reality of how their tools are wielded in the field. When asked about the report, NSO Group did not provide a comment, maintaining its characteristic silence in the face of mounting evidence regarding the misuse of its technology.
A Direct Attack on the Rule of Law
The fallout from the investigation has been swift and condemnatory. Kouloglou, speaking to TechCrunch, did not mince words, describing the intrusion as "reckless" and a gross violation of his fundamental rights.
"You realize that all of your personal data—not just the professional exchanges or messages with ministers—but also the very private things, like the happy moments and the sad moments, were taken," Kouloglou remarked. His frustration is palpable, and he has signaled his intent to initiate legal action against NSO Group, seeking to hold the company accountable for the systemic abuse of its product.
Other European lawmakers have characterized the breach as an existential threat to the democratic process. One sitting MEP described the hacking of a colleague as a "direct attack on the rule of law," arguing that if those tasked with oversight are themselves the targets of illegal surveillance, the entire mechanism of parliamentary accountability is compromised. These leaders are now demanding that the European Commission pivot from rhetoric to concrete action, calling for strict, legally binding limits on the procurement and use of commercial spyware across the 27-member bloc.
The Implications for Democracy and Privacy
The targeting of Kouloglou is not merely an isolated security breach; it is a symptom of a larger, systemic crisis. As governments increasingly adopt "off-the-shelf" cyber-surveillance capabilities, the line between legitimate law enforcement and political espionage has become dangerously blurred.
The fact that the Pegasus spyware was used to probe a committee designed to investigate that very spyware represents a cynical "loop" of surveillance. It serves as a deterrent against transparency and a tool for political intelligence gathering. Critics argue that the availability of such powerful tools enables governments to bypass judicial oversight, effectively turning the digital devices of journalists and politicians into instruments of state control.
The Financial and Political Context
The narrative surrounding NSO Group is further complicated by recent financial shifts. Despite being blacklisted by the U.S. government due to documented human rights abuses, the company has sought to rebrand and stabilize its operations. Last year, NSO Group confirmed that an unnamed American investment group had injected tens of millions of dollars into the firm.
Industry analysts suggest this capital infusion is part of a broader, high-stakes effort to rehabilitate NSO’s reputation and secure a foothold back into Western markets. However, the Kouloglou case provides a compelling argument for those who maintain that the underlying technology is fundamentally incompatible with democratic norms.
Conclusion: A Call for Accountability
As the European Parliament continues to grapple with the findings of the PEGA committee, the case of Stelios Kouloglou stands as a stark warning. The digital age has granted states unprecedented power, but it has also created a vacuum of accountability.
Kouloglou’s decision to go public with his experience—risking further scrutiny in the name of "democracy, human rights, and the fight against corruption"—highlights the necessity of international cooperation in regulating the spyware trade. Whether the European Commission will heed these calls and enact meaningful reform remains to be seen. In the meantime, the silent, invisible presence of Pegasus continues to loom over European politics, serving as a reminder that in an age of total surveillance, the most guarded secrets are often the most vulnerable.
For now, the investigation into the specific identity of the state actor remains ongoing. However, the chilling effect on the European Parliament is already realized. As Kouloglou aptly stated, "Corruption concerns everybody." In this case, the corruption is not just the act of spying, but the culture of impunity that allows such tools to be used against the very architects of the law.
