The Pegasus spyware hacking of a sitting European Parliament investigator, carried out while he was actively probing the tool’s abuse by governments and now confirmed by forensic researchers, has sharpened calls for the European Commission to impose binding limits on surveillance software across the bloc.
Citizen Lab, the University of Toronto’s digital rights research unit, confirmed that Stelios Kouloglou, a Greek journalist and former politician, had his iPhone compromised in October 2022 and at least twice during March 2023. Kouloglou served as a substitute member of the European Parliament’s PEGA Committee from 24 March 2022 to 18 July 2023, making him the first member of that body to be publicly identified as a Pegasus victim.
Kouloglou told TechCrunch the compromise of his device was ‘reckless.’ One serving European lawmaker described it as a ‘direct attack on the rule of law.’
The Pegasus Spyware Hacking in Detail
The attacks exploited a ‘zero-click’ vulnerability in Apple’s iPhone software, meaning no interaction from Kouloglou was required. Apple had already patched the flaw, but the update had not yet been installed on his device, leaving it exposed. By abusing a weakness in Apple’s smart home software, the operators were able to extract text messages, correspondence, location data, and photographs without his knowledge.
The October 2022 hack coincided with intensive email and text exchanges among committee members ahead of a first draft report detailing spyware abuses in Cyprus, Greece, Hungary, Poland, and Spain. Kouloglou was hospitalised at the time for pre-scheduled surgery, a circumstance that may have given operators an opportunity to capture ambient audio from visitor conversations. According to Citizen Lab’s forensic analysis of his device, the attackers could have gained access to confidential documents and committee deliberations.
On 6 and 7 March 2023, the same Pegasus operator struck again as Kouloglou travelled from Athens to Brussels during a period of committee hearings, months before the committee finalised its written report.
Citizen Lab did not attribute the hacking to a specific government, but noted that the attacker reused the same email address that had been used to deliver Pegasus in an earlier campaign against journalists across Europe. The reuse implies the customer held NSO Group’s authorisation to operate the spyware across multiple countries.
‘You realise that all of your personal data [was taken], not all the professional exchanges or messages with ministers, but also the very private things, like the happy moments and the sad moments,’ Kouloglou said. He confirmed plans to sue NSO Group, the Israeli-headquartered spyware maker.
A Committee Under Surveillance
The PEGA Committee was established on 10 March 2022 in the aftermath of the 2021 Pegasus Project, the cross-border investigation that revealed European governments had deployed spyware against journalists, activists, politicians, and ordinary citizens. Chaired by MEP Jeroen Lenaers and with MEP Sophie in ’t Veld as rapporteur, the committee spent 14 months conducting hearings, studies, and fact-finding missions to Israel, Poland, Greece, Cyprus, Hungary, and Spain before adopting its final report on 8 May 2023.
The conclusions were severe. The PEGA Committee’s final report found that in Hungary, spyware use had been ‘part of a calculated and strategic campaign to destroy media freedom and freedom of expression by the government.’ In Poland, Pegasus was described as ‘part of a system for the surveillance of the opposition and critics of the government, designed to keep the ruling majority and the government in power.’
The committee recommended that spyware deployment be permissible only in member states where abuse allegations had been thoroughly investigated, national legislation had been aligned with Venice Commission guidelines and relevant European court case law, Europol had been involved in the investigations, and export licences that breached export control rules had been revoked. On 15 June 2023, the European Parliament adopted its formal recommendation calling on the European Commission, the Council, the European Ombudsman, Europol, and a number of member states to act.
The confirmation that Kouloglou was surveilled during the very period his committee was compiling those findings illustrates the gap between the Parliament’s recommendations and ground-level compliance. NSO Group did not respond to a request for comment before Citizen Lab published its report. NSO remains broadly banned from use by the United States government under a Biden-era executive order. Last year the company confirmed that an unnamed American investment group had funnelled tens of millions of dollars into the firm, widely interpreted as an attempt to rehabilitate its reputation.
Kouloglou said he was going public ‘for democracy, human rights, and the fight against corruption.’ Whether the European Commission converts the Parliament’s 2023 recommendations into enforceable law, or lets them gather dust, will determine whether the next committee investigator faces the same risk.
