The Pegasus spyware PEGA committee set up by the European Parliament to investigate government surveillance abuses has itself become a surveillance target: Citizen Lab has confirmed that Greek journalist and former MEP Stelios Kouloglou had his phone compromised with Pegasus during 2022 and 2023, while serving on the committee probing its misuse.
It is the first time a PEGA committee member has been publicly identified as a Pegasus victim, and the timing lands with some precision: the hacks coincide almost exactly with the committee’s most sensitive deliberative moments.
What Citizen Lab’s forensic analysis found
According to the University of Toronto’s Citizen Lab, Kouloglou’s phone was hacked in October 2022 and at least twice during March 2023. The method was a zero-click exploit, meaning no tap, click, or interaction from Kouloglou was needed. The spyware abused a flaw in Apple’s smart home software built into iPhones, a vulnerability that had been patched but not yet installed on his device at the time.
The data taken included text messages, other correspondence, location data, and photos. Researchers also found that the attackers could have accessed confidential documents and committee deliberations stored on the device.
The October 2022 compromise lines up with intense internal email and text discussions ahead of a first draft report covering spyware abuses in Cyprus, Greece, Hungary, Poland, and Spain. Kouloglou was also hospitalised that month for pre-scheduled surgery, which may have given the spyware operators access to ambient audio from conversations with hospital visitors.
The March 2023 intrusions (on 6 and 7 March) occurred while Kouloglou travelled from Athens to Brussels for committee hearings, months before the committee finalised its written report.
Pegasus spyware PEGA committee: the investigation under investigation
The PEGA committee was established on 10 March 2022, following the 2021 Pegasus Project revelations that European governments had used commercial spyware against journalists, activists, and politicians. Kouloglou served as a substitute member from 24 March 2022 to 18 July 2023, according to the Citizen Lab report.
The committee ran for 14 months of hearings, studies, and fact-finding missions before adopting its final report on 8 May 2023. The European Parliament’s Think Tank notes that on 15 June 2023, the Parliament adopted a formal recommendation calling on the European Commission, the Council, Europol, and several member states to act on the committee’s findings.
Those findings were stark. The committee’s final report concluded that in Hungary, spyware use had been ‘part of a calculated and strategic campaign to destroy media freedom and freedom of expression by the government,’ and in Poland, Pegasus served as ‘a system for the surveillance of the opposition and critics of the government, designed to keep the ruling majority and the government in power.’
Hacking the person compiling that evidence, using the tool he was compiling it about, is the kind of irony that writes its own punchline. One serving European lawmaker quoted in the Citizen Lab report called it a ‘direct attack on the rule of law’ and demanded the European Commission impose strict limits on spyware use across the 27-member bloc.
Citizen Lab did not attribute the hacking to a specific country. The researchers noted, though, that the government customer used the same Pegasus-loaded email address deployed in a previous campaign that compromised journalists’ phones across Europe. The reuse suggests the customer held NSO Group’s authorisation to operate Pegasus across multiple European countries.
Kouloglou told TechCrunch he did not know precisely why he was targeted but believes it was because of his committee work. His response when he learned about the hack: ‘You realize that all of your personal data [was taken] (not all the professional exchanges or messages with ministers) but also the very private things, like the happy moments and the sad moments.’ He said he plans to sue NSO Group and is speaking publicly ‘for democracy, human rights, and the fight against corruption.’
NSO Group did not respond to a request for comment before publication. The European Commission also did not respond.
NSO is already largely barred from operating in the United States following a Biden-era executive order. The company has been in discussions with a US investor group identified as Integrity Partners over a possible $300 million cash infusion, according to the Times of Israel, as it attempts to rehabilitate a brand now permanently associated with hacking journalists, dissidents, and, as it turns out, the very committee tasked with holding it to account.
The European Commission’s response, when it comes, will be the next thing worth watching.
