A new report from the University of Toronto's Citizen Lab has confirmed that former Greek Member of the European Parliament Stelios Kouloglou was repeatedly hacked with NSO Group's Pegasus spyware while serving on the very committee tasked with investigating the abuse of such tools across Europe. The case marks the first publicly confirmed instance of a PEGA committee member being infected with Pegasus during their tenure on the inquiry.
Who Is Stelios Kouloglou?
Kouloglou is a prominent Greek investigative journalist who was elected to the European Parliament in 2015. From March 24, 2022 to July 18, 2023, he served as a substitute member of the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA Committee) — the parliamentary body established to investigate revelations from the 2021 Pegasus Project about European governments using commercial spyware to target journalists, activists, lawyers, and politicians.
In short: a committee created to investigate spyware had one of its own members hacked with the spyware they were investigating.
Three Confirmed Infections
Citizen Lab's forensic analysis of Kouloglou's iPhone documented three successful Pegasus infections, all occurring during critical periods of committee activity:
| Date | Location | Committee Context |
|---|---|---|
| October 21, 2022 | Greece (hospitalized) | Preceding major committee hearings; initial report drafting on spyware abuses in Cyprus, Greece, Hungary, Poland, and Spain |
| March 6, 2023 | Brussels | Traveling from Athens for committee hearings; final report drafting phase |
| March 7, 2023 | Brussels | Consecutive infection during same Brussels trip |
The timing is significant. Both the October 2022 and March 2023 infections fell during windows of maximum sensitivity for the committee — when confidential deliberations, draft findings, and internal communications would have been most valuable to any party under investigation.
What Data Could Have Been Exposed?
Once installed, Pegasus provides near-total access to a target's device. In Kouloglou's case, the infections could have exposed:
- Confidential communications between PEGA committee members and staff
- Non-public draft findings on spyware abuse in specific EU member states
- Internal deliberations about committee strategy and evidence
- Source identities if Kouloglou was communicating with journalists or whistleblowers
- Contact lists and metadata of other investigators, witnesses, and officials
As Citizen Lab noted, the attacker "could have had access to confidential documents and committee deliberations" — potentially including information about parties who were themselves under investigation by the committee.
Attribution: No Conclusion, But Notable Overlap
Citizen Lab explicitly stated it did not attribute the hacking to a particular government and found "no indications that the Greek Government is responsible." However, researchers identified a significant overlap between the first October 2022 infection and a previously identified Pegasus campaign targeting Russian and Belarusian-speaking exiled journalists and activists in Europe.
This suggests the attacker is "a Pegasus customer with authorization to spy in multiple European countries" — narrowing the field of possible operators while stopping short of naming one.
The Profound Irony
The PEGA Committee was established specifically because European governments had been found to have weaponized commercial spyware against citizens. Its mandate was to shine a light on these abuses and propose legislative remedies. The revelation that one of its members was simultaneously being surveilled — potentially by a government the committee was investigating — strikes at the legitimacy of European parliamentary oversight itself.
As one analyst summarized: "Someone infected a spyware probe overseer with spyware."
NSO Group Response and Kouloglou's Plans
NSO Group declined to comment on the Citizen Lab report. The company has historically maintained that it licenses Pegasus only to vetted government customers for lawful purposes and terminates contracts with abusive operators — though critics note the company has limited ability to enforce these claims after sale.
Kouloglou told TechCrunch that he plans to sue NSO Group, stating he believes he was targeted because of his committee work. He said he did not know specifically which government was responsible.
Broader Context: PEGA Committee's Track Record
The PEGA Committee was not the first EP body to experience member targeting. European Parliament President Roberta Metsola and other MEPs have previously been targeted with Pegasus and similar tools. The committee's final report, adopted in May 2023, called for an EU-wide ban on spyware used against EU citizens and called out Greece, Hungary, Spain, and Poland by name for documented abuses.
The revelation that the committee was itself surveilled during its work raises serious questions about whether its investigation was compromised and whether the evidence or conclusions it gathered were ever shared with the parties under scrutiny.
References
- Citizen Lab — Espionage Against the European Parliament
- The Hacker News — European Parliament Member Investigating Spyware Was Hacked With Pegasus
- TechCrunch — Politician who investigated spyware abuses had his phone hacked with Pegasus
- The Record — Spyware found on phone of European Parliament member probing it
- Security Affairs — Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds