Key Takeaways

- Greek journalist and MEP Stelios Kouloglou was hacked with Pegasus spyware in 2022 and 2023 while serving on the EU committee investigating spyware abuses
- The timing of the hacks coincided with critical committee discussions and draft report preparations
- Kouloglou plans to sue NSO Group and is calling for strict EU-wide limits on government spyware use

A Greek MEP investigating government spyware abuses was himself hacked with Pegasus, the very surveillance tool his committee was probing. Security researchers at The Citizen Lab confirmed Friday that Stelios Kouloglou's phone was compromised at least three times between October 2022 and March 2023, while he served on the European Parliament's PEGA committee.
The irony is sharp, but the implications are sharper. This marks the first confirmed case of a PEGA committee member being publicly identified as a spyware victim. Someone with access to NSO Group's Pegasus tool decided that monitoring the people investigating spyware was worth the risk of exposure.
When were the attacks and what did they access?
Citizen Lab documented three separate intrusions. The first occurred in October 2022, during intense committee discussions about a draft report covering spyware abuses in Cyprus, Greece, Hungary, Poland, and Spain. Kouloglou was in the hospital for a pre-scheduled surgery at the time, meaning the spyware operators may have captured ambient audio of his healthcare conversations and visitor interactions.
The second and third attacks hit on March 6 and 7, 2023, as Kouloglou traveled from Athens to Brussels for committee hearings. This was months before the committee finalized its written report.
All three attacks exploited a zero-click vulnerability in Apple's iPhone software. The flaw existed in Apple's HomeKit smart home framework. Apple had released a patch, but Kouloglou hadn't installed it yet. The exploit required no action from him. No suspicious link, no fake login page. The spyware simply broke in and began extracting text messages, location data, photos, and other correspondence.
Who ordered the surveillance?
Citizen Lab did not attribute the attack to a specific government. But researchers noted that the same Pegasus-loaded email address used against Kouloglou had previously targeted journalists across Europe in an earlier campaign. The reuse suggests a single NSO customer with authorization to operate across multiple European countries.
That detail matters. NSO Group has long claimed it sells Pegasus only to vetted government clients for legitimate law enforcement purposes. If one customer can target journalists in multiple countries and then pivot to surveilling a European Parliament investigator, the vetting process isn't working as advertised.
NSO Group did not respond to TechCrunch's request for comment. Neither did the European Commission.
What does the target say?
Kouloglou called the compromise "reckless" in a phone interview with TechCrunch. He believes his committee work made him a target, though he said he doesn't know why he was specifically chosen.
“You realize that all of your personal data was taken — not all the professional exchanges or messages with ministers — but also the very private things, like the happy moments and the sad moments.”
— Stelios Kouloglou, Greek MEP and journalist
He plans to sue NSO Group. He also wants the European Commission to impose strict limits on spyware use across all 27 member states. One serving European lawmaker described the hacking as a "direct attack on the rule of law."
NSO Group's troubled position
NSO Group remains largely banned from U.S. government use following a Biden-era executive order that prohibited spyware tools posing human rights risks. The company has tried to rehabilitate its image. Last year, an unnamed American investment group reportedly funneled tens of millions of dollars into NSO, presumably betting the company can outlast its current pariah status.
The Citizen Lab has documented Pegasus operations in at least 45 countries. The 2021 Pegasus Project investigation identified over 50,000 phone numbers in a leaked database of potential targets. At least 14 EU member states have reportedly purchased the spyware, according to PEGA committee findings.
Licensing Pegasus reportedly costs governments around $8 million per year, with individual phone hacks priced at roughly €1 million each. These aren't tools for investigating petty crime. They're designed for high-value targets, which increasingly include the people investigating the tools themselves.
The defense problem
Zero-click exploits are particularly difficult to defend against because they require no user mistake. John Scott-Railton, a senior researcher at Citizen Lab, has noted that "there is no way to protect yourself against Pegasus. It's not like other malware where if you're careful you're safe."
Apple has released Lockdown Mode, an optional iPhone setting that disables many features Pegasus exploits, but it comes with significant usability tradeoffs. Most users, including most politicians, don't enable it.
Logicity's Take
The timing of these hacks wasn't coincidental. Hitting a committee investigator during sensitive drafting periods and travel to hearings suggests the attacker wanted real-time intelligence on the investigation's direction. For CTOs and security leaders, the lesson is grimmer than usual: even if your organization isn't a spyware target, your employees who serve on industry boards, regulatory committees, or standards bodies might be. Mobile device management tools from vendors like Jamf, Microsoft Intune, or Kandji can enforce faster patch deployment, but zero-click exploits often outpace available fixes. The only reliable mitigation is assuming compromise and compartmentalizing sensitive communications accordingly.
Frequently Asked Questions
What is Pegasus spyware?
Pegasus is a military-grade surveillance tool developed by Israel-based NSO Group. It can remotely access smartphones, extracting messages, emails, photos, location data, and ambient audio without the user's knowledge or interaction.
What was the PEGA committee investigating?
The European Parliament's PEGA committee was established to investigate how EU member state governments used Pegasus and similar spyware to target journalists, politicians, and critics, particularly in Greece, Hungary, Poland, and Spain.
How can organizations protect against zero-click exploits?
There is no foolproof defense. Best practices include enabling Apple's Lockdown Mode on iPhones, installing security updates immediately, and using separate devices for sensitive communications. Assume compromise is possible and compartmentalize accordingly.
Is Pegasus legal to use?
NSO Group claims it sells only to government clients for lawful purposes. However, documented abuses have led to U.S. government bans and ongoing litigation. Legality varies by jurisdiction and intended use.
Source: TechCrunch / Zack Whittaker
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.