The Investigation That Became the Target

Stelios Kouloglou spent months digging into the darkest corners of European digital surveillance. As a member of the European Parliament’s PEGA committee, his job was to expose how governments were using military-grade spyware to monitor journalists, activists, and political rivals. He didn't realize that while he was investigating the tool, the tool was investigating him.

Security researchers at the University of Toronto’s Citizen Lab have confirmed that Kouloglou’s iPhone was compromised by Pegasus spyware on at least three separate occasions between 2022 and 2023. It is the first time a member of the committee tasked with policing these abuses has been publicly identified as a victim of the very technology they were probing. The discovery transforms a policy debate into a direct confrontation between state-sponsored surveillance and the rule of law.

A Zero-Click Breach

The attacks were surgical. Citizen Lab found that the spyware used a "zero-click" exploit, a sophisticated method that breaches a device without requiring any interaction from the user. By leveraging a previously known vulnerability in Apple’s HomeKit software, the attackers gained total access to Kouloglou’s private life.

They didn't just see his emails. The spyware could pull location data, photos, and text messages. In October 2022, the breach occurred while Kouloglou was hospitalized for surgery. The timing suggests the operators may have been listening to ambient audio, capturing private conversations with doctors and family members during a moment of personal vulnerability. The subsequent hacks in March 2023 coincided with high-stakes committee hearings in Brussels, just as the group was finalizing its report on spyware abuses in countries like Greece, Poland, and Hungary.

The Fingerprints of a State Actor

While Citizen Lab could not definitively name the government behind the attack, the digital breadcrumbs are telling. The hackers used the same Pegasus-loaded email address that had been linked to previous campaigns targeting journalists across Europe. This reuse of infrastructure implies that the operator was not a rogue actor, but a government customer with broad authorization from NSO Group to conduct surveillance across multiple borders.

For Kouloglou, the realization was jarring. "You realize that all of your personal data [was taken]—not all the professional exchanges or messages with ministers—but also the very private things, like the happy moments and the sad moments," he told TechCrunch. He is now preparing to sue NSO Group, the Israeli-headquartered firm that develops the software. NSO has remained largely silent, failing to respond to requests for comment regarding the Citizen Lab report.

Key Takeaways

  • Unprecedented Oversight Breach: This is the first confirmed case of a member of the European Parliament’s PEGA committee being targeted by the very spyware they were investigating.
  • Zero-Click Vulnerability: The attackers used a sophisticated exploit targeting Apple’s HomeKit, allowing them to siphon data without the victim ever clicking a link or opening a file.
  • Systemic Impunity: The reuse of specific attack infrastructure suggests a government customer with wide-reaching authorization to deploy Pegasus, raising urgent questions about how the EU can regulate its own member states.

The Road Ahead for EU Regulation

The incident has sent shockwaves through the European Parliament. One lawmaker described the hack as a "direct attack on the rule of law," intensifying calls for the European Commission to move beyond rhetoric and impose strict, binding limits on spyware usage across the 27-member bloc.

Despite a U.S. executive order that effectively blacklisted NSO Group from American government use, the company continues to operate in other jurisdictions, bolstered by recent infusions of private investment. As Kouloglou prepares his legal challenge, the focus shifts to whether the European Commission will finally treat these intrusions as a systemic threat to democracy rather than an isolated technical failure. The next committee session will be the first test of whether the Parliament can protect its own members from the tools they are sworn to regulate.