Stelios Kouloglou, a journalist-turned-European Parliament member, discovered that his iPhone fell victim to NSO Group's notorious Pegasus spyware on at least two separate occasions during 2022 and 2023, precisely when he was actively investigating the surveillance technology's proliferation across Europe. The revelation, published by the University of Toronto's Citizen Lab on July 3, exposes a stark irony at the heart of Europe's ongoing battle against state-sponsored digital surveillance: those attempting to curb the technology's abuse have themselves become targets.
The Israeli firm NSO Group, which declined to comment on the findings, markets Pegasus exclusively to government and law enforcement bodies, ostensibly for tracking terrorism and serious criminal activity. Once deployed on a target device, the spyware grants operators sweeping access to the phone's contents—voice calls, encrypted messages, and stored data can all be monitored remotely. The technology represents the cutting edge of digital espionage tools, capable of operating with extraordinary stealth through sophisticated methods that require no user interaction to succeed.
Yet repeated investigations and journalistic exposés have documented systematic abuse of this capability. Governments have weaponized Pegasus against journalists, human rights activists, and political rivals far more frequently than against any terrorist cells. The pattern represents a perversion of the tool's stated purpose, transforming it into an instrument of political control and information gathering on domestic opponents. Kouloglou's own experience exemplifies this troubling reality with particular clarity.
At the time his device was compromised, Kouloglou served on the European Parliament's PEGA Committee, specifically tasked with examining the trade in surveillance technologies and their impact on democratic freedoms. The committee's investigation culminated in a 2023 report that characterised such tools as fundamental threats to democracy and human rights, recommending strengthened European Union regulations on their sale and deployment. The targeting of an active member engaged in this oversight work suggests either deliberate intimidation or a reckless disregard for the political independence of those examining state conduct.
Kouloglou's hacked device contained sensitive materials that extend well beyond parliamentary work. The compromised iPhone held correspondence with Alexis Tsipras, Greece's former prime minister, alongside private medical records and contact information for journalists. The breadth of exposed material indicates not a narrowly targeted counter-terrorism operation but rather a comprehensive intelligence-gathering exercise on a political figure and his professional networks. While Kouloglou has stated his intention to identify the responsible party, he acknowledges uncertainty about which government orchestrated the attack.
Citizen Lab's technical analysis reveals that one intrusion employed a zero-click exploit, among the most sophisticated infiltration methods available in the digital espionage arsenal. Such techniques require neither user deception nor accidental clicks on malicious links; the device simply becomes compromised through passive exposure to the exploit. The operational complexity and resource intensity of zero-click attacks indicate involvement by a state actor with substantial technical capability and resources. The choice to deploy such advanced methods against a European politician suggests either exceptional perceived importance or deliberate intimidation through a show of technological prowess.
Although NSO executives maintain that Pegasus targets only serious criminals and extremists, the Citizen Lab report documents that the entity responsible for Kouloglou's hacking also targeted seven Russian and Belarusian-speaking independent journalists and opposition activists living across Europe. This clustering of targets—a European Parliament investigator alongside Russian and Belarusian dissidents—points toward state-level adversaries with geopolitical motivations rather than ordinary law enforcement operations. The pattern implicates either Eastern European state actors or their Western counterparts acting with impunity.
Kouloglou's case marks a watershed moment in Europe's spyware crisis, though not the first documented targeting of MEPs. Four Catalan lawmakers faced NSO infiltration between 2019 and 2020, while a French representative experienced compromise in 2023. These earlier incidents, however, involved former or politically marginal figures. Kouloglou's hacking stands unique as the first confirmed breach of an active PEGA committee member—an individual officially responsible for investigating the very surveillance technology that targeted him. The symbolic resonance amplifies the scandal's significance.
John Scott-Railton of Citizen Lab characterised the situation as constituting "the ultimate irony of Europe's spyware crisis," highlighting that a continent struggling to regulate digital surveillance has failed to protect those tasked with oversight. The European Commission has responded with measured language about addressing illegal spyware use through various legislative and administrative mechanisms, yet such statements ring hollow when active investigators remain unprotected. The Commission's assertion that illegally accessing citizen data is "unacceptable" contradicts the reality that such access continues systematically and with apparent impunity.
Sophie in 't Veld, the Dutch former MEP who led the PEGA committee's investigation, rejects framing Kouloglou's case as isolated. Instead, she characterises it as symptomatic of a broader "system" of abuse sustained by institutional paralysis. For five years, she notes, those responsible for spyware misuse have faced zero accountability or consequences. No meaningful enforcement action has followed documented abuses; no governments have faced serious penalties; no executives or state officials have been prosecuted. The absence of consequences perpetuates the abuse cycle, ensuring that surveillance capabilities will continue flowing to authoritarian regimes and democracies alike, deployed against journalists and dissidents with equal abandon.
For Southeast Asian observers, Kouloglou's experience carries sobering implications. The region's own struggles with surveillance technology, digital repression, and the targeting of journalists and activists suggest that NSO's Pegasus and similar tools may already operate within national security frameworks across Asia. If European states deploy such technology against their own political oversight mechanisms, the likelihood of restraint in Southeast Asia—where democratic institutions remain more fragile—appears minimal. The case underscores that no individual or institution, regardless of position or resources, remains safe from state surveillance once such capabilities enter a government's arsenal.
