Pegasus spyware hacked Greek lawmaker Stelios Kouloglou

A Greek politician who spent two years investigating government abuse of phone spyware is himself a victim of it. A new report from Citizen Lab found Pegasus spyware on his phone. It is the first confirmed case of a European Parliament committee member becoming a target of the tool he was investigating.

Stelios Kouloglou, a Greek journalist and former member of the European Parliament, served on the Parliament’s PEGA committee. Lawmakers formed the committee to investigate how European governments used Pegasus spyware against journalists, lawmakers, and political critics. Citizen Lab, the digital rights research unit at the University of Toronto, found Pegasus infected his phone in October 2022 and twice more in March 2023.

How the Pegasus spyware breached his phone

Citizen Lab traced the intrusions to a zero-click exploit. It abused a flaw in Apple‘s smart home software on iPhones. Apple had already patched the vulnerability, but the fix had not yet reached Kouloglou’s device. The exploit needed no interaction from him. It pulled his text messages, location data, and photos without leaving an obvious trace.

Researchers did not attribute the hacking to a specific government. They did find that the attacker reused Pegasus-linked email infrastructure. The same infrastructure had shown up in a separate campaign against journalists elsewhere in Europe, suggesting the customer behind both operations held NSO Group‘s authorization to run Pegasus across multiple countries.

Timing lines up with hearings and a hospital stay

The October 2022 hack occurred as PEGA committee members exchanged messages ahead of a draft report on spyware abuses in Cyprus, Greece, Hungary, Poland, and Spain. Kouloglou spent that stretch in the hospital for a pre-scheduled surgery, raising the possibility the spyware also captured ambient audio from conversations with doctors or visitors.

The March hacks hit his phone while he traveled from Athens to Brussels during committee hearings, months before PEGA adopted its final report. Kouloglou told TechCrunch he has no direct evidence of who ordered the surveillance. Still, he believes it stemmed from his work on the committee. “You realize that all of your personal data [was taken], not all the professional exchanges or messages with ministers, but also the very private things, like the happy moments and the sad moments,” he said.

One serving member of the European Parliament called the hacking of a PEGA investigator a direct attack on the rule of law. That lawmaker urged the European Commission to impose strict limits on spyware use across the bloc’s 27 member states. The Commission did not respond to a request for comment. Neither did NSO Group, the Israeli company behind Pegasus.

Kouloglou called the surveillance reckless. He said he plans to sue NSO Group, which remains largely barred from operating in the United States under a Biden-era executive order restricting government use of spyware capable of violating human rights. Last year, the company confirmed an unnamed American investment group had funneled tens of millions of dollars into the business. Many read the move as an attempt to rehabilitate NSO’s reputation after years of association with abuses against journalists and dissidents.

Kouloglou said he chose to share his story for democracy, human rights, and the fight against corruption. “Corruption concerns everybody,” he said.