Jul 05, 2026 · 5 min read
Pegasus Hacked the EU Lawmaker Investigating It
Citizen Lab found forensic evidence that Stelios Kouloglou, a substitute member of the European Parliament's own committee investigating Pegasus spyware abuse, was infected with Pegasus twice while that committee was drafting its findings.
The European Parliament created the PEGA Committee in 2022 for one purpose: investigate how NSO Group's Pegasus spyware was used against politicians, journalists, and activists across the EU. According to a July 3, 2026 report from Citizen Lab, one of the people who served on that committee was himself infected with Pegasus, twice, while the investigation was underway.
Key Takeaways
- Citizen Lab confirmed Stelios Kouloglou, a Greek journalist and former MEP who sat on the PEGA Committee investigating Pegasus abuse, was infected with Pegasus on October 21, 2022, and again on March 6 to 7, 2023.
- Both infections used PWNYOURHOME, a zero click exploit that required no action from Kouloglou and targeted an iPhone running iOS 15.5.
- The October 2022 infection occurred while the PEGA Committee was actively drafting its findings on European spyware abuse.
- Researchers found technical overlap with a separate campaign targeting exiled Russian and Belarusian journalists, pointing to a well resourced government operator rather than a random client.
- Kouloglou says the stolen data included personal messages and photos, not just professional communications, and plans to sue NSO Group.
Who Is Stelios Kouloglou and Why Was He Targeted?
Stelios Kouloglou is a Greek investigative journalist and former member of the European Parliament with Greece's SYRIZA party. Between March 2022 and July 2023, he served as a substitute member of the PEGA Committee, the body the European Parliament stood up specifically to investigate how governments across Cyprus, Greece, Hungary, Poland, and Spain deployed Pegasus and similar spyware against their own citizens, journalists, and political opposition.
That role makes Kouloglou an unusually pointed target. He was not a bystander to Europe's spyware scandal; he was one of the people the European Parliament tasked with exposing it. Citizen Lab's forensic analysis, published as Report #194, found that his iPhone was compromised through the same Pegasus infrastructure his committee existed to scrutinize.
How Did the Pegasus Infection Happen?
Citizen Lab documented two separate infections. The first occurred on October 21, 2022, while Kouloglou was hospitalized in Greece. The second happened March 6 to 7, 2023, while he was traveling from Athens to Brussels, coinciding with committee hearings. Both used PWNYOURHOME, a zero click exploit chain that targeted a vulnerability tied to Apple's HomeKit and an associated email address, requiring no click, download, or interaction from Kouloglou to succeed.
Forensic traces showed the device, running iOS 15.5 at the time, received Pegasus processes over mobile data. Apple separately sent Kouloglou three official threat notifications warning his device may have been targeted by state sponsored spyware, dated March 2, 2023, August 29, 2023, and April 10, 2024 — meaning Apple's own detection systems flagged the activity on three distinct occasions over roughly 13 months.
Who Is Behind the Attack?
Citizen Lab was careful not to attribute the infections to a specific NSO Group government customer. What its researchers did find is technical overlap between the infrastructure used against Kouloglou and a separate Pegasus campaign that targeted exiled Russian and Belarusian journalists living in Europe. That overlap suggests a single operator with the ability to deploy Pegasus against targets across multiple European countries, rather than a narrowly scoped domestic surveillance program.
Neither the European Commission nor NSO Group responded to requests for comment from TechCrunch. NSO Group has consistently maintained that it only sells Pegasus to vetted government clients for use against serious criminals and terrorists — a claim that is difficult to square with a sitting member of the EU's own spyware oversight committee ending up as a target while that committee was actively working.
What Happens Next?
Kouloglou has said he plans to sue NSO Group, and has gone public with the findings citing democracy, human rights, and the fight against corruption as his reasons for speaking out. Describing what the spyware exposed, he told TechCrunch: "You realize that all of your personal data [was taken] — not all the professional exchanges or messages with ministers — but also the very private things."
This is not an isolated finding. Poland has separately charged its own former intelligence chiefs for using Pegasus against 600 political targets, and Hungary has moved in the opposite direction, charging a journalist with espionage after she exposed domestic Pegasus ties. Kouloglou's case adds a new data point to the same pattern: the institutions and people tasked with holding spyware vendors accountable keep turning out to be targets themselves.
Why This Matters Beyond One Lawmaker
The PEGA Committee's entire premise was that European institutions could investigate and rein in spyware abuse by European governments. A member of that committee being hacked with the exact spyware under investigation, while the investigation was happening, is close to the strongest possible demonstration that self policing has not worked. If Pegasus operators can reach a sitting EU parliamentary investigator, the assumption that elected office or institutional standing offers any protection does not hold up.
For journalists and activists with far less institutional protection than a former MEP, the lesson is blunter: zero click exploits like PWNYOURHOME require no mistake on the target's part to succeed. WhatsApp has separately caught NSO deploying a new Pegasus campaign and gone to court over it, and the same forensic patterns Citizen Lab used to catch Kouloglou's infections are the same tools used to expose spyware attacks on dissidents and activists elsewhere in Europe. There are concrete steps that reduce exposure even against zero click attacks: install iOS and Android security updates the day they ship rather than waiting, enable Apple's Lockdown Mode or Android's equivalent hardening if you work in journalism, politics, or activism, watch for official threat notifications from Apple or Google and treat them as credible rather than spam, and reboot your phone daily, since several zero click exploits, including Pegasus variants, do not survive a restart without a fresh delivery.