
Security researchers have confirmed that a Greek journalist and former European politician had his phone hacked with Pegasus spyware while he was actively sitting on a committee investigating abuses of that exact surveillance tool. The case has reignited serious concerns about how governments use powerful spying software against the very people trying to hold them accountable.
According to TechCrunch, researchers at the University of Toronto’s Citizen Lab confirmed that Stelios Kouloglou, a Greek journalist and former member of the European Parliament, had his phone compromised during 2022 and 2023. Kouloglou was serving on the PEGA committee at the time, a body specifically set up by the European Parliament to investigate phone spyware attacks carried out by European governments. He is the first PEGA member to be publicly identified as a spyware victim.
Kouloglou told TechCrunch by phone that the hacking of his device was “reckless.” One sitting European lawmaker called it a “direct attack on the rule of law” and urged the European Commission to impose strict limits on spyware use across the 27-member bloc. The European Commission did not respond to a request for comment, and NSO Group, the Israeli company behind Pegasus, also declined to comment before publication.
Citizen Lab’s report says Kouloglou was hacked at least three times. The first breach happened in October 2022, and he was hacked at least twice more in March 2023. Each time, attackers used a “zero-click” exploit targeting a vulnerability in Apple’s iPhone software. A zero-click attack requires no interaction from the target at all. The victim does not tap a link or open a file. The spyware just gets in.
The vulnerability exploited a flaw in Apple’s smart home software built into iPhones. Once inside, the spyware could silently pull data from Kouloglou’s phone, including:
- Text messages and private correspondence
- Location data
Photos and personal files
The October 2022 hack is particularly striking in its timing. It coincided with intense email and text discussions among committee members in October and November of that year, ahead of the delivery of a first draft report focusing on spyware abuses in Cyprus, Greece, Hungary, Poland, and Spain. It also happened while Kouloglou was in the hospital for a pre-scheduled surgery, which may have given attackers a window to capture ambient audio from conversations with visitors or medical staff.
The March 2023 hacks happened on the 6th and 7th of that month, while Kouloglou was traveling from Athens to Brussels during a period of committee hearings. That was several months before the committee finalized and adopted its written report.
Citizen Lab did not name a specific country as responsible for the attack. But researchers noted that the government customer behind the hack used the same Pegasus-linked email address previously seen in an earlier campaign that targeted journalists across Europe. The reuse of that address suggests the customer had authorization from NSO Group to deploy Pegasus across multiple countries on the continent.
When Kouloglou learned his phone had been compromised, his reaction was one of anger. “You realize that all of your personal data [was taken] — not all the professional exchanges or messages with ministers — but also the very private things, like the happy moments and the sad moments,” he told TechCrunch. He said he believes he was targeted because of his work on the PEGA committee, though he does not know for certain who ordered the hack.
Kouloglou has said he plans to sue NSO Group. He added that he is going public with his story “for democracy, human rights, and the fight against corruption.”
This case lands at an interesting moment for NSO Group. The company remains largely banned from working with the US government following a Biden-era executive order that prohibited the use of spyware capable of violating human rights. Last year, an unnamed American investment group poured tens of millions of dollars into NSO, widely seen as an attempt to repair the company’s damaged reputation.
Spyware attacks on elected officials are rare, but not unheard of. What makes this case stand out is the directness of the irony. A committee created to investigate Pegasus was itself penetrated by Pegasus. The timing of the hacks, aligned closely with key moments in the committee’s work, points to an effort to monitor or disrupt that investigation from the inside. It is a reminder that the tools governments use to surveil criminals can just as easily be turned on journalists, lawmakers, and critics with few meaningful guardrails in place.