Citizen Lab says former European Parliament member Stelios Kouloglou was infected with NSO Group’s Pegasus spyware while serving on the committee created to investigate the use of Pegasus and similar surveillance tools in Europe.
The University of Toronto research group reported on July 3 that Kouloglou’s iPhone was compromised in October 2022 and again in March 2023, during periods when the Parliament’s PEGA committee was preparing hearings, missions, and written recommendations on spyware abuse. The finding is especially sensitive because Kouloglou was not just another political target. He was part of the body scrutinizing the same class of commercial spyware used against him.
Citizen Lab did not attribute the operation to a specific government. Its forensic analysis linked the activity to a Pegasus operator associated with earlier attacks against Russian and Belarusian journalists and civil society figures in Europe, but the report stops short of naming the customer behind the targeting. TechCrunch reported that NSO Group did not respond to a request for comment before publication.
Why the timing matters
The PEGA committee was established in March 2022 after a series of revelations about spyware use against journalists, activists, lawyers, business figures, and politicians. Kouloglou was appointed as a substitute member later that month. According to Citizen Lab’s timeline, the first Pegasus infection landed on October 21, 2022, while he was in the hospital and days before committee hearings on big tech, e-privacy, fundamental rights, democracy, and electoral processes.
The committee then traveled to Cyprus and Greece in early November 2022, with Kouloglou participating in interviews. In March 2023, Citizen Lab found additional infections as the committee moved toward finalizing its report. The Record noted that the committee released its recommendations in May 2023 and that some lawmakers have criticized the European Commission for not acting more aggressively on spyware reform.
That sequencing is the core of the story. A spyware operator did not merely compromise a retired official’s old phone. The intrusions happened while a parliamentary committee was handling politically sensitive information about spyware vendors, government customers, victims, possible reforms, and country-specific abuse allegations.
The technical lesson is not exotic
Pegasus is often discussed as if it belongs in a different category from ordinary security operations because it is expensive, targeted, and typically sold to governments. But the defensive lesson from this case is mundane: high-risk users still depend on patching, device telemetry, warning delivery, and a fast path from suspicion to forensic review.
Citizen Lab said the compromise used a zero-click exploit against Apple iPhone software. TechCrunch reported that the vulnerability had already been patched, but the fix was not installed on Kouloglou’s phone. That detail matters because zero-click attacks remove the usual user-training defense. The victim does not need to tap a malicious link, open an attachment, or approve a prompt. If the device is exposed and unpatched, the attack can happen silently.
The report also found that Kouloglou had received multiple Apple threat notifications in recent years but did not see them. Citizen Lab’s recommendation to technology companies is therefore not just “send warnings.” It is to make sure warnings reach the right person, explain the risk clearly, and trigger an understandable next step. A warning that never changes behavior is closer to a log entry than a protective control.
Parliaments need spyware response capacity
Citizen Lab’s recommendations are directed at institutions as much as individuals. The group urged the European Parliament to investigate spyware attacks targeting members and parliamentary processes, commission regular reporting on cyber and surveillance threats, and expand screening for members and staff. It also recommended that the European Commission screen commissioners and staff for mercenary spyware.
Those recommendations point to a broader operating model. A parliament, court, election authority, anti-corruption body, newsroom, or human-rights organization should treat spyware exposure as an institutional risk, not only as a personal device problem. The people most likely to be targeted often hold the least replaceable communications: witness outreach, source conversations, draft policy language, legal strategy, travel plans, and internal political negotiations.
For these groups, mobile security cannot be limited to issuing managed phones and hoping automatic updates do the rest. The minimum credible program now includes rapid OS updates, Lockdown Mode or comparable hardening for the highest-risk users, documented handling of Apple and Google threat notifications, periodic forensic screening, and a clear rule for when a device is taken out of service. It also means making sure staff know whom to contact without first proving the warning is “real.”
The policy fight is still unresolved
The Kouloglou case lands in the same unresolved space that has defined the spyware debate for years. Governments argue that tools such as Pegasus are needed for serious crime and national-security investigations. Researchers, journalists, and civil society groups keep documenting cases where the same market is used against political figures, reporters, dissidents, and people scrutinizing state power.
Europe has already seen spyware scandals tied to Greece, Hungary, Poland, Spain, and other jurisdictions. The new report adds a sharper institutional concern: if an investigator on a spyware-abuse committee can be infected during the inquiry itself, oversight bodies may be exposed at the exact moment when their communications are most valuable.
The practical implication is not that every public official faces the same risk as a spyware investigator. It is that high-risk democratic work now needs security processes that assume commercial spyware is available, quiet, and operationally patient. Screening and rapid response may not stop every exploit, but they can shorten the time between compromise and discovery. In spyware cases, that time gap is often where the damage happens.