Summary
- Citizen Lab says former MEP Stelios Kouloglou was infected with Pegasus while serving on the European Parliament’s PEGA spyware committee.
- The researchers do not attribute the operation to a specific government and say they found no indication that Greece was responsible.
- The case puts parliamentary confidentiality, democratic oversight, and spyware accountability back into Europe’s operational security debate.
Citizen Lab says a former Member of the European Parliament was repeatedly hacked with NSO Group’s Pegasus spyware while serving on the committee created to investigate spyware abuse across Europe.
The Canadian research group said forensic analysis of former Greek MEP Stelios Kouloglou’s iPhone showed successful Pegasus infections on or around 21 October 2022, and again on 6 and 7 March 2023. At the time, Kouloglou was a substitute member of the European Parliament’s PEGA committee, which examined the use of Pegasus and equivalent surveillance spyware in contravention of EU law.
The compromise creates a direct institutional concern for Brussels because Citizen Lab said the attacker could have accessed confidential documents, committee deliberations, messages, emails, and other non-public material linked to the inquiry. The first known infection date fell during preparation for the committee’s first draft report and before planned country visits to Greece and Cyprus. The March 2023 infections came during final drafting work before the committee report was adopted.
Citizen Lab does not attribute the operation to a particular government or NSO customer. The researchers said they found no indication that the Greek government was responsible, while noting overlap with a previously identified Pegasus campaign that targeted Russian and Belarusian-speaking exiled journalists and activists in Europe. That distinction should hold in any coverage. The established facts show spyware reaching a lawmaker involved in oversight of the spyware market; they do not establish who ordered the targeting.
The PEGA committee was created after earlier research and reporting exposed spyware use against journalists, politicians, activists, and civil society figures. Its work examined whether member states had deployed commercial surveillance tools outside legal boundaries, and whether EU law provided sufficient safeguards. A committee member being compromised while that work was underway points to a gap between parliamentary scrutiny and the practical security of the people carrying it out.
Pegasus-class spyware can give an operator access to messages, documents, calls, photos, location data, and microphones. When used against elected officials, parliamentary staff, lawyers, journalists, or witnesses, the exposure reaches into privilege, source protection, medical confidentiality, democratic oversight, and the integrity of investigatory work. Kouloglou was in hospital on the date of the first infection, creating a separate risk around health-related information and in-room conversations.
European institutions have treated spyware as a rule of law and fundamental rights issue, but the Kouloglou case gives the debate an operational security dimension. Oversight committees, national parliaments, regulators, courts, and cross-border investigations depend on trusted communications. If those communications are vulnerable to commercial spyware operators, institutional accountability can be weakened before it produces any legal or political result.
The response cannot rest on general device hygiene. High-risk public officials need repeatable device inspection, fast notification routes, secure meeting practices, compartmentalised communications, and clear escalation when spyware indicators are found. Institutions also need policies for preserving evidence, protecting contacts, and assessing whether sensitive proceedings were compromised.
The unresolved issue is who operated or ordered the infection. Until that is known, the case remains partly technical and partly constitutional. A spyware inquiry appears to have been placed under surveillance, and the unanswered attribution point does not reduce the institutional exposure.





