A Greek politician working to regulate controversial surveillance technology discovered that his own mobile phone had fallen victim to the very spyware he was investigating. Stelios Kouloglou, a journalist and former member of the European Parliament, had his iPhone compromised by Pegasus—sophisticated spyware developed by Israeli firm NSO Group—on at least two separate occasions during 2022 and 2023, according to research released on July 3 by the University of Toronto's digital watchdog Citizen Lab.
The timing of the intrusions underscores an uncomfortable irony for European policymakers. Kouloglou was actively serving on the European Parliament's PEGA Committee, a body specifically created to scrutinise the commercial sale and deployment of Pegasus and similar surveillance tools by governments across the continent. The committee's 2023 report had concluded that such technologies posed a fundamental "threat to democracy and fundamental rights," and recommended stricter controls on how governments could purchase and deploy these systems within the European Union. Yet while Kouloglou participated in this oversight work, his personal communications remained vulnerable to precisely the technology his committee sought to constrain.
The nature of the compromise reveals the technical sophistication deployed against the politician. In at least one instance, Citizen Lab found evidence that attackers used a zero-click exploit to penetrate Kouloglou's device. Unlike conventional hacking methods that trick users into clicking malicious links, zero-click techniques silently compromise phones without any user interaction whatsoever. Such methods represent the cutting edge of mobile device exploitation and typically require significant technical expertise and financial resources to deploy.
Kouloglou's compromised phone contained highly sensitive material. The device held confidential communications with Alexis Tsipras, Greece's former prime minister, alongside private medical information and contact details for journalistic sources. The breadth of personal data accessible to attackers through the hack raises serious questions about the vulnerability of political figures and journalists across Europe, particularly those engaged in oversight of government surveillance capabilities. Kouloglou acknowledged uncertainty about which government might have targeted him, stating only that he would "do my best to find out who is responsible."
Citizen Lab's investigation, while unable to conclusively identify the responsible state actor, uncovered a disturbing pattern. The same entity that hacked Kouloglou also targeted a network of seven independent journalists and opposition activists from Russia and Belarus who operate from European locations. The coordinated nature of these attacks suggests a systematic campaign rather than opportunistic targeting, raising the possibility that specific state actors sought to monitor both European oversight activities and independent voices critical of their governments.
Kouloglou's case marks a significant escalation in a broader pattern of Pegasus abuse across Europe. While four Catalan legislators fell victim to the spyware between 2019 and 2020, and a French parliamentarian was targeted in 2023, Kouloglou represents the first confirmed instance of a sitting PEGA Committee member being compromised. The targeting of someone actively investigating the tool's misuse amplifies concerns that oversight mechanisms lack adequate protection and enforcement capacity.
NSO Group maintains that Pegasus is exclusively licensed to governments and law enforcement agencies for combating terrorism and serious criminal activity. The company claims it implements strict controls over which state actors receive access and how the technology may be deployed. Yet repeated documented cases of the spyware being used against journalists, civil rights activists, and political opposition figures contradict these assurances. NSO declined to comment on Kouloglou's situation, maintaining silence even as evidence mounts of systematic abuse of its tools.
John Scott-Railton, a senior researcher with Citizen Lab, characterised the incident as emblematic of Europe's failure to address a deepening crisis. "This case is the ultimate irony of Europe's spyware crisis," he observed, highlighting that someone tasked with investigating Pegasus became infected by it, yet the European Commission has largely ignored the committee's recommendations. Scott-Railton's assessment points to a troubling disconnect between investigative findings and policy action at the highest levels of EU governance.
The European Commission, which oversees EU-wide legislation and enforcement, has offered only vague commitments. A commission spokesperson stated that the body is "working to address the illegal use of spyware from various angles of EU law," emphasising that data breaches targeting citizens, journalists, or political opponents are "unacceptable." However, this rhetorical position has not translated into concrete enforcement mechanisms or new legislative frameworks with meaningful teeth.
Sophie in 't Veld, a Dutch former MEP who served as rapporteur for the PEGA Committee, characterised the situation more bluntly. She rejected the notion that Kouloglou's targeting represents an isolated incident, instead viewing it as symptomatic of a broader pattern she described as "part of a system." According to in 't Veld, five years of documented spyware abuse have proceeded without meaningful consequences, with state actors operating under conditions of "complete impunity." The absence of enforcement action, she contended, signals to governments across Europe that deploying sophisticated surveillance tools against opposition figures and civil society faces no serious penalty.
For Southeast Asian observers, Kouloglou's experience carries uncomfortable implications. The region has witnessed growing adoption of surveillance technologies, and the Pegasus case demonstrates that even robust parliamentary oversight mechanisms prove insufficient to prevent abuse when enforcement capacity remains weak. The European experience suggests that legislation alone provides limited protection without accompanying investigation, enforcement, and willingness to impose genuine consequences on governments that abuse surveillance capabilities against political opponents and journalists.
