MEP Investigating Spyware Hacked by Pegasus While on Committee
A new report from **Citizen Lab** reveals that former Member of the European Parliament, **Stelios Kouloglou**, was repeatedly targeted with **Pegasus** spyware. The attacks occurred while he served on a committee investigating the abuse of commercial surveillance tools within the European Union, raising significant concerns about the integrity of such inquiries and the reach of sophisticated spyware.
Former Member of the European Parliament, **Stelios Kouloglou**, had his mobile device repeatedly compromised with the notorious **Pegasus** spyware, according to a recent report by the **Citizen Lab**. This revelation is particularly alarming as the attacks took place while Kouloglou was serving on a committee specifically tasked with investigating the misuse of commercial surveillance tools within the EU.
Forensic analysis of Kouloglou's device indicated that attackers could have accessed confidential documents and committee deliberations, as stated by **Citizen Lab** researchers **John Scott-Railton**, **Bill Marczak**, **Bahr Abdul Razzak**, **Kate Pundyk**, **Siena Anstis**, and **Ron Deibert**.

### Overlap with Prior Campaigns
While a specific government has not been attributed to the infections, and there's no direct evidence linking the Greek government, **Citizen Lab** noted an overlap between the initial infection and a previous campaign targeting Russian and Belarusian-speaking exiled journalists and activists in Europe. This suggests that a **Pegasus** customer with authorization to operate in multiple European countries is likely responsible.
Kouloglou was a member of the European Parliament's **"Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware" (PEGA Committee)** from March 24, 2022, to July 18, 2023. The **PEGA Committee** was established to probe alleged misuses of commercial spyware under EU law, focusing on the extent to which member states and other countries violate regional rights and freedoms through such tools.
### Infection Details and Exploits
Forensic analysis of Kouloglou's **iPhone** in May 2026 revealed compromises with **Pegasus** spyware on or around October 21, 2022, and again on March 6 and 7, 2023.
Researchers explained that on October 21, 2022, a lookup for a **HomeKit** email address (`[email protected]`) was observed. Two minutes later, a **Pegasus** process utilized mobile data. It is believed that a zero-click exploit in **Apple**'s smart home software, codenamed **PWNYOURHOME**, was used to deliver the spyware. **Apple** subsequently addressed this vulnerability in **iOS 16.3.1**.
The subsequent **Pegasus** activity in March 2023 is also thought to have leveraged the same exploit. At both times, Kouloglou's device was running **iOS 15.5**. Further analysis showed that Kouloglou received **Apple** threat notifications about being targeted with mercenary spyware on three occasions: March 2, 2023, August 29, 2023, and April 10, 2024.
### Suspicious Timing
Notably, the first compromise in October 2022 occurred when Kouloglou was hospitalized for elective surgery and was visited by Greek investigative journalist **Thanasis Koukakis**. Koukakis had previously had his own phone compromised with **Intellexa**'s **Predator** spyware and had testified before the **PEGA Committee** a month prior.
Similarly, the second infection in March 2023 coincided with intense discussions related to the final drafting process of the **PEGA Committee** report, followed by a series of hearings. This incident took place two months before the adoption of the first **PEGA Committee** report. This marks the first time a member of the **PEGA Committee** has been publicly identified as a **Pegasus** victim while serving on the committee.
### Broader Implications of Surveillance
The connection between Kouloglou's case and the campaign targeting Russian and Belarusian-speaking journalists and activists is based on the shared use of the email address `[email protected]`. **Citizen Lab** believes these emails are unique to specific operators, suggesting a single **Pegasus** customer with a license enabling infections across multiple EU jurisdictions.
These findings reignite concerns about governments' use of spyware, tools ostensibly designed for combating serious crimes like terrorism, being instead deployed against journalists, lawmakers, dissidents, and critics.
### Other Recent Surveillance Revelations
This development follows other recent **Citizen Lab** revelations. Days prior, they disclosed that Russian authorities used **Cellebrite**'s **UFED** forensic tools to access the **iPhone** of detained opposition activist **Andrey Pivovarov** in June 2021. This occurred three months after **Cellebrite** announced it would cease offering its tools and services to Russia and Belarus. Authorities searched Pivovarov's devices for key organizations and contacts, including **Mikhail Khodorkovsky** and **Anastasiya Burakova**.
Some of these individuals, including Burakova, were later targeted in a phishing campaign by the Russian hacking group **COLDRIVER**, suggesting that the use of **Cellebrite**'s tools might have facilitated reconnaissance for further targeting.
In April, **Citizen Lab** also uncovered two distinct, long-running spying campaigns exploiting weaknesses in global telecommunications infrastructure to track individuals' locations. These attacks do not require malware deployment, making them particularly stealthy. One campaign used malicious hidden SMS commands to turn devices into covert tracking beacons, while the other exploited weaknesses in **Signaling System No. 7 (SS7)** and **Diameter** signaling protocols to track whereabouts without device access.
These campaigns reportedly abused three specific telecom providers: **019Mobile**, **Airtel Jersey** (part of **Sure Group**), and **Tango Networks U.K.**. These providers acted as "surveillance entry and transit points" allowing threat actors to leverage private operator networks and conduct covert location tracking operations that can persist undetected for years.