A significant revelation from security researchers confirms that a European politician, actively serving on a parliamentary committee investigating the widespread misuse of surveillance technology, had his personal mobile phone compromised by the notorious Pegasus spyware. This alarming development, identified by The Citizen Lab at the University of Toronto, spotlights a critical vulnerability in democratic oversight and reignites intense debate over the clandestine use of powerful digital tools against those tasked with upholding human rights and the rule of law. The victim, Greek journalist and former politician Stelios Kouloglou, was subjected to surveillance by the sophisticated spyware throughout 2022 and 2023, marking an unprecedented instance where a member of the European Parliament’s PEGA committee has been publicly exposed as a target.
The Shadowy World of Pegasus Spyware
To fully grasp the gravity of this incident, it is essential to understand the nature of Pegasus spyware and its creator, NSO Group. Pegasus is a highly advanced, covert surveillance tool developed by the Israeli cyber-arms company. It is designed to be installed remotely and secretly on mobile phones running iOS and Android, turning the device into a comprehensive spying tool. Once active, Pegasus can extract virtually all data from a phone, including text messages, call logs, contacts, photos, videos, and browsing history. Critically, it can also activate the phone’s microphone and camera to record conversations and surroundings, track the user’s location, and access encrypted communications from apps like WhatsApp and Signal.
NSO Group has consistently maintained that its technology is sold exclusively to vetted government clients for the sole purpose of combating terrorism and serious crime. However, a deluge of investigations and reports over the past several years has painted a different picture, revealing widespread abuse. Journalists, human rights activists, lawyers, political dissidents, and even heads of state have been identified as targets globally, raising profound ethical and legal questions about the unchecked proliferation of such potent surveillance capabilities. The company’s business model, based on providing powerful hacking tools to state actors, exists in a legal and ethical grey zone, often operating with minimal transparency or accountability.
Europe’s Struggle with Digital Surveillance
The continent of Europe, often seen as a bastion of privacy rights with its robust General Data Protection Regulation (GDPR), has found itself surprisingly susceptible to the widespread deployment of Pegasus and similar spyware. Revelations concerning the use of these tools against citizens within the European Union have triggered a series of political crises and investigations.
A pivotal moment arrived in 2021 with the "Pegasus Project," a collaborative investigation by Amnesty International and Forbidden Stories, which exposed a massive, global network of potential Pegasus targets. This project brought to light hundreds of phone numbers believed to have been selected for surveillance by NSO clients worldwide, including a significant number within the EU. Cases emerged from countries like Hungary, where journalists and opposition figures were targeted; Spain, where Catalan independence leaders and politicians had their phones compromised; and Poland, where the spyware was reportedly used against opposition politicians during election campaigns. Greece itself has been embroiled in a scandal, known as "Predatorgate," involving the use of another sophisticated spyware, Predator, against journalists and political opponents.
In response to these alarming disclosures, the European Parliament established the PEGA committee — officially the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware. Formed in March 2022, its mandate was clear: to investigate alleged breaches of EU law in connection with the use of Pegasus and similar spyware by member states, and to propose recommendations for regulatory or legislative action to protect fundamental rights and democracy. Kouloglou’s role on this committee placed him at the heart of efforts to uncover and address these abuses, making his targeting particularly audacious and provocative.
Targeting the Investigator: Stelios Kouloglou’s Ordeal
The confirmed hacking of Stelios Kouloglou’s phone between 2022 and 2023 represents a direct challenge to the integrity of democratic institutions and the very process of oversight. Citizen Lab, a leading authority in identifying and analyzing state-sponsored digital threats, meticulously documented the attacks. Their findings indicate Kouloglou’s device was first compromised in October 2022 and then again on at least two occasions in March 2023.
These attacks exploited a "zero-click" vulnerability in Apple’s iPhone software, specifically an unpatched flaw related to the smart home feature. A zero-click exploit is particularly insidious because it requires no interaction from the target – no suspicious link clicked, no malicious attachment opened. The spyware can infiltrate the device silently, without any discernible user action, making detection exceedingly difficult. Once installed, Pegasus could exfiltrate all private data, including text messages, correspondence, location data, and photographs. Moreover, the timing of one of the hacks, coinciding with Kouloglou’s hospitalization for a pre-scheduled surgery, raises the chilling possibility that the operators were able to activate his phone’s microphone, potentially listening in on sensitive conversations about his healthcare or private discussions with visitors.
The timing of the initial October 2022 hack aligns precisely with a period of intense committee activity, specifically ahead of the delivery of a preliminary draft report detailing spyware abuses in several EU member states, including Cyprus, Greece, Hungary, Poland, and Spain. The subsequent hacks in March 2023 occurred as Kouloglou traveled from Athens to Brussels for further committee hearings, just months before the committee finalized its critical written report. This strategic timing strongly suggests that the perpetrators sought to gain insight into the committee’s internal deliberations, potential findings, and the individuals involved, indicating an attempt to preemptively counter or influence its work.
Kouloglou himself described the deliberate compromise of his device as "reckless." He conveyed profound anger upon learning of the intrusion, emphasizing the violation of his deepest privacy. "You realize that all of your personal data [was taken] — not all the professional exchanges or messages with ministers — but also the very private things, like the happy moments and the sad moments," he said, highlighting the profound personal toll of such pervasive surveillance. While Citizen Lab refrained from attributing the attack to a specific country, they noted that the government customer responsible used the same Pegasus-loaded email address previously linked to campaigns targeting journalists across Europe. This detail suggests a coordinated, cross-border surveillance operation authorized by an NSO Group client with broad operational reach.
A Direct Assault on Democratic Oversight
The targeting of a parliamentarian actively investigating spyware abuses represents a brazen assault on the principles of democratic oversight and the rule of law. As one serving European lawmaker observed, this incident constitutes a "direct attack on the rule of law." It undermines the very foundations of accountability by attempting to compromise the individuals and processes designed to hold power in check. If those tasked with scrutinizing government actions can themselves be subjected to state-sponsored surveillance, a chilling effect on legitimate inquiry and dissent becomes inevitable.
This incident is not merely an individual privacy violation; it’s an attack on the institutional integrity of the European Parliament. It sends a dangerous message that critical oversight functions are not immune to clandestine interference, potentially eroding public trust in democratic institutions and their ability to protect citizens from government overreach. The incident highlights a fundamental tension: governments claim such tools are indispensable for national security, yet their demonstrated misuse against political opponents, journalists, and even their own overseers suggests a disturbing drift towards authoritarian surveillance practices.
The Broader Ripple Effect: Society, Privacy, and Trust
The implications of this incident extend far beyond the immediate political sphere. On a societal level, the pervasive threat of sophisticated digital surveillance chips away at the bedrock of individual privacy, a fundamental human right. When citizens, journalists, and even elected representatives fear that their most private communications and personal data can be intercepted without their knowledge, it fosters an environment of self-censorship and distrust. This "chilling effect" can stifle investigative journalism, discourage whistleblowing, and ultimately undermine the free flow of information essential for a healthy democracy.
Culturally, the normalization of such surveillance risks a desensitization to digital privacy. As technology advances, the line between legitimate security measures and intrusive snooping becomes increasingly blurred, making it harder for the public to discern and resist state-sponsored intrusions. The market for surveillance technology, often referred to as a "grey market," operates with limited transparency, allowing powerful tools to fall into the hands of actors willing to abuse them. NSO Group’s attempts to rehabilitate its image, including securing tens of millions of dollars from an unnamed American investment group, underscore the lucrative nature of this industry despite its controversial reputation and legal challenges, such as the US government’s ban on federal agencies using NSO products.
Regulatory Labyrinth and Calls for Action
The European Union faces a complex regulatory challenge in addressing the pervasive threat of spyware. While GDPR provides a strong framework for data protection, the covert nature of Pegasus attacks and the involvement of state actors complicate enforcement. The cross-border nature of these operations, as implied by Citizen Lab’s findings of a single Pegasus customer targeting multiple European countries, demands a coordinated, bloc-wide response.
Calls for stricter limits on spyware use within the 27-member-state bloc are growing louder. Lawmakers and civil society groups are urging the European Commission to take concrete action, potentially through new legislation that imposes stringent conditions on the sale, export, and deployment of surveillance technologies. However, achieving consensus among member states, many of which are keen to maintain their national security prerogatives, remains a significant hurdle. The debate often pits national sovereignty and security interests against fundamental rights and EU-level oversight.
The Path Forward: Securing Democracy in the Digital Age
Stelios Kouloglou, undeterred by the personal invasion, has announced his intention to sue NSO Group, declaring his resolve to go public "for democracy, human rights, and the fight against corruption." His statement, "Corruption concerns everybody," encapsulates the broader struggle against unaccountable power in the digital age.
This incident serves as a stark reminder that the battle for privacy and democratic integrity is increasingly fought in the digital realm. The sophistication of tools like Pegasus demands an equally sophisticated and robust defense, not just in terms of technical countermeasures but also through strengthened legal frameworks, enhanced accountability mechanisms, and unwavering political will. As the European Parliament continues its inquiry, the world watches to see if this direct challenge to democratic oversight will catalyze decisive action, ensuring that those who investigate abuses are not themselves silenced by the very tools they seek to expose. The future of digital rights and democratic governance in Europe, and indeed globally, hinges on effectively reining in the shadow industry of state-sponsored surveillance.





