Imagine spending your workdays investigating how brutal cyber weapons infiltrate the phones of activists, journalists, and politicians. You sit on a high-profile parliamentary committee, pore over technical documents, and draft rules to stop these digital violations. Then, you find out your own phone was hacked by the exact spyware you were investigating.
It sounds like a paranoid Hollywood plot. Instead, it is the exact reality for Stelios Kouloglou, a former Member of the European Parliament (MEP) from Greece.
A forensic report dropped by digital watchdog group Citizen Lab confirms that Kouloglou’s iPhone was compromised multiple times with NSO Group's notorious Pegasus spyware. The kicker? The hacks happened between October 2022 and March 2023. That was the precise window when he was serving on the European Parliament's PEGA Committee—a body explicitly set up to probe the rampant abuse of mercenary spyware across the European Union.
This isn’t just an embarrassing security blunder. It is a loud, flashing red light proving that commercial spyware makers and the governments that hire them feel completely untouchable.
The Ultimate Irony of the European Spyware Crisis
Kouloglou is a veteran investigative journalist who transitioned into politics, serving as an MEP from 2015 to 2024. When global reporting exposed how EU governments were buying military-grade malware to spy on their own citizens, the European Parliament panicked and launched the PEGA Committee in March 2022. Kouloglou joined the fight to draft strict legislative recommendations.
The hackers did not wait for the committee to finish its paperwork.
According to the Citizen Lab forensic breakdown, the first successful Pegasus infection hit Kouloglou's device on October 21, 2022. This date directly aligned with an intense surge of committee activity, right as lawmakers were hashing out their first major draft report.
The spyware struck again on March 6 and 7, 2023. During this second breach, Kouloglou was traveling between Athens and Brussels while the PEGA Committee engaged in frantic, sensitive negotiations over its final regulatory recommendations.
The strategic timing of these attacks tells you everything you need to know. The culprits weren't just randomly casting a net; they wanted real-time insight into the very laws designed to shut them down. By turning Kouloglou’s phone into a pocket spy, the attackers gained access to unreleased draft documents, confidential emails, internal political strategies, and private conversations with other investigators. The committee’s targets were effectively spying on the committee itself.
Who is Behind the Screen
Citizen Lab has not formally attributed the hack to a specific government client, noting there are no direct indicators tying this to the Greek administration. However, the forensic footprints reveal a fascinating, messy picture.
The researchers discovered that the attack on Kouloglou shares a distinct digital signature—including a specific, unique Apple ID email—with a series of Pegasus campaigns exposed in May 2024. Those campaigns targeted exiled Russian and Belarusian independent journalists and opposition figures living inside Europe.
Because NSO Group only sells its zero-click software to sovereign states and limits geographical licensing for most buyers, the pool of potential culprits is small. It points to a government entity operating with staggering cross-border access, completely unbothered by national boundaries or diplomatic norms.
What went missing from Kouloglou's device? The former MEP points out that his phone held 15 years of personal history. Photos, encrypted notes, and private text exchanges with prime ministers, political party leaders, and high-ranking journalists were instantly laid bare.
The technical execution relied on a zero-click exploit. You don't have to click a sketchy link or download an infected PDF anymore. Your phone just silently processes an invisible, malicious data packet, and your data belongs to someone else.
Apple did send out threat notifications to Kouloglou on three occasions, spanning from early 2023 to April 2024. But threat alerts are notoriously lagging, and Kouloglou stated he never saw them in time to mitigate the damage.
Why Regulatory Inaction is Destroying Democratic Oversight
The PEGA Committee wrapped up its work in May 2023, delivering a sweeping set of policy recommendations aimed at curbing commercial spyware within the EU bloc.
The response from the European Commission? Absolute silence. They essentially buried the proposals.
National governments continuously push back against spyware bans because their intelligence agencies and police forces love the technology. They hide behind the shield of "national security" to protect their access to intrusive tools.
But this excuse collapses under its own weight. When a foreign or domestic actor can take over the phone of an active lawmaker crafting European policy, national security isn't being protected—it's being completely eroded.
As John Scott-Railton, a senior researcher at Citizen Lab, bluntly observed after the data went public, the next chapter of this saga is entirely predictable. More politicians will be hacked. Right now, there are undoubtedly high-level officials walking into sensitive briefings with zero clue that their microphones are live-streaming to a foreign adversary.
Commercial spyware turns the fundamental concept of democratic oversight into a joke. If lawmakers cannot investigate corporate and state overreach without having their entire private lives vacuumed up by attackers, real oversight ceases to exist.
How to Protect Your Own Device From Zero-Click Threat Models
Most everyday users aren't going to be targeted by a million-dollar state-backed operation like Pegasus. But if you are an investigative journalist, a political organizer, an attorney handling sensitive human rights cases, or an executive with corporate secrets, you need to treat your commercial phone as hostile territory.
Relying on standard antivirus apps won't save you from zero-click exploits. You need aggressive, proactive operational security habits to limit the attack surface.
- Activate Apple Lockdown Mode: If you run an iOS device and operate in a high-risk environment, turn this on immediately. It strips out complex web technologies, blocks most message attachments, and shuts down the specific pathways zero-clicks use to compromise iPhones.
- Force Daily Reboots: Pegasus and similar mercenary malware often live in the device's volatile memory (RAM) to avoid detection by persistent storage scanners. Powering down your device completely every single day can flush out a memory-resident infection, forcing the attacker to burn another expensive exploit to get back in.
- Decouple Your Communications: Stop keeping 15 years of institutional memory on a single mobile device. Archive old messages, delete expired data, and move highly sensitive discussions off commercial cellular networks entirely. Use dedicated, single-purpose hardware for high-risk communications.
Kouloglou has announced plans to sue NSO Group. While court battles might offer a sliver of accountability, the fundamental market for unregulated commercial espionage continues to thrive. Until international bodies enforce real economic penalties on the states that buy these tools, the people making the rules will continue to be the targets.