Mon 06 Jul 2026 / 14:13 ET
Kernel
Security 3 min read

Pegasus found on phone of EU lawmaker investigating spyware abuse

Citizen Lab says Stelios Kouloglou was hacked twice while serving on the European Parliament committee examining commercial spyware.

Dana Voss

By Dana Voss / Security Correspondent

Pegasus found on phone of EU lawmaker investigating spyware abuse
img: The Record

Stelios Kouloglou, a former member of the European Parliament who helped investigate commercial spyware, had his own phone infected with Pegasus during that work, according to a report released Friday by Citizen Lab.

The University of Toronto research group said forensic analysis showed Pegasus infections on Kouloglou’s device in October 2022 and March 2023. At the time, Kouloglou was serving on the European Parliament’s PEGA Committee, which was examining the misuse of spyware and preparing recommendations meant to curb abuse across Europe.

Pegasus, made by NSO Group, is a zero-click surveillance tool, meaning a target does not have to tap a malicious link or open a booby-trapped attachment for the compromise to work. Once installed, spyware of this class can give an operator access to highly sensitive phone data. NSO Group did not respond to a request for comment, according to Recorded Future News.

Kouloglou, who represented Greece in the European Parliament from 2015 to 2024 and previously worked as an investigative journalist, told Recorded Future News that he believes the Greek government was behind the hacking. Citizen Lab said it has no evidence supporting that allegation.

Greece has been at the center of a separate spyware scandal, though those cases involved technology from Intellexa rather than NSO Group’s Pegasus, according to the reporting. Kouloglou said he plans to sue NSO Group.

Citizen Lab links the case to other Pegasus attacks

Citizen Lab said it believes the same Pegasus customer was responsible for both attacks on Kouloglou and a set of infections it disclosed in May 2024 involving seven Russian and Belarusian-speaking journalists and opposition figures. Those attacks took place between August 2020 and January 2023, according to the lab.

The report said the same email address used in the Kouloglou operation also appeared in the Russian and Belarusian cases during the same period. Citizen Lab said targeting emails are specific to operators, which led the researchers to assess that the same government customer was almost certainly behind both clusters of attacks.

The lab also said only some Pegasus customers are licensed to conduct operations across multiple countries, a detail that narrows the list of possible operators but does not publicly identify one.

Kouloglou brought his phone to Citizen Lab for analysis in May 2026. Researchers including John Scott-Railton found signs that Apple had sent Kouloglou three threat notifications about possible spyware in recent years, though Kouloglou told them he had not seen the alerts, according to the report.

Hack landed during sensitive committee work

The timing matters. Citizen Lab said the first infection occurred less than a week before a series of PEGA Committee hearings and as members were preparing a draft report. The second attack came while committee members were discussing the final version of their recommendations.

The committee released those recommendations in May 2023. Scott-Railton and other politicians and experts have criticized the European Commission for doing little with them.

Hannah Neumann, a German Green Party member of the European Parliament and the PEGA Committee’s negotiator, told Recorded Future News that the attack showed contempt for lawmakers’ oversight role. She said the responsible country “spied on a member of the European Parliament while that member was investigating spyware abuse.”

Neumann argued that the Commission has failed to act because national governments still prize spyware for intelligence and law enforcement. She said the claim that spyware improves security is false, because it instead weakens it.

Kouloglou described the contents of the phone as broad and sensitive, including years of photos and messages with prime ministers, political leaders, lawmakers and journalists. For a committee investigating spyware abuse, that is about as clean a demonstration of the problem as the industry could have provided.

This story draws on original reporting from The Record.

More Security/

view all ↗