Citizen Lab says Pegasus hacked an EU lawmaker investigating Pegasus

Stelios Kouloglou's iPhone was infected in 2022 and 2023 while he sat on the European Parliament's spyware inquiry committee.

By · Published

Why it matters

Citizen Lab's report puts NSO Group's core defense under pressure: Pegasus is sold as a controlled government tool, but it allegedly reached a lawmaker overseeing spyware abuse inside the European Parliament.

Citizen Lab says Pegasus hacked an EU lawmaker investigating Pegasus — Stelios Kouloglou's iPhone was infected in 2022 and 2023 while he sat on the European Parliament's spyware inquiry committee.

Citizen Lab said Friday that Stelios Kouloglou, a Greek investigative journalist and former Member of the European Parliament, was repeatedly hacked with NSO Group's Pegasus spyware while he sat on the European Parliament committee created to investigate Pegasus and similar surveillance tools.

The finding turns a years-old infection into a current institutional problem for Brussels. Citizen Lab said its May 2026 forensic analysis of artifacts from Kouloglou's iPhone found with high confidence that the device was successfully infected on or around October 21, 2022, and again on March 6 and March 7, 2023. Those dates fall inside Kouloglou's March 24, 2022 to July 18, 2023 tenure as a substitute member of the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware, known as PEGA.

Kouloglou is not a random victim in the spyware record. Citizen Lab describes him as a former MEP and a journalist who reported for Greek radio and television from Paris, Moscow and Yugoslavia before founding Television Without Borders, or TVXS, in 2008. He was elected to the European Parliament in 2015 on Syriza's list, won another term in 2019, continued to write and report while serving as an MEP, and left Parliament in July 2024.

The committee he joined was formed after the Pegasus Project and other reporting showed that spyware sold for government use had been turned against journalists, activists, politicians and other civil society targets. The European Parliament launched the inquiry in April 2022 after voting in March to examine whether Pegasus and other spyware had breached EU law and fundamental rights.

Citizen Lab said the infections likely exposed non-public committee material. The report says Pegasus could have captured confidential documents, messages and deliberations among PEGA members and staff, including material tied to the committee's draft report and country visits. That is the core problem: a commercial spyware operator appears to have gained access to a lawmaker's phone while that lawmaker was helping examine the commercial spyware market.

The first known infection, on October 21, 2022, came during a heavy period for the committee. Citizen Lab said the committee was preparing hearings on Big Tech and spyware, spyware and e-privacy, and spyware and fundamental rights. Drafts of the committee's first report were circulating among members and staff, and PEGA members were preparing visits to Greece and Cyprus scheduled for November 1 to November 4, 2022. Kouloglou told Citizen Lab that the period involved intense exchanges over texts and email.

Citizen Lab said the October infection used PWNYOURHOME, a zero-click exploit chain involving HomeKit and MessagesBlastDoorService. The forensic trail included a lookup for the HomeKit email address rauharepo888[@]gmail.com at 10:16 on October 21, followed two minutes later by mobile data use by a Pegasus process. Citizen Lab said Apple's later HomeKit change in iOS 16.3.1 mitigated one part of that exploit path, while Apple likely fixed the MessagesBlastDoorService issue earlier, around iOS 16.1.

The same day, Kouloglou was in a Greek hospital for elective surgery. Greek investigative journalist Thanasis Koukakis, who had himself been confirmed by Citizen Lab in 2022 as a Predator spyware target and had testified to PEGA, visited him in the hospital room. Citizen Lab said the timing means the infection could have exposed medical information or conversations in the room, in addition to political communications.

The second infection window, March 6 and March 7, 2023, overlapped with PEGA's final drafting process. Kouloglou traveled from Athens to Brussels during that period. Citizen Lab said the device showed Pegasus activity from the morning of March 6 until the morning of March 7, and that both the 2022 and 2023 infection dates occurred while the phone was running iOS 15.5.

Citizen Lab also found that Kouloglou received Apple mercenary-spyware threat notifications on March 2, 2023, August 29, 2023, and April 10, 2024. The lab noted that Apple's warnings are often sent in batches months after targeting rather than in real time. Kouloglou told the researchers he did not recall receiving the notifications they observed.

Attribution remains the sharpest unanswered question. Citizen Lab said it was not attributing the infections to a specific government and found no indication that the Greek government was responsible. The lab said Greece is known to have abused Intellexa's Predator spyware, but it is not aware of technical indicators showing that Greek security or intelligence services had access to NSO Group's Pegasus.

The stronger lead is elsewhere. Citizen Lab said the October 2022 infection overlapped with a prior Pegasus campaign it had identified against Russian and Belarusian-speaking exiled journalists and activists in Europe. The same HomeKit email address, rauharepo888[@]gmail.com, appeared in both cases. Citizen Lab said it understands those emails to be unique to specific Pegasus operators, though it could not say whether the March 2023 infection was tied to the same operator.

The geography narrows the picture without naming the customer. Citizen Lab said infections appeared to have been present on Kouloglou's phone in Greece and Belgium. Based on its understanding of NSO licensing, the lab said that would likely indicate a customer with authorization to infect devices in multiple EU jurisdictions.

The report also places Kouloglou in a broader pattern of European parliamentary targeting. Citizen Lab said this is the first time a member of the PEGA Committee has been publicly identified as a Pegasus victim while serving on the committee. Other MEPs have been publicly tied to Pegasus or comparable spyware cases, including Catalan MEPs whose devices or close contacts were targeted before PEGA's creation, and later cases involving lawmakers outside the committee.

NSO Group, the Israeli company behind Pegasus, is part of the commercial spyware industry that PEGA was created to examine. TechCrunch reported in 2025 that NSO was originally founded by Niv Karmi, Shalev Hulio and Omri Lavie, and that Francisco Partners acquired the spyware maker in 2014. The company has long argued that Pegasus is sold for lawful government use against serious crime and terrorism, a claim repeated in coverage of this case by Al Jazeera, which also reported that NSO has previously said it vets buyers and terminates customers found to have abused its software.

That defense has not stopped governments and courts from treating NSO as a risk. The U.S. Commerce Department added NSO Group and Candiru to the Entity List in November 2021, saying the companies developed and supplied spyware to foreign governments that used it to maliciously target officials, journalists, activists, academics and others. Al Jazeera also reported that a U.S. judge last year barred NSO from targeting WhatsApp.

Citizen Lab's recommendations are aimed at institutions rather than the spyware vendor. The lab urged the European Parliament to investigate spyware attacks against MEPs and parliamentary processes, increase screening rates through its Directorate-General for Information Technologies and Cybersecurity, and preserve devices that may still contain forensic traces. It also urged the European Commission and other parliamentary bodies to screen commissioners, staff and lawmakers for spyware.

The timing matters. The infections happened in 2022 and 2023, during PEGA's work, but Citizen Lab's public report landed on July 3, 2026, after Kouloglou himself contacted the lab in May 2026. The delay makes the breach harder to scope. Citizen Lab said there is no way to know whether other committee members or staff were similarly infected without comprehensive screening.

For the spyware industry, the Kouloglou case is a business-model problem disguised as a forensic finding. Pegasus depends on government clients, export permissions and a promise of controlled deployment. Citizen Lab's report describes the opposite outcome: spyware allegedly built for lawful security work was found on the phone of a lawmaker investigating whether that same market had escaped democratic control.

Reader comments

Conversation for this story loads after sign-in.