The irony cuts deep in Brussels: a member of the European Parliament tasked with investigating the misuse of sophisticated Israeli spyware fell victim to that same technology while conducting his oversight work. Stelios Kouloglou, a journalist and former MEP, discovered his iPhone had been repeatedly compromised by NSO Group's Pegasus surveillance tool between 2022 and 2023, according to research published in July by the University of Toronto's Citizen Lab. The targeting represents a striking failure of institutional safeguards and raises uncomfortable questions about which government might have weaponised the surveillance technology against a European lawmaker.
Kouloglou's compromised device contained sensitive materials that paint a troubling picture of how much information attackers obtained. His communications included correspondence with Greece's former prime minister Alexis Tsipras, confidential medical records, and contact details for journalistic sources. The breadth of data accessible through his phone underscores why such breaches matter beyond the individual victim—they potentially compromise entire networks of political figures, healthcare providers, and media networks. For a journalist and politician simultaneously, the breach represented a fundamental violation of professional privilege and personal privacy.
The technical sophistication employed to compromise Kouloglou's device speaks to the capabilities now available to state actors. At least once, attackers deployed what security researchers call a "zero-click exploit," a method so advanced it requires no user interaction whatsoever. The target need not click a suspicious link or open a compromised attachment; the device simply becomes infected silently. Such techniques represent the cutting edge of offensive cyber capability and remain extraordinarily expensive to develop and deploy, suggesting only well-resourced intelligence agencies typically employ them. This technological reality narrows the field of potential suspects, even as the Citizen Lab report declines to name any specific government.
NSO Group, the Israeli firm that developed Pegasus, maintains that its spyware exists solely to combat terrorism and serious crime, sold exclusively to law enforcement and intelligence agencies with government approval. The company did not respond to requests for comment regarding the Kouloglou case. However, the gulf between NSO's stated purpose and actual deployment has become impossible to ignore. Investigations across the Middle East, North Africa, Europe, and Asia have repeatedly documented the technology being weaponised against journalists, human rights activists, and political dissidents—precisely the groups democratic governments should protect rather than surveil.
Kouloglou's membership in the PEGA Committee (European Parliament's special committee on foreign interference) positioned him at the centre of European efforts to understand and regulate surveillance technology proliferation. That committee's 2023 report concluded unambiguously that Pegasus and similar tools posed existential threats to democracy and fundamental rights, recommending stringent new controls on their export and domestic use within the European Union. The report's findings seemed to generate considerable concern among EU officials publicly, yet translating that concern into enforcement mechanisms has proven remarkably difficult.
The Citizen Lab investigation uncovered patterns suggesting a coordinated campaign targeting multiple victims. Beyond Kouloglou, the same attacking entity had also targeted a network of seven Russian and Belarusian-speaking independent journalists and opposition activists living in various European countries. This pattern suggests either a single state actor running a sustained espionage operation or, less likely, multiple actors employing the same NSO infrastructure. The clustering of targets—a European politician investigating surveillance combined with Russian and Belarusian opposition figures—hints at possible Kremlin involvement, though Citizen Lab stopped short of naming any culprit.
Kouloglou himself acknowledged the uncertainty surrounding his attackers, stating he would endeavour to identify the responsible party. This admission reflects the technological and political complexity of attribution in the cyber domain. Even advanced research organisations often cannot definitively prove which government operated specific attack infrastructure, particularly when multiple nations possess similar capabilities and when the targeted equipment has been compromised beyond reliable forensic analysis. The uncertainty leaves victims in a liminal space where they know they have been attacked but cannot publicly accuse or seek redress from any specific nation.
Historically, NSO spyware targeting European politicians has occurred sporadically but repeatedly. Four Catalan lawmakers fell victim to Pegasus attacks between 2019 and 2020, their compromise apparently linked to Spanish government concerns about Catalan independence movements. A French representative was targeted in 2023. Yet Kouloglou's case represents an unprecedented escalation: he was the first known member of the very committee investigating Pegasus to himself become a target. This progression suggests either contempt for European oversight mechanisms or miscalculation by whoever deployed the spyware.
John Scott-Railton, the senior Citizen Lab researcher who conducted the investigation, characterised the case as emblematic of European institutional failure. He argued the European Commission possessed both the authority and responsibility to implement stronger protections against spyware but had not done so. The irony he highlighted—that someone investigating Pegasus became infected by Pegasus—underscores how the continent's regulatory framework lags behind the technological reality of surveillance capabilities now routinely deployed against sitting lawmakers and journalists.
The European Commission's response, delivered through spokesperson Antoine Lomba, acknowledged the problem in measured language while offering limited concrete commitments. The commission stated it was "working to address the illegal use of spyware from various angles" and that any unauthorised access to citizen data "is unacceptable." Yet this formulation, emphasising that illegal spyware use violates EU law, sidesteps the more difficult question: when governments themselves authorise spyware deployment against journalists and political opponents within EU borders, what legal and diplomatic tools can Brussels deploy to stop them?
Sophie in 't Veld, the Dutch former MEP who served as rapporteur for the PEGA Committee, offered a more damning assessment. She characterised Kouloglou's targeting not as an isolated incident but as part of a systemic pattern of abuse that has operated with complete impunity for five years. No consequences have materialised for any government deploying spyware against journalists or opposition figures within Europe. She argued that the scandal lay not merely in the spyware attacks themselves but in the absolute absence of political will to enforce accountability, suggesting that without meaningful enforcement mechanisms, regulatory frameworks and parliamentary investigations amount to little more than theatrical gestures.
The broader implications extend beyond Europe and into Southeast Asia, where several nations have been linked to spyware purchases and deployments against journalists and opposition politicians. The Kouloglou case demonstrates how even sophisticated democratic institutions with investigative capacity and legal frameworks struggle to protect their own members from state-sponsored surveillance. For smaller democracies with fewer resources to counter sophisticated cyber threats, the message is troubling: if the European Parliament cannot secure the communications of its own oversight committee members, what protections can ordinary citizens expect?
The incident crystallises a fundamental tension in contemporary governance. Surveillance technologies developed ostensibly for counterterrorism purposes have become tools for silencing dissent and controlling information, yet the technical barrier to deployment remains so high that only governments and the wealthiest private actors can effectively utilise them. Until political and legal consequences attach to misuse, the technological capability will almost certainly continue to outpace democratic constraints.
