Skip to main content
LATEST Why This Family Rift Over a Baby Girl Went Too Far What It Means When an Indian Startup Is Finally Ready to Launch The Real Risk in AI Is Bad Governance, Not Hype Pegasus Spyware Lands on an EU Politician’s Phone How Developers Are Experimenting With LLMs Beyond Simple Code Completion
Tech

Pegasus Spyware Lands on an EU Politician’s Phone

Rare Ivy
Rare Ivy Staff Writer ·
11 min read
Pegasus Spyware Lands on an EU Politician’s Phone

The investigator who became the target

There’s a certain brutal elegance to the story: while Stelios Kouloglou was serving on the European Parliament’s committee looking into Pegasus and other spyware abuses, his own iPhone appears to have been hit by Pegasus too. That’s not a cybercrime footnote. It’s the kind of detail that makes the whole affair feel less like a technical mess and more like a power and politics scandal with a very bad sense of humor.

In 2022, Kouloglou was deep in the committee’s work. He was meeting people who said they had been surveilled, comparing notes on high-profile cases, and trying to piece together how commercial spyware had spread through European public life without anybody seeming able to put a firm lid on it. The committee’s mandate was already messy enough. It had to sort through allegations involving journalists, opposition figures, and state-linked operators across several countries. Then, sometime in the middle of that work, his own phone was compromised.

When the people investigating abuse end up inside the same file, the problem is no longer theoretical.

That detail lands especially hard because Kouloglou wasn’t a random backbench MEP dabbling in tech news for a week and moving on. He had spent years as an investigative journalist before entering the European Parliament in the mid-2010s, where he served until 2024. He knew how to ask awkward questions and, just as important, how power tends to answer them. Not always with a clean denial. Sometimes with a hidden tap on your device.

He later described the discovery as shocking and infuriating, which seems like a restrained reaction, honestly. If you spend months listening to alleged victims describe how spyware tears through private life, then discover the same software on your own phone, the insult goes well beyond invasion of privacy. It suggests somebody was willing to watch the watchers, and to do it while a parliamentary inquiry was still active.

That’s the part that makes this story more than another entry in Europe’s long spyware headache. It touches the machinery of democratic oversight itself. A lawmaker assigned to investigate abuse may have been monitored in the course of doing that job. If true, that is not just a bad day for one politician’s phone. It raises the much uglier question of who gets to see inside parliamentary work, and how far some operators will go to keep their secrets out of reach.

For Kouloglou, the irony was obvious. For everyone else in Brussels, it should have been a warning.

The intrusions, mapped out

The intrusions, mapped out

The timeline is messy in the way these cases often are, which is to say: it only looks tidy after a forensic team has spent months pulling at the seams. The first compromise appears to have landed in late October 2022, when Stelios Kouloglou was in hospital recovering from elective surgery. That detail matters because it places the infection in a stretch when his guard would have been lower, his movements limited, and his phone likely doing what phones do best when no one is looking, which is quietly sitting there as if nothing sinister could possibly be happening.

Around that same visit, Greek reporter Thanasis Koukakis came by to see him. Koukakis is no stranger to this territory, having already been targeted with Predator spyware, so the overlap carries a grim sort of irony. Two people connected to the same spyware investigation were in the same room while one of their devices was likely being compromised. The whole setup sounds absurd until you remember that surveillance operators tend to prefer convenience over subtlety. If a device is available, they try to take it. If the target is vulnerable, all the better.

The chronology then starts to line up with the committee’s work. The following week, the European Parliament’s spyware inquiry held hearings. After that, the committee traveled to Cyprus and Greece as part of its investigation. Those were not casual field trips. They were part of the machinery of the inquiry, where lawmakers were trying to piece together how Pegasus spyware and related tools had been used across Europe. Kouloglou was in the middle of that process, moving between testimony, meetings, and the slow grind of drafting findings, while his phone may already have been under someone else’s control.

Spyware doesn’t wait for a convenient calendar slot. It shows up when access is easiest and the target is busiest.

A second Pegasus infection appears to have hit in early March 2023. By then, the committee was closing in on its conclusions and haggling over final language. That timing is hard to ignore. Even if the exact purpose of the intrusion can’t be pinned down from the outside, the overlap with the drafting phase raises an obvious question: was someone trying to watch the inquiry from inside the room, or simply gathering whatever it could from a member’s device? Either way, the idea that a Parliament investigation into espionage was itself being watched has the sort of bureaucratic comedy no one wants on the record.

The later alerts from Apple make the story even stranger. Kouloglou says he received spyware warning notices in three waves, first in spring 2023, then again in late summer 2023, and once more in 2024. Apple’s threat notifications have become a familiar feature in high-risk cases, but they’re not exactly a cheerful bell to get in your inbox. They usually mean the company thinks a mercenary spyware campaign may have targeted the device, and they can arrive long after the damage has been done. In Kouloglou’s case, he says he never saw them in real time, which leaves him with the least satisfying kind of postscript: confirmation, but no immediate chance to react.

That gap between intrusion and warning is part of what makes Pegasus spyware so slippery. The attacker gets the early advantage. The target may not learn anything until months later, and by then the trail has often cooled. For Kouloglou, the sequence looks roughly like this: surgery, a visit from a fellow reporter, hearings and field visits, another infection while the committee was finalizing its findings, then Apple warnings spaced across the next year and beyond. It’s a neat chronology only in hindsight. At the time, it would have felt like ordinary parliamentary work, punctuated by hospital quiet and committee business, not a surveillance case unfolding in the background.

A fuller breakdown of the case has been mapped out in detail, and the broader committee angle has also been tracked in coverage of the PEGA inquiry member’s targeting. What those timelines make plain is simple enough: the spying did not happen in a vacuum. It shadowed the exact period when Kouloglou was doing the work that made him a target in the first place.

What the forensic report does and doesn’t prove

The forensic picture is cleaner than the politics, but only just. A report from the University of Toronto’s Citizen Lab says this is the first identified case of a member of the European Parliament’s PEGA Committee inquiry being targeted with Pegasus while still working on the investigation. That detail matters because it moves the story beyond a private-device intrusion and into the middle of parliamentary oversight. Someone, somewhere, was watching the people doing the watching.

In spyware cases, the evidence can tell you what happened and when, but not always who paid for the job.

Citizen Lab’s researchers were able to reconstruct the infections on Stelios Kouloglou’s iPhone and tie them to Pegasus, the mercenary spyware sold by NSO Group. What they could not do was pin the operation on a specific government or private client. That’s not a weak result. It’s the normal limit of this kind of work. Spyware operators spend a great deal of effort hiding the purchase order, not just the payload.

The report is careful on that point. It does not name a culprit, and it does not claim a neat chain of command. It also says there was no indication that the Greek government was behind the attacks. That does not clear every local actor in the vicinity, but it does remove one of the obvious suspects from the frame. In a case this politically charged, that restraint matters. It would have been easy to leap from “Greek politician” to “Greek state.” The evidence did not support that jump.

What Citizen Lab did find was a pattern that seems to stretch beyond one lawmaker and one committee. The targeting of Kouloglou overlaps with Pegasus campaigns that hit several Russian- and Belarusian-speaking journalists and activists over a multi-year period. That overlap does not prove a single operator, yet it does suggest that the same surveillance infrastructure, or at least the same commercial tooling, was being used against a wider circle of people whose work touched sensitive political and media networks. In spyware investigations, those overlaps can be more revealing than a clean attribution claim. They show habit. They show method. They show who gets treated like a problem.

The report also raises a more awkward possibility: whoever was behind the infection may have seen internal committee material. That is the sort of line no parliament wants to read in a technical appendix. If true, the breach would not be limited to Kouloglou’s private communications. It could have touched drafts, talking points, names of witnesses, scheduling details, or other material meant to stay inside the institution. The authors do not say exactly what was viewed, and that uncertainty is important. Still, the warning is plain enough. A device compromised at the wrong time can turn a confidential inquiry into an open book.

That is where the privacy issue and the parliamentary issue start to merge. Kouloglou was not just any phone owner. He was a sitting MEP during the period when the infections appear to have happened, and he was working on a committee meant to scrutinize spyware abuse across Europe. If internal material was exposed, then the intrusion was not merely about one person’s messages or call logs. It may have reached into the mechanics of legislative oversight itself.

The uneasy part is how ordinary this can look once it’s mapped out. A hospital stay. A committee hearing. A spyware alert that arrives later from Apple and is only seen in hindsight. None of those moments screams “institutional breach” on its own. Put them together, and the picture sharpens fast.

What the report proves, then, is narrower than the headlines might suggest and still grim enough: Kouloglou’s phone was hit with Pegasus while he was doing committee work, the attackers remain unidentified, Greece has not been shown to be the source, and the possibility of exposure inside Parliament can’t be waved away. That leaves Europe with the part nobody enjoys. The forensic trail exists. The responsibility does not.

Europe’s spyware problem is bigger than one MP

The European Parliament didn’t end up here because one lawmaker had a bad week with his iPhone. The push for a formal inquiry grew out of the wider Pegasus spyware scandal, the one that came into public view after the parliamentary Pegasus probe and the broader Pegasus Project leak laid out how mercenary spyware was being bought, sold, and used across borders. That leak put more than 200 journalists on the map as targets or potential targets, which is a pretty grim way for a spreadsheet to make history.

Around the same period, Greece was dealing with its own mess. Predator spyware had turned up in cases tied to journalists, government officials, and military figures, and the whole affair had a distinctly familiar smell: secret surveillance, denials, and a lot of people discovering their phones had been doing things they never asked them to do. Different tool, same basic problem. Once that kind of phone hacking is in circulation, it doesn’t politely stop at one ministry or one newsroom.

Europe already had the warning label. The awkward part is that it still needed someone to read it out loud.

That was the logic behind the PEGA committee’s work. Members kept coming back to the same point: technical fixes matter, but they won’t solve mercenary spyware abuse on their own. A stronger passcode and a cleaner operating system can help, sure. They can also be brushed aside when the problem is political, legal, and commercial at the same time. If governments can buy spyware, if procurement happens in the shadows, and if oversight is patchy, then the software is only half the story. The other half lives in EU politics, procurement offices, and the uncomfortable gap between what officials say they won’t do and what turns up on victims’ phones anyway.

The committee’s final report laid out a stack of practical ideas, including an EU-based forensic tech lab and a spyware taskforce focused on elections. The lab idea made sense because many targets never had the money, staff, or expertise to run a serious forensic check on their own. The election taskforce made sense for a more obvious reason: spyware and campaigns have always had a messy relationship, and election seasons give snoops a long menu of incentives. The committee put those ideas on paper, but that paper hasn’t turned into policy. The PEGA report exists. The adoption part is where things get sticky.

The European Parliament says it now offers a spyware screening system and has widened some protections, which is better than shrugging and hoping for the best. Still, the response feels limited compared with the scale of the problem the institution itself documented. It’s one thing to warn people their devices may be compromised. It’s another to build a system that can keep pace with suppliers who treat surveillance like a normal line of business. That gap is where the rest of this story starts to bite, because Brussels has had the evidence for years and still seems to be arguing with its own paperwork.

The unanswered question Brussels still has to face

The uncomfortable part of this story is not just that an EU lawmaker was targeted. It’s that a committee set up to examine spyware abuse may itself have been watched while doing the job. That makes the whole thing feel less like a bad coincidence and more like a grim little loop.

Saskia Bricmont put the problem in plain language: when spyware is used against elected officials, parliamentary work gets warped, and the rule of law takes a direct hit. That sounds formal, but the meaning is pretty blunt. If lawmakers think their phones are safe only until someone decides they aren’t, every call, meeting, draft note, and whispered complaint becomes a potential liability. Who wants to hold frank conversations under that kind of pressure?

Hannah Neumann took the absurdity one step further. The investigation into spyware abuse was itself spied on. That’s the sort of detail that would get rejected in a satire pitch for being too on-the-nose, yet here we are. The joke, if anyone is still in the mood for one, is that Brussels spent time studying the fire and then found scorch marks on its own curtains.

Kouloglou and other lawmakers have a more practical worry: he may not have been the only one. If one member of the committee was hit, the question becomes whether colleagues, aides, or people in their orbit were also watched. The shadow cast by a Greek spyware scandal doesn’t stop neatly at one phone screen. It spreads through trust, which is harder to measure and slower to repair.

John Scott-Railton of Citizen Lab gets to the heart of the policy problem. Europe has already collected a mountain of evidence. It has heard the testimony. It has seen the technical reporting. It has also produced recommendations, committees, hearings, and more than enough alarm bells to outfit a small parade. What it has not done, at least not consistently, is follow through with the kind of enforcement that changes behavior.

The evidence is no longer the mystery. The mystery is why the reaction keeps lagging behind it.

That gap matters because the spyware market does not wait around for legislators to catch up. The report points to a future in which AI could make mercenary spyware cheaper to build and easier to deploy. That does not mean every new model suddenly turns into a spy tool, of course. It does mean the barriers to abuse may drop, while detection stays messy and attribution stays politically awkward.

So Brussels has a choice, and it isn’t a glamorous one. It can keep treating spyware as a scandal that flares up, gets condemned, and then drifts off into the filing cabinet. Or it can act like an institution that expects hostile surveillance, plans for it, and actually enforces the rules it keeps writing. The second option sounds less dramatic. It also sounds a lot more like the job.

Newsletter

Stay in the loop

Join our newsletter and get resources, curated content, and inspiration delivered straight to your inbox.