Security researchers have confirmed that a European politician had his phone hacked with Pegasus spyware while he was a member of a committee investigating abuses of the notorious surveillance tool. The finding has reignited controversy over the abuse of spyware by governments to gather information on their critics.
Researchers at the University of Toronto’s digital rights unit, The Citizen Lab, say the confirmed phone hacking of Greek journalist and former politician Stelios Kouloglou during 2022 and 2023 marks the first time a member of the European Parliament’s PEGA committee, tasked with investigating phone spyware attacks by European governments, has been publicly identified as a spyware victim.
Kouloglou told TechCrunch in a phone call that the deliberate compromise of his phone was “reckless.” A serving European lawmaker described the hacking of Kouloglou’s phone as a “direct attack on the rule of law” and called on the European Commission to take concrete action by imposing strict limits on the use of spyware across the bloc of 27 member states.
While spyware attacks on lawmakers are rare, the timing and the targeting of a committee investigator with the same spyware he was investigating suggest an intense focus on the committee’s inner workings ahead of a widely anticipated report detailing its findings. The attacks raise new questions about how governments use spyware that is seemingly necessary to identify serious crimes, but are then caught spying on the communications of journalists, lawmakers and critics.
Citizen Lab researchers did not attribute the phone hacking to a specific country, but said the government client used the same email address, uploaded to Pegasus, that was used in a previous campaign that hacked the phones of journalists across Europe. The identity of the client is unknown, but the reuse of the same attacking email address implies that the client had authorization from NSO Group to use its Pegasus spyware against phones in several countries in Europe.
A European Commission spokesperson did not respond to TechCrunch’s request for comment. NSO Group also did not respond to a request for comment on the Citizen Lab report before its publication.
In its report, out on Friday, Citizen Lab said Kouloglou was hacked in October 2022 and at least twice during March 2023 using an exploit that abused a security vulnerability in Apple’s iPhone software. This vulnerability had been patched, but the fix was not yet installed on Kouloglou’s phone. The exploit was a “zero-click” bug, meaning that the spyware broke in and stole his data without requiring any interaction on his part.
The exploit abused a previously discovered flaw in Apple’s smart home software used in iPhones. It allowed the spyware to capture private data from Kouloglou’s phone without his knowledge, such as his text messages and other correspondence, location data and photographs.
The timing of the October 2022 hack coincides with intense email and text message discussions throughout October and November 2022, prior to the delivery of a first draft outlining spyware abuses centered on Cyprus, Greece, Hungary, Poland and Spain.
The hack also comes at the exact time Kouloglou was in the hospital for a previously scheduled surgery, which may have allowed spyware operators to listen to ambient audio about his medical care or other conversations he had with visitors at the time.
Months later, on March 6 and 7, Citizen Lab said Kouloglou’s phone was hacked again by the same Pegasus operator while Kouloglou was traveling from Athens to Brussels, during a period of committee hearings and months before the committee finalized and adopted its draft written report.
In a call, Kouloglou told TechCrunch that he didn’t know why he was targeted specifically, but that he believes it was due to his work on the European Parliament committee investigating Pegasus abuses.
He described his anger when he found out his phone had been hacked.
“You realize that all your personal data (was taken), not only professional exchanges or messages with ministers, but also very private things, like happy moments and sad moments,” he told TechCrunch.
Kouloglou said he plans to sue NSO Group, the Israel-based spyware maker. The use of NSO remains largely banned in the United States following a Biden-era executive order that banned government use of spyware that could violate people’s human rights.
Last year, the spyware maker confirmed that an anonymous US investment group channeled tens of millions of dollars into the company, probably as part of an effort to rehabilitate the beleaguered NSO brand, which is associated with allowing human rights abuses.
Kouloglou said he would make his story public “for democracy, human rights and the fight against corruption.”
“Corruption affects everyone,” he said.