There’s a certain dark irony in discovering that Pegasus spyware was used to hack the phone of a European Parliament member who was, at that very moment, sitting on the committee set up to investigate Pegasus spyware abuses. But that’s exactly what the Citizen Lab at the University of Toronto has confirmed — and the implications for EU institutional security are serious.
- Pegasus spyware infected the iPhone of MEP Stelios Kouloglou at least twice while he investigated spyware abuses in the EU.
- The Pegasus spyware infections occurred during critical PEGA committee periods, potentially exposing confidential parliamentary deliberations.
- Citizen Lab found no evidence implicating the Greek government, pointing instead to a Pegasus customer operating across multiple European countries.
- Apple sent Kouloglou three separate mercenary spyware threat notifications — in March 2023, August 2023, and April 2024.
Table of Contents
Pegasus Spyware Hits the Committee Investigating It
Stelios Kouloglou, a Greek investigative journalist turned politician who served as a Member of the European Parliament from 2015 to 2024, contacted Citizen Lab in May 2026. Researchers conducted a forensic examination of his iPhone and concluded with high confidence that the device had been successfully compromised with Pegasus spyware across two infection periods: on or around October 21, 2022, and again on March 6 and 7, 2023.
At the time of those infections, Kouloglou was a substitute member of the PEGA Committee — the European Parliament’s formal Committee of Inquiry tasked with investigating the use of Pegasus spyware and equivalent tools across EU member states. He sat on that body from March 2022 to July 2023. The timing of the hacks wasn’t random. It aligned almost precisely with some of the most consequential moments in the committee’s work.

The Exploit: Zero-Click, No Chance to Resist
Citizen Lab assessed that the October 2022 infection used a zero-click exploit called PWNYOURHOME — an attack vector that requires absolutely no action from the victim. No suspicious link to tap, no file to open. The attacker sends a specially crafted payload that first lands in Apple’s HomeKit service, followed by malicious content routed through MessagesBlastDoorService. Forensic logs show a lookup for the email address rauharepo888@gmail.com through HomeKit at 10:16 on October 21, 2022, with a Pegasus process using mobile data just two minutes later. That sequence is the digital fingerprint of the exploit in action.
Kouloglou’s device was running iOS 15.5 at the time — a version that was already behind Apple’s latest releases. Apple has since mitigated the HomeKit component of PWNYOURHOME in iOS 16.3.1, with the MessagesBlastDoorService issue believed to have been addressed earlier, in iOS 16.1. The March 2023 infections appear linked to the same exploit chain. It’s a reminder that even security-aware public figures often run outdated software, and that Pegasus spyware zero-click attacks leave users with essentially no defensive recourse on unpatched devices.
Why the Timing Matters So Much
The dates of these Pegasus spyware infections aren’t just technically significant — they’re politically explosive. The October 21, 2022 infection came days before a cluster of major PEGA committee hearings covering Big Tech and spyware (October 26), e-privacy and surveillance (October 26), and spyware’s impact on fundamental rights (October 27). More critically, the committee was in the final weeks of drafting its first major report. Draft versions were circulating among members and staff — primarily via text message and email, Kouloglou confirmed to Citizen Lab. Those are exactly the channels Pegasus spyware is designed to silently monitor.
The first draft of the PEGA Committee report, delivered by MEP Sophie in ‘t Veld on November 8, 2022, examined spyware allegations against Poland, Hungary, Greece, Cyprus, and Spain. An attacker with access to Kouloglou’s device in the weeks before that publication would have had a window into the committee’s non-public findings, sources, and deliberations. That’s not just a personal privacy violation — it’s a potential breach of EU parliamentary confidentiality and privilege frameworks that protect the integrity of legislative inquiries.

The second round of infections, across March 6–7, 2023, fell during another active stretch of committee operations. Citizen Lab notes that its forensic analysis can’t rule out additional infections that may have gone undetected, given the inherent limitations of mobile forensic data — Pegasus spyware is specifically engineered to leave as few traces as possible.
Apple’s Threat Notifications and a Troubling Gap
Separately from the forensic evidence, Citizen Lab found records showing that Apple sent Kouloglou threat notifications warning him of mercenary spyware targeting on three occasions: March 2, 2023, August 29, 2023, and April 10, 2024. Apple sends these notifications as a way to alert users it believes have been targeted by state-sponsored or commercial surveillance tools.
There’s a critical caveat here. These notifications are not real-time alerts. Apple sends them in batches, sometimes months after the suspected targeting occurred. Kouloglou told Citizen Lab he had no recollection of receiving any of them — a troubling detail that raises questions about how effectively these warnings reach their intended recipients, particularly for users who may not know what to look for or may have missed the notifications among everyday app alerts.
Who Did This — and What Citizen Lab Won’t Claim
Citizen Lab is being careful here, and deliberately so. The report does not attribute the infections to any specific government, and explicitly states there’s no evidence pointing to the Greek government as responsible. That’s a meaningful distinction — Greek intelligence services have previously been linked to separate domestic surveillance scandals, and Kouloglou is a Greek national. But Citizen Lab isn’t drawing that line.
Instead, researchers flagged something potentially more alarming: the timing and characteristics of Kouloglou’s first Pegasus spyware infection overlap with a previously documented campaign that targeted Russian and Belarusian-speaking journalists and activists living in exile across Europe. The implication is that a single Pegasus operator — one licensed by NSO Group to conduct surveillance across multiple European countries simultaneously — may be responsible for both campaigns. That points to a customer with considerable geographic reach and a clear interest in both dissident communities and EU legislative processes.
NSO Group licenses Pegasus exclusively to government clients and maintains that its technology is intended for lawful counterterrorism and law enforcement use. But the body of evidence accumulated by Citizen Lab, Amnesty International’s Security Lab, and others over the past several years tells a different story: Pegasus spyware has been used repeatedly against journalists, opposition politicians, lawyers, and human rights defenders across dozens of countries. The EU’s own PEGA committee reached similar conclusions before its mandate ended.
The Broader Stakes for European Institutional Security
This case is a specific, documented instance of something that’s been a background concern in European security circles for years: that commercial spyware may have been used not just against civil society, but against the EU’s own democratic institutions. If an attacker with a Pegasus license can silently monitor a sitting MEP’s communications during an active parliamentary inquiry, no pre-publication report, no internal deliberation, and no whistleblower contact can be considered genuinely secure.
The PEGA committee itself concluded in 2023 that several EU member states had used Pegasus spyware in ways that violated EU law and fundamental rights standards — and recommended a moratorium on the use of such tools pending proper oversight frameworks. But recommendations are not binding, enforcement remains fragmented across national jurisdictions, and the commercial spyware industry has continued to operate. NSO Group itself has faced US sanctions and legal action from Apple, but the technology hasn’t disappeared — it’s proliferated.
Kouloglou’s case is a data point that European institutions can’t easily dismiss. When the committee investigating spyware abuses gets hacked with the very Pegasus spyware it’s investigating, that’s not an edge case — it’s a stress test that the current oversight architecture clearly failed. Whatever the EU’s next legislative response to commercial surveillance looks like, it needs to start with the recognition that parliamentary privilege and institutional confidentiality are only as strong as the devices lawmakers carry in their pockets.
Source: Hacker News
Frequently Asked Questions
What is Pegasus spyware and who makes it?
Pegasus spyware is surveillance software developed by NSO Group. It can silently infect devices to capture sensitive information. NSO Group licenses the tool to government clients.
How was Stelios Kouloglou infected with Pegasus spyware?
Citizen Lab assessed that Kouloglou’s iPhone was compromised using the PWNYOURHOME zero-click exploit, which requires no interaction from the target. The attack involved a malicious payload sent through Apple’s HomeKit and MessagesBlastDoorService. The device was running iOS 15.5 at the time of infection.
Who is responsible for hacking Kouloglou’s phone?
Citizen Lab has not attributed the infections to a specific government. However, researchers noted an overlap between the first infection and a known Pegasus campaign targeting Russian and Belarusian-speaking exiled journalists and activists in Europe, suggesting a single Pegasus operator active across multiple EU countries.
What was the PEGA committee investigating?
The European Parliament’s PEGA Committee, established in March 2022 and led by MEP Sophie in ‘t Veld, was tasked with investigating how EU member states used Pegasus and equivalent spyware against journalists, activists, politicians, and other citizens in potential violation of EU law.

