NSO offices.

Former EU spyware investigator allegedly hacked with Pegasus

A Citizen Lab report alleges an Israeli-made surveillance tool hacked the phone of a lawmaker investigating spyware abuse.

A former member of the European Parliament who served on a committee investigating the misuse of commercial spyware was himself targeted with an Israeli-made surveillance tool, according to a report released Friday by the Canadian cybersecurity watchdog Citizen Lab.
Citizen Lab said the phone of Stelios Kouloglou, a Greek journalist-turned-lawmaker, was infected at least three times between October 2022 and March 2023 with Pegasus, spyware developed by the Israeli company NSO Group.
1 View gallery
משרדי NSO באזור התעשייה ספיר בערבה
משרדי NSO באזור התעשייה ספיר בערבה
NSO offices.
At the time, Kouloglou was serving on the European Parliament's PEGA Committee, established in 2022 to investigate the use of illegal spyware across the European Union. The committee focused largely on Pegasus and similar surveillance tools, concluding that governments across the EU had likely used commercial spyware "in one way or another, some legitimate, some illegitimate."
Kouloglou said he was shocked by the apparent willingness of whoever carried out the attack to target a member of the very committee investigating spyware abuses.
"I was not expecting that a PEGA member would be spied on by Pegasus," he told Reuters. "I was not expecting that they would be as reckless as that."
NSO Group did not respond to Reuters' requests for comment.
In a statement to Reuters, the European Parliament did not comment directly on Kouloglou's case but said its IT security services "constantly monitor cybersecurity threats as well as potential cyberattacks against its working environment."
The Parliament added that spyware screening tools have been available to all lawmakers since 2022 and noted that a report adopted last month recommended extending those protections to all devices used for parliamentary business.
The European Commission did not immediately respond to requests for comment.
NSO has consistently maintained that its spyware is sold exclusively to government agencies to combat serious crime and terrorism. However, the company has repeatedly faced allegations that Pegasus has been used to target journalists, political opponents, human rights activists, lawyers, and religious figures around the world.
The U.S. government placed NSO on its Entity List in 2021, citing national security and human rights concerns.
Last year, Meta Platforms, the parent company of WhatsApp, won a $168 million damages award against NSO after a U.S. court found the company had unlawfully exploited WhatsApp's systems to deploy Pegasus. Last month, Meta accused NSO of violating a court injunction restricting such activity and asked the court to hold the company in contempt.
Citizen Lab said it believes Kouloglou's phone was compromised through an Apple software vulnerability that was unknown at the time of the attacks. According to the report, Apple sent Kouloglou multiple notifications in 2023 and 2024 warning that he had been targeted by state-sponsored attackers.
The researchers did not identify the government or entity responsible for deploying Pegasus against Kouloglou. However, they said some of the activity shared technical characteristics with earlier Citizen Lab investigations that linked Pegasus to surveillance campaigns targeting Russian- and Belarusian-speaking journalists and activists living in exile.
Apple did not comment specifically on Kouloglou's case but said the vulnerability identified in the Citizen Lab report has since been patched. The company added that it continues to notify users it believes have been targeted by state-sponsored spyware.
Sophie in 't Veld, a former European Parliament member who championed the creation of the PEGA Committee, said the findings underscore how the rapid spread of commercial spyware has eroded traditional safeguards against unlawful surveillance.
"We're in a situation where anybody could spy on anyone, and they're spying on citizens, journalists, NGOs, lawyers and politicians, and nobody knows who's behind it," she said.