A Spyware Investigator Got Spied On: Pegasus Hit an EU Lawmaker Probing Pegasus
Forensic analysis of Stelios Kouloglou's phone shows repeated Pegasus infections while he sat on the European Parliament's own spyware inquiry.

Key points
- The Citizen Lab confirmed that former Member of the European Parliament Stelios Kouloglou was infected with Pegasus spyware while serving on the EU committee investigating that exact tool.
- Pegasus is commercial spyware sold by Israeli firm NSO Group that can read messages, listen through the microphone and pull data from a target's phone.
- The infections happened while Kouloglou was actively helping lead the parliamentary inquiry known as PEGA into the abuse of such surveillance tools across Europe.
- Citizen Lab's forensic examination of the device found the attackers could have had broad access to its contents.
- The case adds to a growing list of European politicians, journalists and lawyers whose phones have been hit by mercenary spyware in recent years.
A lawmaker whose job was to investigate spyware abuse in Europe was himself being spied on with the very tool he was investigating.
That is the finding from the Citizen Lab, the University of Toronto research group that studies digital surveillance. Its analysis, picked up this week by The Hacker News, shows that former Member of the European Parliament Stelios Kouloglou had his phone repeatedly infected with Pegasus.
Pegasus is a piece of commercial spyware — software sold to governments that quietly takes over a phone and turns it into a listening device. It is made by the Israeli company NSO Group. Once installed, it can read texts, open encrypted chats, switch on the microphone and copy files, usually without the owner noticing a thing.
Kouloglou was not a random target. He sat on PEGA, the European Parliament's special committee set up in 2022 to look into exactly this kind of abuse across EU member states.
So the person helping write Europe's report on spyware misuse had spyware on his own pocket.
How did they get onto his phone?
Citizen Lab's forensic work on the device points to Pegasus infections that would have given the attackers deep access to what was on the handset. The researchers have not publicly named which government client of NSO Group was behind the intrusions.
That matters, because Pegasus is not sold on the open market. NSO says it only licenses the tool to vetted government agencies for serious crime and counter-terrorism work. Every confirmed case of a journalist, activist or politician being hit therefore points back to a state customer somewhere.
Modern Pegasus attacks often use what security researchers call zero-click exploits — flaws in apps like iMessage or WhatsApp that let the spyware land on a phone without the target tapping anything at all. There is no dodgy link to avoid. The phone simply receives a message and is infected.
This is worth being honest about: standard advice like "turn on two-factor authentication" or "do not click strange links" would not have stopped this. Multi-factor authentication protects your accounts from someone guessing a password. It does nothing when the attacker owns the operating system on your device.
What does this mean for ordinary people?
For most readers, the direct risk is low. Pegasus licences reportedly cost millions and are aimed at specific high-value targets, not the general public.
The wider point is about oversight. If a sitting European lawmaker investigating spyware can be hacked with that same spyware, the guardrails around who gets to use these tools are clearly not working. That is a political problem, not a personal one.
Still, some practical habits help anyone who worries they might be a target:
- Keep your phone's operating system updated the day patches arrive. Apple's Lockdown Mode and Google's Advanced Protection Program are designed for people at elevated risk and shut down many of the entry points spyware relies on.
- Restart the phone regularly. Some spyware strains do not survive a reboot, though determined attackers will simply reinfect.
- If you are a journalist, lawyer, activist or politician, Citizen Lab and Amnesty International's Security Lab both offer free forensic help.
The PEGA committee's own final report concluded that several EU governments had used commercial spyware against critics. Kouloglou's phone, it turns out, was evidence of that all along.



