Former MEP Investigating Spyware Abuses Hacked With Pegasus
Key Takeaways Stelios Kouloglou, a former Member of the European Parliament (MEP) on the PEGA committee, was infected with NSO Group’s Pegasus spyware multiple times. This marks the first...
Key Takeaways
- Stelios Kouloglou, a former Member of the European Parliament (MEP) on the PEGA committee, was infected with NSO Group’s Pegasus spyware multiple times.
- This marks the first public confirmation of a PEGA committee member being targeted while actively participating in the spyware inquiry.
- The infections occurred during sensitive periods of the committee’s work, including report drafting and international delegations.
- One infection used the PWNYOURHOME zero-click exploit, linked to a HomeKit-associated email address also seen in attacks on exiled journalists.
Former MEP Investigating Spyware Abuses Hacked With Pegasus
Stelios Kouloglou, a former Member of the European Parliament (MEP) who actively participated in the committee investigating the misuse of Pegasus spyware, was himself repeatedly compromised by NSO Group’s sophisticated surveillance tool. New forensic analysis conducted by the Citizen Lab revealed that Kouloglou’s devices were infected with Pegasus during his tenure on the committee.
Table Of Content
This revelation marks a significant moment, as it is the first instance where a member of the European Parliament’s Committee of Inquiry into Pegasus and equivalent surveillance spyware (PEGA Committee) has been publicly identified as a victim of Pegasus while actively serving on the inquiry itself.
Infections Coincide with Critical Committee Work
Kouloglou served as a substitute member of the PEGA Committee from March 2022 to July 2023. After he reached out to Citizen Lab in May 2026, a forensic examination of his iPhone uncovered that his device had been compromised on multiple occasions, precisely during some of the committee’s most sensitive discussions and activities.
Specifically, Kouloglou’s device was infected with Pegasus on October 21, 2022, and again between March 6 and 7, 2023. The initial compromise utilized the PWNYOURHOME zero-click exploit. Evidence for this included a lookup for a HomeKit-linked email address ([email protected]), which was followed just two minutes later by Pegasus network activity.
Apple issued threat notifications to Kouloglou on three separate dates: March 2, 2023, August 29, 2023, and April 10, 2024. However, Kouloglou stated he did not recall seeing these alerts.
Both infection periods directly align with intense phases of the PEGA Committee’s work, encompassing preparations for hearings, the circulation of draft reports, and visits by international delegations.
The October 2022 infection occurred ten days prior to a PEGA delegation trip to Cyprus and Greece, a visit Kouloglou helped organize and personally attended. This timing also coincided with the committee’s initial report drafting, much of which was being discussed among members and staff via text and email.
Notably, the exact date of this first infection found Kouloglou hospitalized for elective surgery. On that same day, he received a visit from Greek investigative journalist Thanasis Koukakis, who had previously testified before the PEGA Committee about his own targeting with Intellexa’s Predator spyware.
Citizen Lab highlighted the potential implications of this hospital-based infection, noting that the spyware could have accessed confidential medical information, which might raise concerns regarding Greek data protection laws.
The second infection, in March 2023, took place while Kouloglou was in Brussels for the final negotiations on the committee’s report. This period also coincided with a separate PEGA-linked delegation visit to Greece by rapporteur Sophie in ‘t Veld.
Attribution and Broader Context
Citizen Lab stopped short of attributing the cyberattack to a specific government, explicitly stating that no evidence implicating the Greek government was found, nor any indication that Greece has ever been an NSO Group customer.
However, researchers identified a significant overlap: the same HomeKit-linked email address implicated in Kouloglou’s first infection also appeared in a 2024 joint report with Access Now. This report detailed Pegasus targeting of Russian and Belarusian-speaking exiled journalists and activists across Europe.
Kouloglou is not the first MEP confirmed to have been targeted by mercenary spyware. Catalan MEPs Diana Riba, Jordi Solé, and Carles Puigdemont were previously identified as Pegasus targets, and Greek MEP Nikos Androulakis was targeted with Predator spyware.
More recently, French MEP Nathalie Loiseau and German MEP Daniel Freund confirmed spyware targeting in 2024. Nevertheless, Kouloglou holds the distinction of being the first PEGA Committee member confirmed to have been compromised by spyware while actively involved in the very inquiry investigating such abuses.
What You Should Do
- Regularly update your mobile operating system and applications to the latest versions.
- Enable two-factor authentication (2FA) on all accounts, especially for email and cloud services.
- Be wary of suspicious links or attachments, even from known contacts, as spear-phishing remains a common vector.
- Consider using a reputable mobile threat defense (MTD) solution to detect and prevent advanced mobile attacks.
- If you receive threat notifications from your device vendor (e.g., Apple), take them seriously and seek expert forensic analysis.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.