Espionage Against the European Parliament: Member of Committee Investigating Spyware Hacked with Pegasus - The Citizen Lab
Pangram verdict · v3.3
We believe that this document is fully human-written
AI likelihood · overall
HumanArticle text · 1,555 words · 5 segments analyzed
Key Findings
Former Member of the European Parliament, Stelios Kouloglou, was repeatedly hacked with NSO Group’s Pegasus spyware while on the committee investigating Pegasus spyware abuses.
Kouloglou was infected during key periods of PEGA committee activity, and the spyware would have likely captured non-public information about committee activities, possibly breaching EU parliamentary confidentiality and privilege frameworks.
We are not attributing these infections to a particular government at this time, and found no indications that the Greek Government is responsible. Instead, we note an overlap between the first infection and a previously identified Pegasus campaign targeting Russian and Belarusian-speaking exiled journalists and activists in Europe, suggesting a Pegasus customer with authorization to spy in multiple European countries is responsible.
Background
Stelios Kouloglou is a prominent Greek investigative journalist who was elected as a Member of the European Parliament in 2015. He reported for Greek radio and TV from Paris (1983-84), Moscow (1989-93), and Yugoslavia (1992-95). He later founded and reported for Television Without Borders (TVXS) starting in 2008.
Kouloglou was elected to the European parliament as an independent in the Syriza party’s electoral list (affiliated with the Left). He was elected to the next parliamentary term in the 2019 European elections.
Kouloglou was a substitute member of the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA Committee) from March 24, 2022 to July 18, 2023. The PEGA Committee was established on March 10, 2022 following the 2021 publication of the Pegasus Project and other reporting which revealed European governments used spyware to surveil journalists, activists, politicians, and other citizens. Led by MEP Sophie in ‘t Veld, the PEGA Committee was tasked to investigate the scope of spyware usage in contravention of EU law, focusing on “Pegasus and equivalent surveillance spyware.”
While sitting as an MEP, Kouloglou continued to write opinion pieces and report for TVXS.
He left the Syriza party in October 2023 and sat as an independent until the elections of June 2024, after which he served as a member of the New Left. His parliamentary term ended in July 2024.
Kouloglou Infected with Pegasus Spyware
In May 2026, Kouloglou contacted the Citizen Lab and we conducted a forensic analysis of artifacts from his iPhone. We found with high confidence that his device was successfully infected with Pegasus spyware on or around October 21, 2022, and again on March 6 and 7, 2023.
On 2022-10-21 10:16, there was a lookup for a HomeKit email address rauharepo888 [@]gmail.com. Two minutes later, a Pegasus process used mobile data. We assess that the phone was hacked with the PWNYOURHOME zero-click exploit at this point. PWNYOURHOME appeared to first involve the attacker sending a specially crafted NSKeyedArchive that landed in HomeKit, followed by malicious content that landed in MessagesBlastDoorService. Apple mitigated the first issue with a change to HomeKit in iOS 16.3.1, though we assess that they fixed the MessagesBlastDoorServiceissue earlier, likely in iOS 16.1.
We additionally saw Pegasus activity on Kouloglou’s device between 2023-03-06 09:49 and 2023-03-07 07:30 that we assess is likely linked to the same exploit. On the 2022 and 2023 dates, we assess that the device was running iOS 15.5 (19F77).
These findings do not preclude the possibility of additional infections that we have been unable to capture due to limitations of available forensic data.
Apple Notifications
Further validating our finding of targeting, our forensic analysis shows Kouloglou received multiple Apple threat notifications about targeting with mercenary spyware on three occasions: March 2, 2023, August 29, 2023, and April 10, 2024.
It is important to note that threat notifications from Apple and other companies are not real-time alerts. They are typically sent to users in batches, often months or more after targeting takes place.
Kouloglou reports to us that he did not recall receiving the Apple notifications we observed.
Targeting Context and PEGA Committee Activities
Kouloglou helped the Citizen Lab reconstruct his activities during the periods when he was targeted with Pegasus spyware (see the detailed timeline in the Appendix). Throughout the period under consideration, Kouloglou wrote numerous articles and gave frequent interviews about spyware abuses. We summarize the key contextual details in the following sections.
First Pegasus Infection Period: PEGA Hearing Prep, Country Visits
The date of the first known Pegasus infection of Kouloglou’s device – October 21, 2022 – aligns with a particularly intense period of activity around the PEGA Committee’s deliberations and investigations.
First, a series of PEGA Committee hearings were about to commence following the infection date, including “Big Tech and Spyware” (October 26), “Spyware and e-privacy” (October 26), and spyware and fundamental rights (October 27).
Importantly, the PEGA Committee was also in the midst of preparations for the publication of its first draft report. Drafts of the report were being discussed and circulating among PEGA Committee members and their staff in the weeks leading up to this publication. Kouloglou confirms that the first infection date (October 21, 2022) coincided with a period of intense discussion and exchange that primarily took place over text messages and email. The first draft of the PEGA Committee Report was delivered by MEP in ‘t Veld on November 8, 2022. The draft focused on allegations of spyware in Poland, Hungary, Greece, Cyprus, and Spain.
In addition to the hearing and report drafting, PEGA Committee members had visited several European countries as part of their mission. Throughout October, the PEGA committee was planning its research visits to Greece and Cyprus scheduled for November 1 to 4, 2022. Kouloglou helped with planning and participated in both visits as part of the PEGA Committee deliberations.
Kouloglous’ device was hacked ten days prior to the start of this trip, at a time when communications were being exchanged about the visits.
Meeting with Thanasis Koukakis
On October 21, 2022, the exact date of the infection, Kouloglou was in the hospital for elective surgery. He was visited in his hospital room by Greek investigative journalist Thanasis Koukakis, who has worked closely on mercenary spyware issues in Greece, and had testified to the PEGA Committee the previous month. In March 2022, the Citizen Lab had confirmed Koukakis was himself targeted with Intellexa’s Predator spyware and he was at this time pursuing legal remedies and formal complaints with relevant authorities in Greece about the spying. Koukakis memorialized his meeting with Kouloglou with a photograph (Figure 2).
Given that the infection took place while Kouloglou was a patient at a Greek hospital, it is possible that confidential medical information could have been intercepted from his device, including discussions going on in his room. If the spyware captured conversations between Kouloglou and medical staff, or details stored on the phone concerning appointments, medical results, diagnoses, and other health related information, then the hacking of his device may implicate Greece’s laws concerning confidentiality of health-related data, which are considered a special category of personal data and are subject to enhanced protections (Law 4624/2019 under the Greek Penal Code).
Second Pegasus Infection Period: Intense PEGA Deliberations
Kouloglou’s device was hacked with Pegasus spyware a second time, on March 6 and 7, 2023. According to Kouloglou, during this time frame, the PEGA committee was engaged in intense discussions related to the final drafting process. On March 6, 2023 Kouloglou traveled from Athens to Brussels and was in Brussels on March 6 and 7 during the timeframe of the infection.
It may also be significant that, at this time, PEGA Rapporteur MEP in ‘t Veld was in Greece as part of a mission with the LIBE Committee (Committee on Civil Liberties, Justice and Home Affairs), which is a standing committee of the European Parliament primarily responsible for drafting legislation and providing democratic oversight around issues concerning human rights, data protection, asylum, immigration, and anti-discrimination. On that mission, the LIBE delegation questioned the Greek Director of the National Transparency Authority and other officials on the Greek spyware scandal (report para 183).
As with the previous infection dates, the date of this infection was also followed by a string of PEGA hearings and a research trip to Spain (although Kouloglou did not participate in that trip himself). This infection took place approximately two months prior to the adoption of the first PEGA Committee report (May 8, 2023).
Separately, Kouloglou and Thanasis Koukakis had made tentative plans over WhatsApp to meet on or around March 6 and 7, 2023, but ultimately their in person meeting did not take place.
The European Parliament Under Surveillance
This is the first time a member of the PEGA Committee has been publicly identified as a victim of Pegasus spyware while serving on the Committee.
There have been a few public cases of MEP targeting prior to the creation of the PEGA Committee. Four Catalan MEPs were either directly or indirectly targeted with Pegasus: MEP Diana Riba’s devices were infected in October 2019. Catalan MEP Jordi Solé was targeted in June 2020, just prior to taking his seat in the European Parliament. Two other Catalan MEPs were targeted through their staff or family members: Clara Ponsati (July 2020) and Carles Puigdemont (October 2019 and July 2020). Riba, Solé, and Puigdemont all joined the PEGA Committee: Riba as Vice-Chair, Puigdemont as a member, and Solé as a substitute. They testified about their experiences to the PEGA Committee, alongside Antoni Comín and Nikos Androulakis (whose device was targeted with Predator spyware).