Technology News

The Watcher Watched: European Lawmaker Targeted by Pegasus in Unprecedented Breach

In a chilling development that has sent shockwaves through the corridors of Brussels, security researchers have confirmed that a member of the European Parliament’s committee investigating spyware abuses was himself a victim of the very technology he was tasked to regulate. The incident involving Greek journalist and former politician Stelios Kouloglou represents a watershed moment in the ongoing battle between digital privacy advocates and the shadowy world of state-sponsored surveillance.

The confirmation, provided by the University of Toronto’s renowned digital rights laboratory, The Citizen Lab, marks the first time a sitting member of the European Parliament’s PEGA (Pegasus) committee has been publicly identified as a target of high-end, military-grade spyware. This revelation has reignited fierce controversy over the unchecked proliferation of surveillance tools, which are ostensibly marketed for counter-terrorism and crime prevention but are frequently repurposed to monitor political dissenters, journalists, and elected officials.

A Chronology of Surveillance: The Targeted Compromise

The infiltration of Kouloglou’s digital life was not a singular event but a calculated, multi-stage operation. According to the comprehensive report released by Citizen Lab, the breaches occurred in late 2022 and early 2023, utilizing sophisticated "zero-click" exploits that require no user interaction to execute.

The October 2022 Incursion

The first confirmed breach occurred in October 2022. This period was critical for the PEGA committee, as it was deep in the throes of drafting its preliminary findings on the use of surveillance software across several European nations, including Cyprus, Greece, Hungary, Poland, and Spain. Kouloglou, acting as an investigator, was heavily involved in the exchange of sensitive intelligence via encrypted messaging and email.

Compounding the severity of the intrusion, the October attack coincided with a period when Kouloglou was hospitalized for a pre-scheduled surgery. The timing suggests the perpetrators may have sought to capture highly personal audio—including private conversations with family and medical staff—or simply exploited his distraction to gain a foothold in his digital ecosystem.

The March 2023 Follow-up

The surveillance did not cease. Citizen Lab identified at least two additional instances of infection on March 6 and 7, 2023. During this time, Kouloglou was traveling between Athens and Brussels, coordinating with colleagues in the lead-up to the finalization of the committee’s report. The persistence of the attacks suggests that the operators were not merely gathering intelligence on a one-off basis but were engaged in a sustained campaign to monitor the committee’s internal deliberations as they neared their final conclusions.

The Technical Vector

The spyware, identified as Pegasus—a product of the Israeli-based NSO Group—exploited a known but unpatched vulnerability in Apple’s HomeKit smart home framework. By leveraging this flaw, the operators were able to bypass standard security measures, granting them full access to Kouloglou’s text messages, location data, photographs, and ambient microphone audio. While Apple had issued a patch for the vulnerability, it had not yet been applied to Kouloglou’s device, a common reality in the "cat-and-mouse" game of mobile cybersecurity.

The Architecture of the Attack: Who is Behind the Screen?

While Citizen Lab has stopped short of explicitly naming a specific nation-state actor, their forensic analysis points to a familiar pattern. The attacks utilized an email address previously linked to spyware campaigns targeting journalists across Europe.

The reuse of this specific digital infrastructure is a critical clue. It implies that the customer operating the software had the broad authorization of NSO Group to conduct surveillance across multiple jurisdictions. This raises an uncomfortable question: which European government, or group of governments, possesses the capability and the political mandate to deploy such an intrusive weapon against a representative of the European Union?

The NSO Group has long maintained that it only sells its products to vetted, "responsible" governments. However, the targeting of a European lawmaker actively investigating those very sales directly contradicts the company’s stated ethical safeguards.

Implications for Democracy and the Rule of Law

The compromise of Kouloglou’s device is viewed by many in the European Parliament as an existential threat to democratic oversight. One fellow lawmaker described the hacking of a colleague as a "direct attack on the rule of law," arguing that if a committee member investigating abuse cannot be protected from that very abuse, the entire mechanism of parliamentary accountability is compromised.

The Personal and Professional Fallout

Kouloglou himself has been vocal about the violation. In a recent interview, he characterized the breach as "reckless" and expressed deep personal distress over the exposure of his private life. "You realize that all of your personal data [was taken]—not all the professional exchanges or messages with ministers—but also the very private things, like the happy moments and the sad moments," he noted.

The psychological toll of knowing that one’s most intimate conversations—from family discussions to strategic political planning—were being harvested by an unknown third party is immense. Yet, Kouloglou remains defiant. He has confirmed his intent to pursue legal action against NSO Group, seeking to force a reckoning for the company’s role in the erosion of digital privacy.

A Call for European Regulation

The incident has catalyzed calls for the European Commission to enact strict, bloc-wide limitations on the sale and use of spyware. Currently, member states often operate under varying national security exemptions, creating a fragmented regulatory landscape that allows spyware vendors to "forum shop" for the most permissive environments. Proponents of reform argue that the EU must move toward a unified, high-bar regulatory framework that explicitly prohibits the targeting of journalists, lawyers, and elected officials under any circumstances.

The Global Context: NSO Group’s Beleaguered Reputation

The controversy surrounding Kouloglou’s hack occurs against a backdrop of increasing international scrutiny for NSO Group. The company has been effectively blacklisted in the United States following a Biden-era executive order that restricts the use of spyware linked to human rights abuses.

Despite this, the company has shown resilience. Reports from late last year revealed that an American investment group injected tens of millions of dollars into NSO, an effort industry analysts suggest is part of a "rehabilitation" strategy designed to clean the company’s image and re-enter the lucrative US market. Critics, however, argue that such investment is merely putting a fresh coat of paint on a flawed business model that is fundamentally incompatible with modern human rights standards.

Conclusion: The Fight for Accountability

As the European Parliament continues to grapple with the fallout of the PEGA committee investigation, the hacking of Stelios Kouloglou serves as a stark reminder of the power imbalance in the digital age. When tools designed for the protection of the state are turned against the architects of the law, the line between governance and surveillance dissolves.

Kouloglou’s decision to go public is a strategic move to ensure that the investigation does not end in a vacuum. "Corruption concerns everybody," he stated, framing his ordeal as part of a larger, global struggle for transparency. Whether this incident leads to substantive legislative change or remains another cautionary tale in the annals of the digital rights movement remains to be seen. What is clear, however, is that the era of "invisible" state surveillance is reaching a breaking point, and the guardians of democracy are no longer willing to remain silent while their privacy is compromised.

As of the time of publication, neither the European Commission nor the NSO Group has provided a substantive response to requests for comment regarding the specific findings of the Citizen Lab report. The silence from the former, in particular, has left many in Brussels wondering whether the political will exists to truly hold the purveyors of spyware accountable.