NSO Group's Pegasus spyware was repeatedly used against a member of the European Parliament while he was investigating spyware abuses in Europe, according to a new report from the Citizen Lab at the University of Toronto.
Attack on MEP Stelios Kouloglou
Researchers said they could not attribute the attacks against Stelios Kouloglou, a Greek former MEP and journalist, to any specific government operator. However, the attack bore hallmarks of a previous hacking campaign targeting exiled Russian and Belarusian journalists in Europe.
"When you realise your private life is scrutinised by very bad people, you become angry," Kouloglou said. "It's a big issue having to do with corruption, justice and democracy."
Pega Committee Investigation
Kouloglou's work for the special European parliamentary committee known as Pega, established in March 2022 after the Pegasus Project revelations, was at the heart of the report. The Pegasus Project, published by the Guardian and media consortium, exposed how governments used Pegasus to target journalists, activists, and politicians. Pega's mission was to investigate spyware use contravening EU law.
Kouloglou joined Pega in March 2022. His mobile device was first infected on 21 October 2022, during a "particularly intense period of activity" in the committee's deliberations, including drafting its first report. NSO Group did not respond to a request for comment.
Hacking Details and Connections
The hacking coincided with Kouloglou's hospital admission for elective surgery, where he was visited by Greek investigative journalist Thanasis Koukakis. Koukakis was working on mercenary spyware stories in Greece following the "Greek Watergate" scandal, which involved illegal targeting of over 80 people, including politicians and journalists. Koukakis, a targeted victim, had testified before Pega.
Kouloglou's device was hacked again on 6 and 7 March 2023, when Pega was finalizing its report. The hacking occurred while he traveled from Athens to Brussels.
Citizen Lab said this marks the first known targeting of a Pega committee member with spyware. John Scott-Railton, a senior researcher, noted the irony: "This case is the ultimate irony of Europe's spyware crisis. Someone on the very committee tasked with investigating Pegasus gets infected by it." He warned that ignoring abuses would lead to more hacked parliamentarians.
Attribution and Implications
While Citizen Lab could not pinpoint the government client, researchers believe the same operator targeted seven Russian and Belarusian-speaking independent journalists and opposition activists in Europe. A unique Apple ID email used in the attacks suggests a common government client, likely with licenses to operate in Belgium and Greece.



