Citizen Lab finds Pegasus on the phone of the EU's Pegasus investigator
A former member of the European Parliament's spyware inquiry was repeatedly hacked with Pegasus during his tenure, with no one in the institution aware of it.
A former member of the European Parliament's spyware inquiry was repeatedly hacked with Pegasus during his tenure, with no one in the institution aware of it.
The European Parliament built a committee to investigate the use of Pegasus spyware. For at least part of its mandate, the committee included a member whose phone had already been compromised by Pegasus, and the Parliament did not know.
A Citizen Lab forensic investigation published this week documents repeated infections of Stelios Kouloglou, a former Member of the European Parliament, with NSO Group's Pegasus spyware during the time he served on the PEGA Committee of Inquiry. Kouloglou was a substitute member of the committee from March 24, 2022 to July 18, 2023. The committee was established on March 10, 2022 to examine the use of Pegasus and equivalent commercial spyware inside the EU, and it adopted its final report in May 2023.
PEGA was the Parliament's response to the 2021 Pegasus Project, a consortium investigation that documented EU member states' use of the tool against journalists, activists, and political figures. The committee's hearings covered the impact of spyware on fundamental rights and the use of spyware in Greece specifically, drawing on prior European Parliamentary Research Service analysis of the legal and technical landscape around commercial spyware652037_EN.pdf).
Citizen Lab's finding changes what that work means in retrospect. If a member of an investigative committee was compromised while the committee was active, the compromised device could have offered a window into the inquiry's non-public documents and deliberations, exactly the material the committee was supposed to use to hold EU governments accountable for the same behavior. Citizen Lab notes that the infections coincided with active phases of PEGA's work and that attackers would likely have had access to non-public committee information, possibly breaching EU parliamentary confidentiality and privilege frameworks.
Citizen Lab is explicit about what it does and does not say. It is not attributing the infections to any named government. It found no indication that the Greek government, of which Kouloglou is a national, is responsible. What it does identify is a technical overlap: the first infection timestamp falls inside a previously observed Pegasus campaign that targeted Russian and Belarusian-speaking exiled journalists and dissidents in Europe, suggesting a Pegasus operator with authorization to run intrusions in multiple EU member states. The implication is structural, not geopolitical. A commercial spyware tool, licensed country by country, reached a member of the body investigating it.
That structural fact is the part the wider coverage has not yet absorbed. Re-reporting of the Citizen Lab finding has framed the story as a confirmed new hack against a sitting official. Citizen Lab's own framing is narrower: a forensic reconstruction of past infections, a pattern consistent with targeted espionage, and a flagged risk to parliamentary privilege. Both can be true, but the second is what the institutional story is about.
PEGA was wound up after adopting its final report in May 2023. Whether the Parliament had any technical means to detect a compromised member while the committee was active is not addressed in the public record; the only forensic disclosure of the infections has come from Citizen Lab's work with Kouloglou. The open question is whether the Parliament's internal security apparatus can audit the devices of its own members at all, or whether it has to wait for an outside lab to tell it what its own members were carrying. The next test will be whether the Parliament's own services open an internal review of committee-period device handling, and whether other former PEGA members come forward to be scanned.