A former Greek politician and member of the European Parliament's special committee investigating spyware abuses has had his phone infected with the notorious Pegasus spyware, according to a report from the University of Toronto's Citizen Lab. The confirmed hacking of Stelios Kouloglou, a journalist turned politician who served on the PEGA committee, marks the first time a committee member has been publicly identified as a victim of the Israeli surveillance software. The attacks occurred in 2022 and 2023, targeting Kouloglou's iPhone through a zero-click exploit in Apple's HomeKit software.
Targeted attacks during critical phases of the investigation
Citizen Lab reports that Kouloglou was hacked in October 2022 and at least twice in March 2023, using a vulnerability that required no interaction from the victim. The exploit allowed Pegasus to silently extract messages, photos, location data, and even activate the microphone to record ambient conversations. The first hack took place while Kouloglou was hospitalized for scheduled surgery, raising suspicions that attackers aimed to intercept private discussions with visitors. The second wave hit in March 2023 as he traveled from Athens to Brussels, coinciding with committee hearings and the drafting of the final report. The timing suggests a deliberate effort to monitor the committee's internal deliberations ahead of a widely anticipated report detailing spyware abuses in several EU member states.
A direct attack on the rule of law
Kouloglou told TechCrunch he felt anger upon learning his phone had been breached. "You realize that all of your personal data was taken -- not just professional exchanges, but also very private things, like happy moments and sad moments," he said. A fellow European lawmaker described the hacking as "a direct attack on the rule of law" and called on the European Commission to impose strict limits on spyware use across all 27 member states. Citizen Lab did not attribute the attack to a specific country but noted that the email address used was the same as in previous campaigns targeting journalists across Europe, pointing to a government customer authorized by NSO Group.
Zero-click vulnerabilities and security implications
The exploit leveraged a flaw in Apple's HomeKit software for which a patch had already been released, but the update had not been installed on Kouloglou's phone. This incident underscores the critical importance of installing updates promptly, especially given the silent nature of zero-click attacks. While Apple's iOS 27 introduces Trust Insights to detect real-time scams, Pegasus operates covertly without user interaction. For more on how to protect against such threats, read our article on iOS 27 Trust Insights.
Legal fallout and wider repercussions
Kouloglou plans to sue NSO Group, the Israeli spyware maker that has faced numerous controversies over human rights abuses. In the United States, a Biden-era executive order effectively bans government use of spyware that could violate human rights, keeping Pegasus out of federal agencies. Despite this, NSO recently secured funding from an unnamed American investment group, likely to rehabilitate its tarnished brand. The Kouloglou case adds urgency to European Union efforts to regulate surveillance technology more strictly. For further background on Pegasus, refer to the Wikipedia article on Pegasus.