Stelios Kouloglou, a journalist and former European Parliament member, experienced a bitter irony when his iPhone fell victim to the very surveillance system he was investigating. New research from the University of Toronto's Citizen Lab, released on July 3, reveals that Kouloglou's device was compromised by Pegasus spyware manufactured by Israeli firm NSO Group on at least two separate occasions between 2022 and 2023, marking a troubling escalation in the misuse of sophisticated digital weaponry against European political figures.
The discovery raises uncomfortable questions about government accountability and the capacity of surveillance technologies to undermine democratic institutions. At the time his phone was hacked, Kouloglou was actively engaged in work with the European Parliament's PEGA Committee, a body specifically established to examine the commercial trade in Pegasus and similar surveillance tools deployed by governmental authorities. The committee's investigation culminated in a 2023 report that categorically identified such technologies as posing fundamental threats to democratic governance and individual rights, subsequently recommending strengthened regulatory frameworks governing their deployment and sale across the European Union.
NSO Group, approached for commentary on the findings, declined to respond to inquiries about the incident. The company has consistently maintained that Pegasus operates exclusively under government and law enforcement licensing arrangements, with stated purposes limited to countering terrorism and serious criminal activity. The technology functions by enabling remote infiltration of mobile devices, allowing authorities to intercept voice communications, access encrypted messages, and extract stored information without the device owner's knowledge or permission.
Yet the documented reality diverges sharply from NSO's stated intentions. Researchers and investigative journalists have documented repeated instances of governments weaponising Pegasus against journalists, human rights advocates, and political opponents rather than legitimate security targets. Kouloglou's case exemplifies this troubling pattern, particularly given his position scrutinising the very systems being used against him. His compromised device contained sensitive exchanges with Alexis Tsipras, Greece's former prime minister, alongside confidential medical records and his professional journalistic sources—information of obvious political value to any hostile actor.
Crucially, Kouloglou remains uncertain which government entity orchestrated the attacks against him, underscoring a broader accountability vacuum that has enabled sustained abuse. While Citizen Lab's analysis stopped short of identifying the perpetrator, researchers did establish patterns suggesting the same threat actor simultaneously targeted a network of seven Russian and Belarusian-speaking journalists and opposition figures based throughout Europe. This coordination hints at state-level involvement, yet without transparent investigation and consequences, victims and oversight bodies operate in darkness.
The technical sophistication of the attacks warrants particular concern. In at least one instance, Kouloglou's iPhone was compromised through a zero-click exploit—an advanced attack vector requiring no user interaction whatsoever. The device was silently infected without requiring him to click malicious links or fall for social engineering tactics, representing some of the most technically refined and operationally expensive hacking methods available. This level of capability typically remains accessible only to well-resourced state actors, suggesting deliberate targeting rather than opportunistic compromise.
Kouloglou's victimisation follows a troubling pattern among European legislators. Four Catalan lawmakers experienced similar breaches between 2019 and 2020, while a French parliamentary representative was targeted in 2023. However, the Kouloglou case represents an unprecedented development: the first documented instance of an active PEGA Committee member—literally someone tasked with investigating Pegasus abuse—becoming infected by the technology they were studying. The symbolism is difficult to ignore.
John Scott-Railton, a senior researcher at Citizen Lab, articulated the fundamental contradiction embedded in this situation. The irony transcends mere coincidence; it represents a systemic failure of European institutions to protect those investigating surveillance abuses whilst simultaneously highlighting the impunity with which governments continue deploying these tools. Scott-Railton emphasised that the European Commission must elevate counteraction against continental spyware proliferation to urgent priority status. Despite the PEGA Committee's clear recommendations for regulatory action, institutional momentum appears stalled.
The European Commission's formal response, articulated through spokesperson Antoine Lomba, acknowledged the seriousness whilst essentially reiterating existing positions. The Commission claims active engagement across multiple legal frameworks to address spyware abuse, asserting an unambiguous stance opposing unauthorised data access targeting journalists and political opponents. Yet this rhetorical commitment rings hollow against the backdrop of continued attacks despite the 2023 PEGA investigation and recommendations. Lomba's reference to addressing challenges through both legislative and non-legislative mechanisms suggests a fragmented approach lacking enforcement teeth.
Sophie in 't Veld, a Dutch former European Parliament member who served as rapporteur for the PEGA committee, rejected any interpretation framing Kouloglou's case as an isolated incident. Rather, she characterised the targeting as symptomatic of systemic abuse operating entirely without meaningful consequences. Her assessment that five years of documented Pegasus misuse has generated zero accountability measures captures a fundamental governance failure. The absence of coordinated enforcement mechanisms, meaningful penalties, or political will to challenge offending governments has created an environment where surveillance abuse continues with impunity.
For Malaysian and Southeast Asian observers, the European experience carries pertinent lessons regarding the dangers of unrestricted surveillance technology proliferation. The region's experience with democratic backsliding and selective prosecution of political opponents makes NSO's products and their equivalents particularly concerning. The European case demonstrates how even sophisticated democracies with established institutional oversight struggle to prevent surveillance abuse once such technologies become available to governments. Without robust regional frameworks establishing clear restrictions on surveillance tool acquisition and deployment, Southeast Asian governments may face similar pressures to acquire and abuse sophisticated capabilities.
The Kouloglou incident underscores a fundamental tension in contemporary digital governance: surveillance technologies marketed as security necessities routinely become instruments of political suppression. The inability of democracies even to protect their own legislators from targeted attacks whilst supposedly investigating such abuses suggests that technical solutions alone cannot address institutional failures. Without political commitment to meaningful enforcement and genuine consequences for abuse, regulatory frameworks remain performative gestures rather than protective barriers.
