When Citizen Lab disclosed that a member of the European Parliament’s PEGA committee had his phone compromised, the Pegasus spyware hack instantly became the most striking example of surveillance overreach in recent memory. Stelios Kouloglou, a Greek journalist and former politician, learned that the very tool he was investigating had silently infiltrated his device in October 2022 and again in March 2023. The revelation isn’t just another data breach story; it’s a direct assault on the rule‑of‑law watchdog tasked with exposing exactly this kind of abuse.
Key Takeaways
- Citizen Lab verified that Pegasus spyware breached Kouloglou’s iPhone in October 2022 and twice more in March 2023.
- The attacks used a zero‑click exploit targeting a flaw in Apple’s smart‑home code, which had been patched but not installed on the victim’s device.
- One EU lawmaker called the intrusion a “direct attack on the rule of law,” urging the European Commission to impose strict spyware limits.
- NSO Group, the Israeli firm behind Pegasus, has not commented, and the responsible government customer remains unidentified.
- Kouloglou plans to sue NSO Group, framing his public disclosure as a fight for democracy, human rights, and anti‑corruption.
Pegasus spyware hack of EU investigator raises red flags
It’s hard to ignore the irony of a committee probing Pegasus abuses being the next target. Kouloglou said in the original report that the compromise was “reckless.” He’s not just a victim; he’s a whistleblower who’s now forced to confront the very technology he’s been scrutinising. The timing, right before the PEGA committee’s anticipated draft report, suggests an intense focus on silencing or intimidating the investigation.
How the hack unfolded
Citizen Lab’s researchers traced the intrusion to a zero‑click bug that let Pegasus slip into Kouloglou’s iPhone without any interaction. The exploit abused a previously discovered flaw in Apple’s smart‑home software, letting the spyware siphon text messages, location data, photos, and even ambient audio while he was recovering from a scheduled surgery. The vulnerability had been patched by Apple, but Kouloglou’s phone hadn’t received the update, leaving a window open for the attacker.
First, in October 2022, the attackers injected Pegasus while Kouloglou was in the hospital. Then, on March 6 and 7, 2023, they struck again as he travelled from Athens to Brussels for committee hearings. Both attacks used the same Pegasus‑loaded email address that had been linked to earlier campaigns against European journalists, hinting that the same government client had authorization to wield NSO’s tool across multiple borders.
What Citizen Lab uncovered
In its Friday report, Citizen Lab refrained from naming the state behind the operation, but it did note that the reuse of the same attacking email address implies a consistent customer. The lab highlighted that the exploit required no user action—a “zero‑click” vector—making it especially dangerous for high‑profile targets who might assume their devices are safe if they keep their software up to date.
- Attack dates: October 2022 and March 2023.
- Vulnerability: Apple smart‑home code flaw, patched but not installed.
- Method: Zero‑click exploit, no user interaction needed.
- Target: EU Parliament PEGA committee member investigating Pegasus.
- Attacker email: Same address used in prior European journalist hacks.
Political fallout and calls for action
One serving European lawmaker labeled the intrusion a “direct attack on the rule of law,” and urged the European Commission to impose concrete limits on spyware use across the 27‑member bloc. The commission hasn’t responded to TechCrunch’s request for comment, and NSO Group declined to speak before the report’s publication.
That silence only fuels the perception that governments are willing to weaponise spyware against critics, even as they claim the tools are meant for serious crime investigations. The fact that the same email address was used in multiple campaigns suggests a pattern of state‑backed actors using Pegasus beyond any single jurisdiction.
“You realize that all of your personal data [was taken] — not all the professional exchanges or messages with ministers — but also the very private things, like the happy moments and the sad moments,” Kouloglou told TechCrunch.
Kouloglou’s anger is palpable. He said he doesn’t know why he was singled out, but he believes his work on the PEGA committee made him a target. “Corruption concerns everybody,” he added, underscoring his belief that the hack is part of a broader effort to intimidate those who shine a light on illicit surveillance.
Legal avenues and corporate response
Kouloglou plans to sue NSO Group, which has been largely barred from U.S. government use after a Biden‑era executive order prohibited spyware that could violate human rights. Last year, NSO disclosed that an unnamed American investment group funneled tens of millions of dollars into the company, likely to rehabilitate its tarnished brand after numerous abuse allegations.
Even with that funding, NSO’s silence on the Citizen Lab findings leaves a void. Without a clear accountability trail, developers and security teams are left to wonder how many other undisclosed victims might exist, especially among officials tasked with oversight.
Historical Context
Pegasus first entered public consciousness when investigative journalists linked it to a series of high‑profile intrusions across the globe. Those early reports described a tool that could infiltrate iOS and Android devices, extract encrypted messages, and activate microphones without a user’s knowledge. Over time, the same exploit chain re‑appeared in multiple campaigns, each time resurfacing after Apple or Google released patches. The pattern demonstrated a market where a single piece of software could be repurposed across borders, and where the same delivery address was often the breadcrumb left behind for analysts.
NSO Group’s business model has hinged on selling Pegasus to state actors under the premise of fighting crime. Critics have repeatedly highlighted that the same capability can be turned against journalists, activists, and opposition figures. The EU’s own internal investigations into Pegasus, embodied by the PEGA committee, represent a rare attempt to audit the technology from inside the political system. The October 2022 and March 2023 attacks on Kouloglou therefore sit at the intersection of a long‑standing controversy and a fresh push for oversight.
Competitive Landscape
While Pegasus dominates headlines, it isn’t the only surveillance platform on the market. Other vendors offer similar capabilities—remote code execution, data exfiltration, and covert audio capture. Those products often share a reliance on zero‑day vulnerabilities, meaning they all face the same patch‑race dynamic with platform owners. The reuse of a known attacker email address, as seen in Kouloglou’s case, indicates that multiple customers may be drawing from a shared pool of exploit contracts.
Governments that purchase such tools typically do so through opaque procurement channels. This opacity makes it difficult for civil‑society monitors to trace the chain of responsibility when an intrusion occurs. The EU’s call for stricter limits aims to bring transparency to a market that has traditionally operated behind closed doors.
What This Means For You
For developers building apps that handle sensitive data, the Pegasus episode is a stark reminder that even the most secure platforms can be compromised if users lag on updates. Embedding automatic update prompts and clearly communicating the security stakes can reduce the window of vulnerability.
For security professionals, the case underscores the need for continuous monitoring of emerging zero‑click exploits. Incorporating threat‑intelligence feeds that flag reused attacker email addresses can help you spot patterns before they turn into full‑blown breaches. And if you work in a regulated environment, you might want to push for stricter internal policies that enforce timely patching across the board.
Three concrete scenarios illustrate how the lessons apply today:
- Scenario 1 – Mobile banking app. A user delays the latest iOS security update. An attacker exploits the same smart‑home flaw to inject spyware, gaining access to transaction details and authentication tokens. The breach could be mitigated if the app forced an update check at each login.
- Scenario 2 – Cloud‑based collaboration suite. An organization’s security team receives an alert about a known phishing address appearing in inbound mail logs. By correlating that address with the one identified by Citizen Lab, the team blocks the malicious sender before any zero‑click payload reaches employee devices.
- Scenario 3 – Government procurement office. A procurement officer is tasked with evaluating surveillance contracts. Understanding that the same exploit chain can be licensed to multiple states informs a more cautious approach, prompting the officer to demand detailed audit logs and usage restrictions before signing any agreement.
Each example shows that the threat isn’t abstract; it can surface in everyday workflows. The key is to treat updates, threat intel, and policy compliance as non‑negotiable pillars of a strong defense.
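The correlation in Scenario 2, sketched as an added example (not code from TechCrunch, Citizen Lab, or any vendor): it joins Postfix-style log lines by queue ID and separates indicator mail that was delivered from mail that was rejected at the gateway. The log format, the indicator address, and the names `IOC_SENDERS` and `find_ioc_mail` are assumptions made for illustration.

```python
import re

# Assumption: indicator addresses come from a threat-intel feed. This value is
# a constructed placeholder, not the address from the Citizen Lab report.
IOC_SENDERS = {"updates@attacker.invalid"}

# Constructed sample lines in Postfix-style syslog format (not real traffic).
SAMPLE_LOG = """\
Mar  6 09:12:01 mx1 postfix/qmgr[811]: 4F1A2B3C: from=<Updates@Attacker.invalid>, size=20481, nrcpt=1 (queue active)
Mar  6 09:12:02 mx1 postfix/lmtp[902]: 4F1A2B3C: to=<mep.office@corp.example>, relay=mbox1, delay=0.4, status=sent (250 2.0.0 OK)
Mar  6 09:15:40 mx1 postfix/qmgr[811]: 7C9D0E1F: from=<newsletter@partner.example>, size=9120, nrcpt=1 (queue active)
Mar  6 09:15:41 mx1 postfix/lmtp[902]: 7C9D0E1F: to=<staff@corp.example>, relay=mbox1, delay=0.2, status=sent (250 2.0.0 OK)
Mar  7 18:03:10 mx1 postfix/smtpd[955]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 blocked; from=<updates@attacker.invalid> to=<analyst@corp.example> proto=ESMTP
"""

# Sender and recipient sit on separate lines that share a queue ID.
QUEUED = re.compile(
    r"^(\w{3}\s+\d+ [\d:]+) \S+ postfix/\w+\[\d+\]: ([0-9A-F]+): "
    r"(from|to)=<([^>]*)>(?:.*status=(\w+))?"
)
# Gateway rejections carry both addresses on a single line.
REJECT = re.compile(
    r"^(\w{3}\s+\d+ [\d:]+) .*NOQUEUE: reject:.*from=<([^>]*)> to=<([^>]*)>"
)

def find_ioc_mail(log_text, iocs=IOC_SENDERS):
    """Return {'delivered': [...], 'blocked': [...]} of (timestamp, recipient)."""
    iocs = {a.lower() for a in iocs}          # addresses compared case-insensitively
    sender_by_queue = {}
    hits = {"delivered": [], "blocked": []}
    for line in log_text.splitlines():
        m = REJECT.match(line)
        if m:
            ts, sender, rcpt = m.groups()
            if sender.lower() in iocs:
                hits["blocked"].append((ts, rcpt.lower()))
            continue
        m = QUEUED.match(line)
        if not m:
            continue
        ts, qid, field, addr, status = m.groups()
        if field == "from":
            sender_by_queue[qid] = addr.lower()
        elif status == "sent" and sender_by_queue.get(qid) in iocs:
            # Zero-click: delivery alone is the event to triage, so no
            # open or click signal is required for the recipient's device.
            hits["delivered"].append((ts, addr.lower()))
    return hits
```

Recipients in the `delivered` list are the ones whose devices warrant forensic review; `blocked` entries confirm the gateway rule is working.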
Key Questions Remaining
Even after the Citizen Lab report, several uncertainties linger. Who authorized the specific attacks against Kouloglou? Which government client holds the Pegasus license that enabled the zero‑click exploit? How many other EU officials might have been targeted using the same email address? Answers to those questions will shape the next round of legislative proposals and could drive the EU toward a unified spyware‑use framework.
Another open issue concerns the durability of patches. Apple’s smart‑home code flaw was patched, yet the victim’s device remained vulnerable because the update never installed. This raises a broader question: how can platform owners and enterprises enforce timely installation without infringing on user autonomy? Solutions may involve tighter integration between device management tools and operating‑system update mechanisms, but the balance between convenience and security remains a moving target.
Finally, the legal pathway for victims like Kouloglou is still being charted. The lawsuit against NSO Group will test how courts interpret cross‑border spyware usage, especially when the alleged perpetrator is a private firm operating under government contracts. The outcome could set precedent for future actions against surveillance vendors, influencing both corporate strategy and international law.
As the EU’s PEGA committee finalizes its report, the tech community watches for concrete policy shifts. Will the European Commission translate rhetorical condemnation into enforceable limits? Will member states adopt a shared registry of approved surveillance tools? The answers will determine whether the Pegasus episode remains an isolated breach or becomes a catalyst for systemic change.
Sources: TechCrunch, The Citizen Lab

