European Parliament Spyware Investigator Hacked With Pegasus
What happened
Citizen Lab reported that former Member of the European Parliament Stelios Kouloglou was repeatedly hacked with Pegasus spyware while serving on the European Parliament’s PEGA Committee, which was investigating the abuse of Pegasus and similar commercial surveillance tools in the European Union. Kouloglou served on the committee from March 2022 to July 2023, and researchers said the compromise could have exposed confidential documents and committee deliberations.
Forensic analysis of Kouloglou’s iPhone found Pegasus infections around October 21, 2022, and again on March 6 and 7, 2023. The October infection appears to have used PWNYOURHOME, a zero-click exploit in Apple’s smart home software, which Apple later addressed in iOS 16.3.1. Citizen Lab said the March activity appeared to use the same exploit, and Kouloglou’s device was running iOS 15.5 during both infection periods.
Kouloglou also received Apple mercenary spyware threat notifications in March 2023, August 2023, and April 2024. The timing of the infections was notable because the first occurred while he was hospitalized after being visited by Greek investigative journalist Thanasis Koukakis, a previous Predator spyware victim who had testified before the PEGA Committee. The March 2023 infection also coincided with the committee’s final drafting process before its first report was adopted.
Citizen Lab has not attributed the infections to a specific government and said there is no evidence that the Greek government was behind the activity. However, researchers found infrastructure overlap with an earlier Pegasus campaign targeting Russian- and Belarusian-speaking exiled journalists and activists in Europe, suggesting a Pegasus customer with authorization to conduct infections in multiple European countries may have been responsible.
Who is affected
Stelios Kouloglou was directly affected because his iPhone was repeatedly compromised while he was serving on a committee investigating commercial spyware abuse.
The broader risk extends to lawmakers, journalists, activists, dissidents, opposition figures, and investigators working on surveillance, spyware, human rights, and government accountability issues.
European institutions are also affected because the compromise may have exposed confidential documents and committee deliberations tied to a formal inquiry into spyware misuse.
Why CISOs should care
This incident shows how spyware can be used against the very people investigating spyware abuse. For security leaders, the case highlights the sensitivity of committee work, legal review, regulatory investigations, journalism, and civil society activity that may be targeted by commercial surveillance tools.
The zero-click nature of the suspected exploit is especially important. Users may not need to click a link, open a file, or approve a prompt for compromise to occur. That makes traditional awareness training insufficient for high-risk individuals.
The case also reinforces the importance of rapid mobile patching. Kouloglou’s device was running iOS 15.5 during the infections, while Apple later addressed the exploited issue in iOS 16.3.1. High-risk users need stronger controls around update enforcement, device monitoring, and threat notification response.
For CISOs supporting executives, board members, legal teams, public policy teams, journalists, or politically exposed staff, mobile devices should be treated as high-value endpoints that may face nation-state or commercial spyware targeting.
3 practical actions
Harden mobile security for high-risk users: Lawmakers, executives, journalists, activists, legal teams, and public policy staff should receive stronger mobile protections, including rapid OS updates, device hardening, reduced attack surface, and clear escalation processes for threat notifications.
Treat spyware alerts as serious incident triggers: Kouloglou received multiple Apple threat notifications. Organizations should have a process to preserve devices, engage mobile forensics expertise, review sensitive communications, and assess what documents or deliberations may have been exposed.
Limit sensitive work on personal mobile channels: Citizen Lab said attackers could have accessed confidential documents and committee deliberations. CISOs should reduce reliance on personal messaging, unmanaged cloud storage, and mobile-only workflows for highly sensitive investigations or governance work.