background image blur
background image
  • Blog
    >
  • News
    >
  • The MEP Who Investigated Pegasus Was Hacked With It. That’s Not a Coincidence

The MEP Who Investigated Pegasus Was Hacked With It. That’s Not a Coincidence

Image of author
By Tech Writer and VPN Researcher Gintarė Mažonaitė
clock icon
Last updated: 3 July, 2026
An image of the binary code with the with word "spyware" in the middle

Key Takeaways

  • Researchers at Citizen Lab found that Pegasus spyware was used against Greek MEP Stelios Kouloglou while he was serving on the European Parliament's Pega committee, which was specifically established to investigate spyware abuses.
  • His device was first compromised in October 2022, during an intense period of Pega's deliberations, and hacked again in March 2023, while the committee was finalizing its report.
  • Citizen Lab couldn’t attribute the attacks to a specific government operator, but noted the campaign bore hallmarks of a previous hacking operation targeting exiled Russian and Belarusian journalists in Europe.
  • This is the first known instance of a Pega committee member being targeted with spyware, and the committee's recommendations have reportedly been largely ignored.

Researchers at the Citizen Lab at the University of Toronto have found that Pegasus spyware, made by Israeli firm NSO Group and sold to governments for the stated purpose of combating serious crime and terrorism, was used against Stelios Kouloglou, a Greek MEP who joined the European Parliament's Pega committee in March 2022. The Pega committee was established specifically to investigate how Pegasus and similar spyware tools were being used in ways that violated EU law.

Kouloglou's device was first infected in October 2022, during what Citizen Lab described as "a particularly intense period of activity" in the committee's work, including the drafting of its first report. His phone was compromised again in March the following year, while Pega was in intensive final deliberations on its conclusions. Citizen Lab said this marks the first confirmed instance of a Pega committee member being targeted with spyware. NSO Group did not respond to a request for comment.

Citizen Lab was unable to attribute the attacks to a specific government operator of Pegasus, but noted the campaign bore hallmarks of a previous operation targeting exiled Russian and Belarusian journalists based in Europe.

What Makes the Timing Significant

The dates here aren’t incidental. Kouloglou joined Pega in March 2022. His device was compromised seven months later, during a critical drafting period. It was hacked again during the committee's final report deliberations. The hacking in October 2022 also coincided with a hospital visit by Thanasis Koukakis, a Greek investigative journalist who had been illegally surveilled under Greece's "Greek Watergate" scandal and had testified before the Pega committee about his experience.

Whoever operated Pegasus against Kouloglou knew who he was, what he was working on, and when the most sensitive moments of that work were occurring. The precision of the timing is, in its own way, the most damning part of Citizen Lab's findings. This wasn’t opportunistic surveillance. It was targeted, timed, and aimed at the heart of the institution, trying to hold spyware abuse accountable.

We have written before about NSO Group's pattern of behavior, including its return to targeting WhatsApp users after years of legal pressure, and this case fits the same profile: a tool sold to governments under the banner of fighting crime, deployed against exactly the kind of people it was supposedly never meant to touch. Journalists. Activists. Politicians conducting democratic oversight. The gap between NSO's stated purpose and the documented reality of Pegasus deployments has never been narrower.

The Committee Investigated. The Recommendations Were Ignored

There’s a detail in this story that deserves more attention than it will probably receive. Citizen Lab senior researcher John Scott-Railton noted that the Pega committee's recommendations have "essentially been ignored." The committee was set up in 2022 after the Pegasus Project – the consortium investigation published by the Guardian and partner outlets – revealed systematic abuse of commercial spyware across Europe. It was investigated for two years. It produced a report. And the political institutions of the EU largely moved on.

Now we learn that the people conducting that investigation were themselves under surveillance while they worked. The implications aren’t subtle. If the investigators of spyware abuse can be hacked with the spyware they are investigating, and the results of their investigation can be shelved without consequence, then the oversight mechanisms that democratic institutions rely on to check surveillance abuse are not functioning. Not just inadequately — structurally not functioning.

This matters to anyone who uses the internet, communicates privately, or relies on the assumption that democratic governments are bound by law. Commercial spyware sold to government clients does not stay within the boundaries of its stated use cases. It never has. The Pegasus Project showed that. The Pega committee confirmed it. And now we know the committee itself was a target. At some point, the gap between what these tools are sold as and what they’re used for stops being a disclosure problem and starts being a democracy problem.


Share on
Facebook share Twitter share Reddit share Linkedin share

Be part of the resistance, quietly.

Get Mysterium VPN Arrow icon
awareness campaign banner img
Image of author
Gintarė Mažonaitė
Tech Writer and VPN Researcher

Gintarė is a cybersecurity writer at Mysterium VPN, where she explores online privacy, VPN technology, and the latest digital threats. With hands-on experience researching and writing about data protection and digital freedom, Gintarė makes complex security topics accessible and actionable.

Read more by this author
© Copyright 2026 UAB "MN Intelligence"