The mobile phone of a Greek politician investigating the sale of surveillance technology to governments was compromised multiple times by the very spyware he was working to regulate, according to research released in early July. Stelios Kouloglou, a journalist and former member of the European Parliament, discovered that his iPhone had been repeatedly infected with Pegasus, an advanced monitoring tool manufactured by Israeli firm NSO Group, on at least two separate occasions spanning 2022 and 2023. The University of Toronto's Citizen Lab, a leading digital rights monitoring organisation, published findings detailing the compromise in what observers have characterised as a striking example of the contradictions underlying Europe's approach to digital surveillance.
Pegasus represents one of the world's most sophisticated commercial surveillance instruments, designed ostensibly to target high-level criminals and security threats. NSO Group maintains that it sells access exclusively to government and law enforcement customers, with strict safeguards intended to prevent misuse. Once deployed on a device, the spyware grants operators the ability to intercept phone conversations, access encrypted messaging applications, harvest stored data and photograph documents without the target's knowledge. The technology's architecture allows for what specialists call zero-click exploitation, meaning targets need not open suspicious links or attachments to become compromised. Instead, vulnerabilities in core phone systems enable infection to occur silently in the background.
However, research by Citizen Lab, investigative journalists and human rights organisations has consistently documented a troubling pattern: government clients repeatedly weaponise Pegasus against civil society rather than criminals. Journalists, pro-democracy activists, opposition politicians and lawyers have been targeted across multiple continents. The tool has become synonymous with democratic backsliding, particularly in countries with weak oversight mechanisms where political leaders use surveillance to monitor rivals and suppress dissent. This contradiction between stated purpose and documented application has sparked mounting controversy throughout Europe and beyond.
At the time his device was compromised, Kouloglou served on the European Parliament's PEGA Committee, a body specifically established to investigate and regulate the proliferation of NSO's Pegasus technology and related surveillance systems deployed by governments. The committee's mandate reflected growing alarm among EU legislators about the unchecked use of commercial spyware by member states and third countries. Their final report, completed in 2023, concluded that such technologies posed fundamental threats to democracy and human rights protection, recommending stricter EU regulations on manufacture, sale and deployment.
Kouloglou's device contained particularly sensitive material that would have interested any government seeking intelligence on his parliamentary activities. His communications with Alexis Tsipras, Greece's former prime minister, stored on the compromised phone, could have provided insights into opposition circles. Additionally, his private medical records and his documented contacts with journalists and sources created a comprehensive picture of his professional and personal life. The targeting thus represented far more than simple surveillance; it amounted to what specialists describe as political intelligence gathering against a legislator actively working to constrain state power.
The Citizen Lab analysis found that the same attacker who hacked Kouloglou's iPhone had also targeted a distinct group comprising seven independent journalists and opposition activists from Russia and Belarus based in European countries. This pattern suggested a coordinated campaign rather than isolated incidents, though investigators cannot definitively confirm which government or intelligence service directed the operations. Kouloglou himself remains uncertain about his attacker's identity, though he has pledged to pursue investigation into responsibility.
One particularly significant technical detail emerged from the forensic examination: at least one compromise of Kouloglou's iPhone employed zero-click exploitation methods, among the most sophisticated attack vectors known to cybersecurity specialists. Such techniques represent the cutting edge of digital intrusion capability and carry substantial financial and technical costs. Only well-resourced state actors typically possess the expertise and infrastructure to develop and deploy such methods, suggesting his attacker possessed capabilities usually associated with established intelligence services rather than casual operators.
The incident marks the first documented case of a serving PEGA committee member being targeted by Pegasus, though European parliamentarians have previously fallen victim to NSO's tools. Catalan legislators faced compromise between 2019 and 2020, and a French representative was targeted in 2023. These earlier cases pointed to a troubling trend of governments abusing commercial surveillance against political opponents, yet none involved someone actively investigating the very technology used against them.
John Scott-Railton, a senior researcher with Citizen Lab, characterised the targeting as emblematic of Europe's broader failure to enforce meaningful constraints on spyware abuse. He argued that the European Commission bore responsibility for this enforcement vacuum and must adopt decisive measures to counter unchecked surveillance across the continent. The case represents what he termed the "ultimate irony" of Europe's surveillance crisis: the person tasked with investigating Pegasus became infected by it, while the PEGA committee's recommendations languished without implementation.
European Commission spokesperson Antoine Lomba responded to the incident by emphasising the institution's stated commitment to combating illegal spyware use. The Commission described its position as unequivocal: any unauthorised access to citizens' data, particularly affecting journalists and political opponents, remains fundamentally unacceptable. However, Lomba acknowledged that addressing the challenge required comprehensive action across multiple regulatory domains, combining legislative measures with non-legislative tools. Critics contend this multi-faceted approach has yielded minimal practical results.
Sophie in 't Veld, a Dutch former European Parliament member who served as rapporteur for the PEGA committee, expressed concern that Kouloglou's targeting represented not an anomaly but rather part of a systematic pattern of abuse. She pointed to five years of complete impunity for spyware misuse, with zero meaningful consequences imposed on governments deploying these tools against protected individuals. Her assessment suggests that Europe's regulatory and political structures have proven incapable of translating concern into enforcement, leaving activists, journalists and legislators vulnerable to surveillance despite public commitments to democratic protection and human rights.
The case exposes a fundamental tension in contemporary European governance: while the continent has developed sophisticated oversight mechanisms and rhetorical commitments to digital rights protection, implementation remains inconsistent and enforcement largely absent. Kouloglou's compromise serves as a potent reminder that surveillance technology respects neither institutional position nor legislative mandate when political interests align to weaponise it. For Southeast Asian observers and policymakers considering their own approaches to surveillance regulation and digital governance, the European experience suggests that rules without enforcement prove worthless.
