EU Spyware Investigator Hacked with Pegasus in Brazen Attack

7/4/2026
Pegasus spyware, NSO Group, European Parliament, Citizen Lab

Irony and Espionage: A Spyware Investigator Hacked by Spyware

In a development that underscores the escalating threat of commercial spyware to democratic institutions, researchers at the University of Toronto's Citizen Lab have confirmed that a member of the European Parliament's committee investigating spyware abuses was himself hacked with NSO Group's Pegasus spyware. The finding, published on July 3, 2026, marks the first time a member of the PEGA committee has been publicly identified as a victim of the very technology they were tasked with investigating.

Former MEP Stelios Kouloglou, a Greek journalist and politician who served as a substitute member of the PEGA committee from March 2022 to July 2023, had his iPhone infected with Pegasus on at least three occasions. The infections occurred on October 21, 2022, and again on March 6 and 7, 2023, during critical periods of the committee's work, including the drafting of its final report on spyware abuses across Europe.

How the Attack Unfolded

Citizen Lab's forensic analysis of Kouloglou's iPhone revealed that the first infection on October 21, 2022, used a zero-click exploit chain known as PWNYOURHOME. The chain involved a specially crafted NSKeyedArchive that landed in Apple's HomeKit framework, followed by malicious content targeting the MessagesBlastDoorService. Apple mitigated the HomeKit issue in iOS 16.3.1, but the MessagesBlastDoorService fix likely arrived earlier in iOS 16.1. At the time of infection, Kouloglou's device was running iOS 15.5.

The second wave of infections occurred on March 6 and 7, 2023, using the same exploit chain. Researchers assess with high confidence that both infections were successful, though they note that additional infections may have occurred that could not be captured due to limitations in the available forensic data.

Timing and Context of the Attacks

The first infection on October 21, 2022, occurred while Kouloglou was hospitalized for elective surgery in Greece. He was visited that day by investigative journalist Thanasis Koukakis, who had himself been targeted with Intellexa's Predator spyware and had testified before the PEGA committee. The timing is particularly significant: it came just days before a series of critical PEGA hearings and as the committee was preparing its first draft report, which was published on November 8, 2022.

The second infection period on March 6-7, 2023, coincided with Kouloglou's travel from Athens to Brussels for intense committee deliberations. During this time, PEGA rapporteur Sophie in 't Veld was in Greece on a related mission with the LIBE committee, questioning officials about the Greek spyware scandal. The infections occurred approximately two months before the committee adopted its first report on May 8, 2023.

Attribution and the Russian-Belarusian Connection

While Citizen Lab has not attributed the attacks to a specific government, they have identified a critical link. The same unique Apple ID email address—rauharepo888@gmail.com—used in the HomeKit exploit against Kouloglou was also used in a previously identified Pegasus campaign targeting seven Russian and Belarusian-speaking independent journalists and opposition activists based in Europe. This overlap strongly suggests the same Pegasus operator was responsible.

Researchers note that the infections occurred in at least two European jurisdictions—Greece and Belgium—which would require an NSO customer with a license enabling operations across multiple EU countries. This narrows the list of potential operators. Notably, the Citizen Lab found no evidence implicating the Greek government, which is known to have used Intellexa's Predator spyware but not NSO's Pegasus.

Political Fallout and Institutional Response

The revelation has sparked outrage across the European Parliament. Belgian Green MEP Saskia Bricmont, a member of the PEGA committee, called the attack "a direct attack on the rule of law." Hannah Neumann, another Green MEP who served on the committee, told WIRED: "They did not only target an MEP, they spied on the investigation into spyware abuse itself. That shows the whole absurdity of the situation."

The European Parliament's spokeswoman, Delphine Colard, stated that the institution's services "constantly monitor cybersecurity threats" and noted that a spyware detection system has been available to all EU lawmakers since 2022. However, the case has raised serious questions about the effectiveness of these measures. John Scott-Railton, a senior researcher at Citizen Lab, warned: "It's open spyware season on Europe's lawmakers. The European Parliament, national parliaments, nobody is prepared."

Technical Analysis and Attribution

The forensic analysis revealed that the first infection on October 21, 2022, used a zero-click exploit chain. A lookup for the HomeKit email address rauharepo888@gmail.com was followed two minutes later by Pegasus process activity using mobile data. The same email address was previously identified in a May 2024 joint report by Citizen Lab and Access Now, which detailed a campaign targeting seven Russian and Belarusian-speaking independent journalists and opposition activists based in Europe.

While the researchers have not attributed the attacks to a specific government, they note that the operator likely had a license enabling infections in multiple EU jurisdictions, narrowing the field of potential NSO customers. Importantly, the Citizen Lab found no evidence implicating the Greek government, which is known to have used Intellexa's Predator spyware but not NSO's Pegasus.

Broader Implications for European Democracy

The case has reignited debate about the regulation of commercial spyware in Europe. Despite the PEGA committee's recommendations, which included calls for stricter export controls and independent oversight, little concrete action has been taken. MEP Saskia Bricmont, a member of the PEGA committee, told WIRED: "The use of spyware not only violates the fundamental rights of the individuals concerned, but in this case also threatens the security and integrity of parliamentary work and of the European Parliament as a whole. It is a direct attack on the rule of law."

Kouloglou himself expressed anger upon learning of the hack, telling TechCrunch: "You realize that all of your personal data [was taken] — not all the professional exchanges or messages with ministers — but also the very private things, like the happy moments and the sad moments." He contacted Citizen Lab in May 2026 after receiving multiple Apple threat notifications, which he had not initially noticed.

Institutional Response and Recommendations

The European Parliament has defended its cybersecurity posture, with spokeswoman Delphine Colard stating that a spyware detection system has been available to all lawmakers since 2022. However, the case has exposed significant gaps in protection. Citizen Lab's report includes several urgent recommendations:

  • Immediate screening of all PEGA committee members and their staff for spyware infections.
  • Annual threat reports on cyber and surveillance threats to the Parliament.
  • Mandatory reporting of state-sponsored attack warnings from companies like Apple and Google.
  • Expanded screening to include European Commissioners and their staff, as well as members of the Parliamentary Assembly of the Council of Europe.

Why This Matters

This case represents a profound breach of parliamentary privilege and democratic process. The PEGA committee was established in March 2022 following the Pegasus Project revelations, which showed that European governments had used spyware to surveil journalists, activists, and politicians. The committee's work was intended to hold governments accountable and recommend safeguards against such abuses.

As Hannah Neumann, a Green MEP who served on the committee, told WIRED: "They did not only target an MEP, they spied on the investigation into spyware abuse itself. That shows the whole absurdity of the situation." The attack on Kouloglou's device could have exposed non-public committee deliberations, confidential documents, and communications with witnesses—potentially compromising the integrity of the entire investigation.

Technical and Operational Details

The forensic analysis revealed that the first infection on October 21, 2022, used a zero-click exploit chain. A lookup for the HomeKit email address rauharepo888@gmail.com was followed two minutes later by Pegasus process activity using mobile data. The same email address was used in a previously identified campaign targeting Russian and Belarusian-speaking exiles, strongly suggesting a common operator.
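The correlation described above (an indicator account lookup followed shortly by network activity from an unexpected process) can be expressed as a simple timeline check. The following is an added example, not Citizen Lab's tooling or code from the report; the timeline format, process names, baseline list and five-minute window are all assumptions, and only the email indicator comes from the article.

```python
from datetime import datetime, timedelta

# Indicator quoted in the article; every other value here is constructed.
INDICATOR_ACCOUNTS = {"rauharepo888@gmail.com"}
# Hypothetical baseline of process names expected to use data on the device.
KNOWN_PROCESSES = {"apsd", "mediaserverd"}
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed timeline rows: (timestamp, event kind, detail, interface).
SAMPLE_TIMELINE = [
    ("2030-01-01T09:58:10", "data_usage", "apsd", "wifi"),
    ("2030-01-01T10:14:00", "account_lookup", "rauharepo888@gmail.com", None),
    ("2030-01-01T10:15:20", "data_usage", "mediaserverd", "cellular"),
    ("2030-01-01T10:16:00", "data_usage", "placeholder_proc_a", "cellular"),
    ("2030-01-01T13:40:00", "data_usage", "placeholder_proc_b", "cellular"),
    ("2030-01-02T08:00:00", "account_lookup", "contact@example.org", None),
    ("2030-01-02T08:01:00", "data_usage", "placeholder_proc_c", "cellular"),
    ("2030-01-03T07:00:00", "account_lookup", "rauharepo888@gmail.com", None),
]

def correlate(timeline, window=WINDOW):
    """Return (findings, unconfirmed): lookups of an indicator account that
    are followed within `window` by data usage from a non-baseline process,
    and indicator lookups with no such follow-up (possible targeting where
    the later activity was not captured)."""
    events = sorted(
        ((datetime.fromisoformat(t), k, d, i) for t, k, d, i in timeline),
        key=lambda e: e[0],
    )
    findings, unconfirmed = [], []
    for ts, kind, account, _ in events:
        if kind != "account_lookup" or account.lower() not in INDICATOR_ACCOUNTS:
            continue
        hits = [
            {"account": account, "process": proc, "interface": iface,
             "gap_seconds": int((pts - ts).total_seconds())}
            for pts, pkind, proc, iface in events
            if pkind == "data_usage" and proc not in KNOWN_PROCESSES
            and timedelta(0) <= pts - ts <= window
        ]
        if hits:
            findings.extend(hits)
        else:
            unconfirmed.append(ts.isoformat())
    return findings, unconfirmed

if __name__ == "__main__":
    found, pending = correlate(SAMPLE_TIMELINE)
    print(found, pending)
```

Indicator lookups with no follow-up activity are reported separately rather than dropped, since the article notes that some infections may not be recoverable from the available forensic data.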

Kouloglou received multiple Apple threat notifications about mercenary spyware targeting on March 2, 2023, August 29, 2023, and April 10, 2024. However, he did not recall receiving these alerts, highlighting a critical gap in how such warnings are communicated and acted upon. Citizen Lab notes that Apple's notifications are not real-time and are often sent in batches months after the actual targeting.

Broader Implications and Institutional Response

The case has exposed the vulnerability of European democratic institutions to commercial spyware. The PEGA committee's recommendations, which included calls for binding measures to ban illegal spyware use, have largely been ignored. MEP Saskia Bricmont urged the European Commission to "take binding measures to ban the illegal use of spyware in Europe."

Kouloglou, who left the European Parliament in July 2024, told TechCrunch that he felt a deep sense of violation upon learning of the hack. "You realize that all of your personal data [was taken] — not all the professional exchanges or messages with ministers — but also the very private things, like the happy moments and the sad moments," he said.

The European Parliament has defended its cybersecurity posture, with spokeswoman Delphine Colard stating that a spyware detection system has been available to all lawmakers since 2022. However, Citizen Lab's report suggests that this capability is underused and that comprehensive screening of all PEGA committee members is urgently needed. The researchers also recommend that the European Commission and national parliaments implement similar screening programs.

What Comes Next

Citizen Lab's report includes a series of recommendations for EU institutions, including immediate forensic screening of all PEGA committee members and their staff, annual threat reports, and mandatory reporting of state-sponsored attack warnings. The researchers also urge tech companies to improve the effectiveness of their threat notifications, noting that Kouloglou received multiple Apple alerts that he did not notice.

As John Scott-Railton of Citizen Lab warned: "This case is the ultimate irony of Europe's spyware crisis. Someone on the very committee tasked with investigating Pegasus gets infected by it. And what has happened since? The parliament looks the other way when new European spyware abuses emerge. I can tell you how the next chapter will go: more hacked parliamentarians."