The irony of Europe's surveillance crisis came into sharp focus this week when a prominent Greek politician discovered his mobile phone had been repeatedly compromised by the very technology he was investigating. Stelios Kouloglou, a journalist and former member of the European Parliament, fell victim to NSO Group's Pegasus spyware on at least two separate occasions between 2022 and 2023 while working on a high-level parliamentary inquiry into surveillance tools, according to research published on July 3 by the University of Toronto's Citizen Lab watchdog.
The targeting represents an extraordinary breach of security affecting a senior European legislator actively scrutinising the misuse of state-sponsored hacking tools. At the time of the intrusions, Kouloglou was serving on the European Parliament's PEGA Committee, an investigative body specifically established to examine the commercial trade in surveillance technologies and their deployment by governments. His iPhone was compromised using sophisticated zero-click exploit techniques, meaning the device was infiltrated without requiring the user to interact with any malicious content—among the most advanced and costly hacking methods currently available.
Pegasus, manufactured by Israeli firm NSO Group, is marketed exclusively to governmental and law enforcement bodies as a counterterrorism and criminal investigation tool. The technology grants operators the ability to remotely penetrate smartphones and access protected communications, including phone conversations and encrypted messages, whilst also extracting stored data. However, extensive investigations by journalists and researchers have repeatedly documented how multiple governments have weaponised the platform against civil society targets, including press freedom advocates and political opposition figures, undermining its stated purpose.
Kouloglou disclosed that his compromised device contained sensitive communications with Greece's former prime minister Alexis Tsipras, confidential medical records, and contact information for journalists and sources. He stated he remains uncertain which government entity may have authorised the targeting but committed to pursuing accountability. Despite the investigation into his hacking, NSO Group declined to provide comment when approached by researchers and media organisations regarding the incident.
Citizen Lab's forensic analysis could not definitively identify which nation-state or agency deployed Pegasus against the Greek legislator. However, the researchers uncovered evidence linking the same attacker to a coordinated campaign targeting a network of seven independent journalists and opposition activists speaking Russian and Belarusian languages and based throughout Europe. The pattern suggests a systematic surveillance operation targeting multiple categories of individuals perceived as political or informational threats.
Kouloglou's victimisation carries particular significance because he represents the first confirmed case of an active PEGA Committee member being targeted with NSO technology—the very committee tasked with developing recommendations to curtail such abuses. The PEGA inquiry concluded in 2023 that surveillance platforms posed fundamental threats to democratic governance and human rights, and recommended stricter European Union regulations governing their purchase, deployment and oversight. Those recommendations have largely languished without implementation.
Previously, other European parliamentarians have experienced similar targeting. Four Catalan legislators were hacked between 2019 and 2020, whilst a French representative fell victim in 2023, each incident raising alarms about the inadequacy of protective measures for elected officials. Yet Kouloglou's case stands apart by occurring during active legislative work designed specifically to address these very vulnerabilities, creating what observers describe as a starkly emblematic failure of institutional safeguarding.
John Scott-Railton, a senior researcher with Citizen Lab, characterised the incident as exposing the profound inadequacy of European responses to proliferating spyware abuse. He argued that the European Commission, the EU's executive authority, has neglected to implement serious countermeasures despite mounting evidence of systematic targeting. Scott-Railton stated the situation represented "the ultimate irony of Europe's spyware crisis," noting that someone directly investigating Pegasus became infected by it while the institution responsible for responding has essentially ignored the committee's findings.
Sophie in 't Veld, a Dutch former MEP who served as rapporteur during the PEGA investigation, rejected characterisations of Kouloglou's hacking as an isolated security incident. Instead, she framed it within a broader pattern of continuous, unpunished surveillance abuse targeting civil society figures and political opponents across the continent. She pointed to five years of governmental impunity without meaningful consequences, describing a situation where national authorities and European institutions have effectively abandoned efforts to enforce existing protections or create new legal frameworks.
The European Commission responded to the revelations through a statement noting it was "working to address the illegal use of spyware from various angles of EU law." A spokesperson asserted the institution's position that "any attempts to illegally access data of citizens, including journalists and political opponents, is unacceptable." Yet the statement also acknowledged the complexity of enforcement, citing both legislative measures and unspecified non-legislative tools as components of the response—language that critics interpret as deflection from the absence of concrete enforcement mechanisms.
For Southeast Asian observers, the Kouloglou case carries implications extending beyond European governance. The widespread availability of sophisticated surveillance technology to any government with sufficient resources raises concerns applicable globally, particularly in regions where digital rights protections remain underdeveloped. Malaysia and neighbouring nations have faced mounting scrutiny regarding surveillance practices, making the European experience instructive regarding both the capabilities deployed against political figures and the challenges of establishing effective oversight frameworks.
The incident underscores how surveillance technology created with stated counterterrorism purposes becomes inevitably repurposed against democratic oversight mechanisms themselves. When legislators investigating such tools become their victims, institutional credibility erodes and public trust in democratic institutions faces corrosion. Unless the European Union translates committee recommendations into binding enforcement mechanisms with meaningful penalties for violating states, the pattern of impunity documented by in 't Veld and Scott-Railton appears likely to persist.
