Pegasus Spyware Deployed Against MEP Investigating Pegasus Abuses: Citizen Lab Exposes Surveillance of European Parliament’s Own Watchdog Committee

Jul 3, 2026 | Abuses of Power

Pegasus spyware MEP surveillance

In a revelation that cuts to the heart of democratic oversight, researchers at the Citizen Lab at the University of Toronto have confirmed that a member of the European Parliament was infected with NSO Group’s Pegasus spyware — while he was actively serving on the very committee created to investigate Pegasus abuses. The target was Stelios Kouloglou, a Greek television journalist-turned-lawmaker and member of the Syriza party, whose iPhone was compromised at least three times between October 2022 and March 2023. The timing of each infection, according to Citizen Lab, aligned directly with pivotal moments in the committee’s investigative work.

The Committee That Was Being Watched

The European Parliament established the PEGA Committee in March 2022, following the landmark publication of the Pegasus Project — a collaborative investigation by The Guardian and a consortium of media outlets that revealed how governments around the world were deploying Pegasus to surveil journalists, activists, politicians, and civil society figures. The committee’s mandate was explicit: to examine the scope of illegal spyware use within the European Union and to determine where EU law had been contravened.

Kouloglou joined the PEGA Committee in March 2022. According to Citizen Lab’s report, his mobile device was first infected approximately seven months later, on October 21, 2022 — a period the researchers described as a “particularly intense period of activity” in the committee’s deliberations, including the drafting of its first report. A second and third infection followed on March 6 and 7, 2023, precisely when PEGA was engaged in intensive discussions around the final drafting of its conclusions.

Citizen Lab confirmed this marks the first known instance of a PEGA Committee member being targeted with spyware. The infections were achieved through a vulnerability in Apple software that was not publicly known at the time of the attacks.

The Timing Is Not Incidental

The circumstances surrounding the October 2022 infection are particularly notable. Kouloglou was admitted to a hospital for elective surgery at the time. He was visited there by Thanasis Koukakis, a Greek investigative journalist who had been reporting on mercenary spyware in Greece in the wake of a major domestic scandal known as the “Greek Watergate” — a case involving the illegal surveillance of more than 80 individuals, including politicians, journalists, and military officials. Koukakis himself was among those targeted, and he had previously testified about his experience before the PEGA Committee.

The convergence of Kouloglou’s hospital visit, Koukakis’s presence, and the timing of the spyware infection raises questions that remain unanswered. Citizen Lab did not attribute the attacks to any specific government operator, stating only that the hacking campaign bore hallmarks of a previous operation targeting exiled Russian and Belarusian journalists in Europe.

Critically, Citizen Lab found no evidence suggesting the Greek government was responsible for the infections.

What Pegasus Can Access

Pegasus, developed and sold by Herzliya-based NSO Group, is not a conventional piece of surveillance software. Once installed on a target’s device, it grants its operator covert access to messages, photos, contacts, and the device’s camera and microphone. In the context of PEGA Committee work, the implications are severe. As Citizen Lab stated in its report, the infection “could have exposed strictly confidential exchanges among PEGA Committee members and their staff, and other sensitive and confidential parliamentary proceedings, including to parties under investigation by the Committee itself.”

Kouloglou received Apple threat notifications about the possible breaches — but only months after each incident. He formally requested that Citizen Lab conduct a forensic investigation of his phone in May of this year.

“When you realise your private life is scrutinised by very bad people, you become angry,” Kouloglou said in an interview with The Guardian. “It’s a big issue having to do with corruption, justice and democracy.”

Speaking to Reuters, he expressed a particular sense of disbelief at the brazenness of the operation. “I was not expecting that a PEGA member would be spied on by Pegasus,” he said. “I was not expecting that they would be as reckless as that.”

NSO Group’s Track Record and Legal Battles

NSO Group markets Pegasus as a legitimate law enforcement and intelligence tool designed to combat serious crime and terrorism. The company did not respond to requests for comment regarding the Citizen Lab report.

The company’s recent legal and regulatory history tells a different story. In 2021, the Biden administration blacklisted NSO Group, citing actions “contrary to the foreign policy and national security interests of the US.” Last year, a US judge barred NSO from targeting WhatsApp, finding that its software causes “direct harm.” Meta Platforms subsequently won a $168 million damages award against NSO — though the award was later significantly reduced. As recently as last month, Meta filed for a contempt order, accusing NSO of violating the court’s injunction against targeting its services.

The PEGA Committee’s Findings — And Their Fate

The PEGA Committee adopted its formal report on March 8, 2023. The document concluded that evidence existed of “degrees and forms of contravention and maladministration of EU law” in Poland, Hungary, and Greece. It identified deficits in the implementation of the EU Dual-use Regulation in Cyprus and called for reform in Spain. Perhaps most starkly, the report stated that “it can be safely assumed that all Member States have purchased or used one or more spyware systems.”

The committee called for common EU standards regulating the use of spyware by member state bodies, stronger enforcement of data protection law, and new European legislation requiring human rights and due diligence frameworks for companies that produce or export surveillance technologies.

Yet according to John Scott-Railton, a senior researcher at Citizen Lab, the committee’s recommendations have been “essentially ignored.” The European Parliament, in its response to Reuters, did not directly address Kouloglou’s case. It noted that IT security services “constantly monitor cybersecurity threats” and that spyware screening tools have been available to all lawmakers since 2022 — tools that, evidently, did not prevent the infections now documented.

Democratic Oversight in the Crosshairs

What the Citizen Lab report describes is a scenario in which the mechanism of democratic accountability — a formal parliamentary committee established explicitly to investigate illegal surveillance — was itself subjected to the same illegal surveillance it was tasked with exposing. Whether the intrusion was intended to monitor the committee’s deliberations, compromise its evidence, or simply intimidate its members, the effect on institutional integrity is the same.

Citizen Lab characterized the incident as highlighting “the serious threat that mercenary spyware poses to the integrity of democratic processes.” The language is measured, but the underlying reality it describes is significant: if the investigators can be surveilled by the very instruments they are investigating, the fundamental premise of oversight becomes compromised.

Kouloglou left the European Parliament in 2024. The PEGA Committee concluded its work. NSO Group continues to operate. And the Citizen Lab report, published July 3, 2026, adds one more documented case to a growing record of Pegasus deployments that cut across the line between law enforcement tool and political instrument.

This article draws on reporting from The Guardian, Al Jazeera, Reuters, and the European Parliamentary Research Service.

Related Posts