
EU's Pegasus Watchdog Was Itself Infiltrated by Pegasus

Citizen Lab confirms Greek MEP Stelios Kouloglou was hacked three times while serving on the Parliament's own PEGA committee investigating spyware abuse.

Key Takeaways

  - 3 Kouloglou infections confirmed: October 2022 and March 2023
  - 4 EU states named by PEGA: Poland, Hungary, Greece, Spain
  - $168M WhatsApp damages awarded: May 2025 US jury verdict against NSO Group
  - 0 binding EU spyware laws enacted by the Commission

The Infection That Compromised the Inquiry

On October 21, 2022, while Greek MEP Stelios Kouloglou was hospitalized for surgery, his iPhone was silently compromised. A specially crafted Apple HomeKit request — no tap, no link, no interaction required — triggered the PWNYOURHOME exploit chain, loading NSO Group's Pegasus spyware onto his device running iOS 15.5. Two months later, as he traveled from Athens to Brussels for committee hearings, his phone was infected again on March 6 and 7, 2023.

The timing was not incidental. Kouloglou was a substitute member of the European Parliament's PEGA Committee — the body Parliament established in March 2022 specifically to investigate how Pegasus had been deployed against journalists, politicians, and civil society across EU member states. He was hacked while the inquiry he sat on was building its case, ten days before the committee's planned fact-finding mission to Greece and Cyprus, and again during the final weeks of drafting its report.

Citizen Lab's forensic analysis, published July 3, 2026 as Report #194 from the University of Toronto, is the first publicly confirmed case of a PEGA committee member being hacked with Pegasus while actively serving on the committee.

What PWNYOURHOME Does

The exploit required zero interaction from Kouloglou. Citizen Lab identified the delivery mechanism: a HomeKit email lookup from the address rauharepo888@gmail.com, followed two minutes later by Pegasus process activity via Apple's MessagesBlastDoorService. Apple patched the underlying vulnerability in iOS 16.3.1. Apple sent Kouloglou threat notifications on March 2, 2023, August 29, 2023, and April 10, 2024 — none of which he connected to anything until Citizen Lab's forensic examination.
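The two-step sequence Citizen Lab describes (a HomeKit lookup from an unknown address, then BlastDoor process activity about two minutes later) is the kind of pattern a forensic reviewer can correlate from device records. The following is an added example, not code from Citizen Lab's report: it runs that correlation over constructed, simplified event records (not a real iOS log format) and checks whether a device's iOS version predates the 16.3.1 fix; the five-minute window and the known-contacts allowlist are assumptions.

```python
"""Correlate HomeKit lookups from unknown senders with BlastDoor activity
that follows shortly afterwards, and flag iOS builds older than the fix."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Set, Tuple


@dataclass
class Event:
    ts: datetime
    kind: str    # "homekit_lookup" or "process_start"
    detail: str  # sender address for lookups, process name for starts


# Constructed sample records, not an actual device log. The first pair mirrors
# the sequence the report describes; the second is a benign lookup from a contact.
SAMPLE_EVENTS = [
    Event(datetime(2022, 10, 21, 14, 2, 0), "homekit_lookup", "rauharepo888@gmail.com"),
    Event(datetime(2022, 10, 21, 14, 4, 0), "process_start", "MessagesBlastDoorService"),
    Event(datetime(2022, 10, 22, 9, 0, 0), "homekit_lookup", "family@example.com"),
    Event(datetime(2022, 10, 22, 9, 1, 0), "process_start", "MessagesBlastDoorService"),
]
KNOWN_CONTACTS = {"family@example.com"}  # assumed allowlist of the owner's contacts


def parse_ios_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def is_patched(ios_version: str, fixed_in: str = "16.3.1") -> bool:
    """True when the build is at or above the release Apple fixed the bug in."""
    return parse_ios_version(ios_version) >= parse_ios_version(fixed_in)


def suspicious_sequences(events: Iterable[Event], known_contacts: Set[str],
                         window: timedelta = timedelta(minutes=5)) -> List[Tuple[datetime, str, timedelta]]:
    """Return (lookup time, sender, delay) for each unknown-sender HomeKit lookup
    followed by MessagesBlastDoorService activity within the window."""
    ordered = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, lookup in enumerate(ordered):
        if lookup.kind != "homekit_lookup" or lookup.detail in known_contacts:
            continue
        for later in ordered[i + 1:]:
            if later.ts - lookup.ts > window:
                break
            if later.kind == "process_start" and later.detail == "MessagesBlastDoorService":
                hits.append((lookup.ts, lookup.detail, later.ts - lookup.ts))
                break
    return hits
```

A lookup from an unknown sender alone is not evidence of compromise; the value is in the tight temporal pairing with BlastDoor activity on a build that predates the fix.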

What Pegasus exfiltrates is effectively total: text messages, location history, photos, encrypted messaging content, and live microphone access. Kouloglou described it plainly: "all of your personal data... not all the professional exchanges... but also the very private things." Citizen Lab noted the infection "could have exposed strictly confidential exchanges among PEGA Committee members and their staff" — potentially to parties who were themselves under investigation by the committee.

Attribution: Open, but Telling

Citizen Lab explicitly declines to attribute the infections to any specific government, stating: "We are not attributing these infections to a particular government at this time, and found no indications that the Greek Government is responsible." Kouloglou himself suspects Greek involvement, but the report provides no supporting evidence for that conclusion.

What the report does establish is that the rauharepo888@gmail.com infrastructure overlaps with a May 2024 Pegasus campaign targeting Russian- and Belarusian-speaking journalists and activists in exile across Europe. This points to an operator authorized to deploy Pegasus across multiple EU jurisdictions — Pegasus licenses are country-specific, and infections occurred in at least Greece and Belgium.

The Policy Failure This Exposes

The PEGA Committee ran for fourteen months, from March 10, 2022 to May 8, 2023, when its 145-page final report was adopted. Its recommendations to the European Commission were specific and proportionate: strict legal conditions for authorizing spyware, mandatory judicial oversight, a clear EU-level definition of "national security," transparency reporting requirements, and minimum standards for commercial spyware. These were not bans — they were the kind of accountability architecture liberal democracies already apply to wiretapping and bulk data collection.

The Commission has enacted none of it. As of early 2025, no binding legislative proposal responding to PEGA's recommendations had materialized.

The strongest argument for the Commission's caution is real: national security is formally excluded from EU competence under the Treaties, and member states guard their intelligence tools fiercely. Any binding EU spyware framework would face immediate legal challenge from governments that have deployed these tools under domestic legal cover. That constraint deserves honest acknowledgment.

But it does not explain the absence of even the softer measures PEGA recommended — measures that require no Treaty change and no confrontation with member states: mandatory forensic screening for MEPs, operational security protocols for parliamentary staff, and a coordinated incident-response mechanism when EU institutions are targeted. The Parliament has authority over its own security. That none of this exists — confirmed by the infection of a sitting investigative committee member — is a governance failure, not a Treaty problem.

PEGA itself named four EU member states — Poland, Hungary, Greece, and Spain — for illegitimate spyware use. Getting the Commission to legislate against tools some member state governments actively deploy is structurally difficult. The Commission's silence is, to a significant degree, a political choice.

NSO Group's Unresolved Position

NSO Group occupies a peculiar regulatory space. The US Commerce Department placed it on the Entity List in November 2021, effectively barring American technology exports to the company. In May 2025, a jury awarded Meta $168 million in damages in the WhatsApp lawsuit over NSO's exploitation of a messaging vulnerability — the most significant legal accountability the company has faced. Israel, meanwhile, narrowed NSO's authorized export destinations significantly following US pressure and rejected court challenges seeking to revoke its export license entirely.

In October 2025, US-based investors acquired a controlling stake, with former US Ambassador to Israel David Friedman named Executive Chairman — a repositioning effort aimed at legitimizing NSO as a regulated security vendor. Whether that results in more accountable export controls, or simply gives the company better political cover in Washington, remains the open question.

What Proportionate Accountability Requires

Mercenary spyware has documented legitimate uses: disrupting narcotics networks, locating kidnapping victims, preventing terrorism. The debate should not be about whether these tools should exist. It should be about whether governments deploying them face meaningful authorization requirements, oversight, and consequences when they are used against protected democratic processes.

An MEP investigating Pegasus being infected with Pegasus — three times, across two EU jurisdictions, while actively building a case — is evidence that the current oversight gap has real costs. The appropriate institutional response is not another inquiry. It is mandatory device screening for MEPs working on sensitive matters, a clear protocol for EU-level investigation when legislators are targeted within EU territory, and enforceable minimum standards for spyware authorization tied to EU market access.

The committee investigated the infection. The infection returned the favor. The next step cannot also be just another investigation.

Sources & Citations

  1. Citizen Lab Report #194 — Kouloglou Pegasus Infection
  2. European Parliament Think Tank — What Action Has Parliament Taken Against Spyware Abuse?
  3. The Record — Pegasus spyware used against PEGA committee member
  4. The Record — Jury orders NSO Group to pay $168M over WhatsApp hack
  5. Digital Front Lines — EU Commission inaction on spyware regulation
  6. Middle East Eye — Israeli court rejects bid to revoke NSO export licence