Recent findings have unveiled that Stelios Kouloglou, a former Member of the European Parliament (MEP), experienced multiple breaches of his mobile device through the Pegasus spyware. These intrusions occurred while he was actively involved in a committee dedicated to investigating the misuse of commercial surveillance tools within the European Union.
Forensic examinations of Kouloglou’s device indicated that attackers potentially accessed confidential documents and committee discussions. The specific perpetrators remain unidentified, and there is no current evidence implicating the Greek government. However, overlaps have been noted between this incident and previous campaigns targeting Russian and Belarusian-speaking journalists and activists in Europe, suggesting that a Pegasus client with operations across multiple European nations may be responsible.
Kouloglou served on the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware from March 24, 2022, to July 18, 2023. This committee was established to scrutinize alleged abuses of commercial spyware under EU law, focusing on how member states and other countries might be employing such tools in ways that infringe upon regional rights and freedoms.
Analyses of Kouloglou’s iPhone in May 2026 revealed compromises on or around October 21, 2022, and again on March 6 and 7, 2023. The initial breach involved a lookup for a specific HomeKit email address, followed by Pegasus activity utilizing mobile data. It is believed that a zero-click exploit in Apple’s smart home software, known as PWNYOURHOME, facilitated the spyware’s delivery. Apple addressed this vulnerability in iOS 16.3.1. During both incidents, Kouloglou’s device was operating on iOS 15.5.
Further investigations showed that Kouloglou received threat notifications from Apple regarding mercenary spyware targeting on three occasions: March 2, 2023, August 29, 2023, and April 10, 2024. Notably, during the first breach, Kouloglou was hospitalized for elective surgery and was visited by Greek investigative journalist Thanasis Koukakis, who had previously testified before the committee and had his own phone compromised with Intellexa’s Predator spyware.
The second breach in March 2023 coincided with critical discussions related to the committee’s final drafting process and subsequent hearings, occurring two months before the adoption of the committee’s initial report. This marks the first public identification of a committee member being targeted by Pegasus spyware during their tenure.
The connection between Kouloglou’s case and the campaign targeting Russian and Belarusian-speaking journalists and activists is based on the use of the same email address, suggesting a common operator. Given NSO Group’s licensing practices, this implies that the client had authorization for operations across multiple EU jurisdictions, narrowing down potential Pegasus operators responsible for this incident.
These revelations underscore ongoing concerns about the deployment of spyware, originally marketed for combating serious crimes like terrorism and child exploitation, being used to monitor journalists, lawmakers, dissidents, and critics. The incident highlights the pressing need for stringent regulations and oversight to prevent the misuse of such powerful surveillance tools against individuals engaged in legitimate investigative and political activities.