Stelios Kouloglou, a journalist and former European Parliament member, discovered his iPhone had been infiltrated by sophisticated Israeli-made spyware on multiple occasions while he was actively investigating the sale and misuse of such surveillance technologies. According to research published by the University of Toronto's Citizen Lab on July 3, the NSO Group's Pegasus spyware compromised Kouloglou's device at least twice between 2022 and 2023, creating a striking paradox: the investigator became the investigated subject.
The targeting of Kouloglou represents an unprecedented breach of institutional trust within European oversight mechanisms. At the time of the intrusions, he was serving on the European Parliament's PEGA Committee, the legislative body specifically tasked with examining the trade in surveillance technologies and their deployment by governments. His phone contained highly sensitive material including communications with Greece's former prime minister Alexis Tsipras, private medical records, and contacts from his work as a journalist. The breach exposed not merely an individual's privacy, but potentially compromised sources and confidential political communications at the highest levels.
Pegasus, manufactured by NSO Group, operates under the stated premise of targeting only terrorists and serious criminals. The technology enables authorities to remotely penetrate mobile devices and access private conversations, messages, and stored data without detection. However, extensive documentation by researchers and international media investigations has consistently shown governments weaponising Pegasus against journalists, human rights activists, and political opponents—fundamentally corrupting its original purpose. NSO Group declined to respond to inquiries about Kouloglou's case, maintaining its pattern of non-engagement with accountability questions.
The technical sophistication of the attacks against Kouloglou warrants particular attention. In at least one instance, the spyware employed what specialists term a zero-click exploit—a method that silently compromises a device without requiring the victim to click malicious links or take any action. Such techniques represent the cutting edge of mobile hacking, known for their complexity and cost. The deployment of zero-click methods against a European politician suggests significant resources and technical capability, indicators typically associated with state-level actors rather than ordinary criminals.
Kouloglou acknowledged uncertainty about which government orchestrated the hacking, stating he would pursue investigation into the perpetrator's identity. This uncertainty itself reflects a broader crisis in European cybersecurity governance. Despite possessing technical forensic capabilities, European authorities have struggled to attribute and prosecute spyware abuse. The absence of clear attribution mechanisms has emboldened those wielding these tools, creating an environment where governmental overreach proceeds with minimal consequence.
Citizen Lab's investigation uncovered additional evidence suggesting the same entity that targeted Kouloglou also hacked a network of seven Russian and Belarusian-speaking independent journalists and opposition activists based across Europe. This pattern indicates a coordinated campaign, likely targeting individuals perceived as threats to specific state interests. The clustering of attacks on media figures and political dissidents alongside a parliamentary investigator suggests spyware deployment has become a tool for suppressing scrutiny itself—attacking those documenting and constraining surveillance abuse.
While several European lawmakers have previously fallen victim to NSO spyware, including four Catalan parliamentarians between 2019 and 2020 and a French representative in 2023, Kouloglou's targeting carries exceptional symbolic weight. He represents the first known instance of a serving PEGA Committee member being compromised by the very surveillance apparatus his committee investigates. This inversion underscores the asymmetry confronting European institutions: legislative bodies attempt to regulate surveillance while governments wielding surveillance tools operate beyond institutional oversight.
The PEGA Committee's 2023 report reached unambiguous conclusions about the threat posed by unregulated surveillance technologies. The investigation determined such tools represent a fundamental danger to democratic institutions and human rights protections, and recommended stringent new regulations governing how surveillance technologies could be marketed and deployed within the European Union. Yet these recommendations have languished without implementation. John Scott-Railton, a senior Citizen Lab researcher, characterised the situation as the "ultimate irony of Europe's spyware crisis," noting that the committee's findings, despite institutional authority, have been systematically disregarded.
The European Commission's response to Kouloglou's hacking illustrates the structural paralysis afflicting European governance on this issue. Commission spokesperson Antoine Lomba issued carefully calibrated statements affirming the institution's opposition to illegal data access and commitment to "comprehensive" solutions. However, these pronouncements remain largely rhetorical. The Commission has pursued some legislative initiatives but relies substantially on non-legislative mechanisms that lack enforcement authority. This two-track approach—combining empty rhetoric with ineffectual measures—effectively permits continued surveillance abuse.
Sophie in 't Veld, a Dutch former MEP who served as rapporteur for the PEGA Committee, offered a more candid assessment of the institutional failure. She characterised Kouloglou's hacking not as an isolated incident but as symptomatic of systemic abuse enabled by absolute impunity. Across five years of documented Pegasus misuse, no government has faced meaningful consequences. No officials have been prosecuted, no budgets frozen, no licenses revoked. The absence of accountability has effectively signalled that surveillance abuse, regardless of documented evidence, will remain consequence-free.
For Malaysia and Southeast Asian readers, Kouloglou's experience illustrates a critical vulnerability within democratic frameworks globally. Surveillance technologies marketed as counter-terrorism tools consistently migrate toward political repression. The NSO Group's business model—exclusive sales to governments—creates incentive structures that reward expanding applications and regulatory evasion. Southeast Asian governments, some of which have reportedly acquired NSO products or comparable technologies, operate in contexts where democratic institutional checks remain weaker than in Europe. The absence of consequences for European government abuses creates precedent permitting similar overreach across the region without international consequences.
The Kouloglou case exposes the inadequacy of current regulatory frameworks in managing dual-use technologies with inherent surveillance capabilities. Effective governance requires attribution mechanisms allowing rapid identification of responsible actors, prosecution capacity reaching government officials, and enforcement mechanisms including technology trade sanctions. Until European institutions demonstrate capacity to enforce accountability standards against their own member states, the expansion of surveillance technologies across developing democracies will accelerate unchecked. The irony transcends Europe: investigating surveillance abuse has become dangerous precisely because governments deploying surveillance tools operate beyond institutional constraint.
