Former Greek Member of the European Parliament Stelios Kouloglou was hacked with Pegasus spyware while serving on the European Parliament committee set up to investigate that exact technology, according to a new forensic report from the Citizen Lab, the University of Toronto research group that studies digital surveillance.
The finding marks the first time a member of the PEGA committee has been publicly identified as a Pegasus victim while the committee was doing its work. PEGA, short for the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware, was created by the European Parliament in March 2022 to examine how EU governments deployed such tools against journalists, activists, and politicians.
Kouloglou, a longtime investigative journalist before his election to the European Parliament in 2015, sat on the committee as a substitute member from March 2022 to July 2023. He was elected on the ticket of Syriza, and later served as an independent and then with the New Left grouping before his term ended in July 2024.
What the analysis found
Kouloglou contacted the Citizen Lab in May 2026, and researchers examined data pulled from his iPhone. They concluded with high confidence that the device was infected on or around Oct. 21, 2022, and again on March 6 and 7, 2023.
Both intrusions used what is known as a zero-click attack, meaning the target does not need to tap a link or open a file for the phone to be compromised. Once installed, Pegasus, developed by the Israeli firm NSO Group, gives an operator near-total access to a device, including messages, calls, photos, and the ability to switch on the camera and microphone.
The report notes that the analysis cannot rule out further infections that forensic limits may have prevented investigators from detecting.
Why the timing matters
Both infection dates coincided with sensitive moments in the committee’s work. The October 2022 hack came days before a cluster of PEGA hearings and while a draft of the committee’s first report was circulating among members and their staff, largely over text and email. It also fell just before committee members traveled to Greece and Cyprus, two countries at the center of Europe’s spyware scandals. Kouloglou helped plan and took part in those visits.
By the researchers’ assessment, the spyware could have captured non-public information about the committee’s activities, potentially breaching the European Parliament’s confidentiality and privilege rules. That access, the report warns, could have extended to material concerning the very parties the committee was investigating.
The second infection, in March 2023, landed as the committee worked on its final report and while Kouloglou was traveling from Athens to Brussels.
There is also a personal detail to the first hack. On Oct. 21, 2022, Kouloglou was in a Greek hospital for elective surgery, where he was visited by Greek investigative journalist Thanasis Koukakis, himself a confirmed target of Predator, another spyware tool whose abuse in Greece triggered an investigation and an uproar. The Citizen Lab notes that because the infection occurred in a hospital, confidential medical information could also have been exposed.
Kouloglou’s device received Apple threat notifications about mercenary spyware on three occasions, in March 2023, August 2023, and April 2024. He told the Citizen Lab he did not recall receiving them. Such alerts, the report stresses, are typically sent in batches months after the fact, not in real time.
No government blamed
The Citizen Lab is not attributing the hacking to any specific government or NSO client. Crucially, it found no indication that the Greek government was responsible, and it noted there are no reports that Greece has ever been a Pegasus customer. Instead, the report points to an overlap between the first infection and an earlier Pegasus campaign that targeted Russian and Belarusian-speaking exiled journalists and activists in Europe. A HomeKit email address used in the attack on Kouloglou matched one identified in that earlier operation, which the researchers believe indicates a single operator with a license to conduct surveillance across multiple European countries. Traces of infection appeared on his phone in at least two jurisdictions, Greece and Belgium.
The Greek government has been embroiled in a scandal involving the Predator software, a rival spyware tool. An Athens court convicted four private individuals of illegal surveillance in that matter, attributing the wrongdoing to private actors rather than the state. They have appealed the verdict.
Reaction and next steps
Kouloglou has expressed his shock after finding out he has been a victim of illegal surveillance and called it unthinkable that a member of a committee investigating these practices would himself be targeted. He said he intends to pursue legal action against NSO Group and anyone responsible, and to raise the matter again in the European Parliament.
The Citizen Lab is urging EU institutions to open immediate investigations and calling on former PEGA members and their staff to seek forensic screening of their devices. Short of a comprehensive sweep, the report says, there is no way to know how many other committee members may have been compromised.