A Greek journalist and former European Parliament member became the first known victim of a targeted spyware attack while serving on the very EU committee tasked with investigating the technology's misuse. Stelios Kouloglou's iPhone was compromised by Pegasus, surveillance software manufactured by Israeli company NSO Group, on at least two separate occasions between 2022 and 2023, according to research released on July 3 by Citizen Lab, the University of Toronto's digital watchdog organisation.

The revelation exposes a troubling paradox at the heart of Europe's struggle to regulate surveillance technology. Kouloglou was actively participating in the European Parliament's PEGA Committee when his device fell victim to the same tool he was investigating. The committee, established to scrutinise NSO's Pegasus and other government-deployed surveillance systems, concluded in 2023 that such technologies represented a fundamental "threat to democracy and fundamental rights" and urged stricter European Union controls on their distribution and deployment. The committee's damning assessment made the targeting of one of its own members particularly striking, underscoring the scale of the spyware problem across the continent.

Kouloglou's compromised iPhone contained extraordinarily sensitive material, including private communications with Greece's former prime minister Alexis Tsipras, personal medical records, and confidential journalistic contacts developed over decades of news reporting. The breach therefore posed risks not merely to Kouloglou himself but potentially to his sources, medical providers, and former political collaborators. When interviewed about the incident, Kouloglou expressed frustration about his inability to identify which government had orchestrated the attack, though he committed to pursuing accountability. "I'll do my best to find out who is responsible," he stated, acknowledging the difficulty of attributing such sophisticated cyber operations to specific state actors.

Citizen Lab's investigation uncovered evidence suggesting that the same entity responsible for hacking Kouloglou had also targeted a network of seven independent journalists and political activists from Russia and Belarus who were based elsewhere in Europe. This pattern indicates a coordinated campaign rather than an isolated incident, pointing to systematic efforts to silence critical voices across the continent. The finding raises troubling questions about which state or states might be deploying Pegasus against European-based dissidents and opposition figures, though Citizen Lab stopped short of formal attribution.

The sophistication of the attack on Kouloglou's device warrants particular attention. In at least one of the two hacking incidents, NSO's spyware exploited what security researchers call a "zero-click" vulnerability—a method allowing silent compromise of a smartphone without requiring the victim to click any malicious link or interact with any suspicious content. These zero-click techniques are among the most advanced and expensive hacking methods available in the global cyber arsenal, typically deployed only by well-resourced intelligence agencies rather than criminal enterprises. The use of such sophisticated tools against Kouloglou suggests that powerful state-level actors viewed disrupting his committee work as sufficiently important to justify deploying their most advanced capabilities.

NSO Group, which manufactures and distributes Pegasus exclusively to governments and law enforcement agencies, maintains that its technology targets only terrorists and serious criminals. The company did not respond to requests for comment regarding Kouloglou's case. However, years of research and media investigation have repeatedly documented Pegasus deployments against journalists, human rights activists, and political opponents across dozens of countries. The gap between NSO's stated purpose and documented misuse has become a central concern for policymakers grappling with surveillance technology governance. The company's silence on Kouloglou's hacking suggests either an inability or unwillingness to account for how its most powerful clients deploy its products.

This case does not stand alone in recent European history. Several European Parliament members representing Catalonia fell victim to Pegasus attacks between 2019 and 2020, while a French legislator was targeted in 2023. However, Kouloglou's targeting carries unique significance precisely because it occurred while he actively served on the committee investigating the very technology that compromised his device. John Scott-Railton, a senior Citizen Lab researcher, described the situation as "the ultimate irony of Europe's spyware crisis," highlighting the apparent disconnect between investigative efforts and enforcement action. Scott-Railton argued that the European Commission must intensify countermeasures against spyware deployment across European territory.

The European Commission's response has proven measured but non-committal. Antoine Lomba, speaking for the Commission, stated that the institution was "working to address the illegal use of spyware from various angles of EU law" and declared that "any attempts to illegally access data of citizens, including journalists and political opponents, is unacceptable." Yet this forceful language contrasted sharply with vague commitments to address challenges "comprehensively" through both legislative and non-legislative mechanisms, without specifying concrete timelines or enforcement measures.

Sophie in 't Veld, a Dutch former MEP who served as rapporteur for the PEGA committee, offered a more damning assessment of Europe's institutional response. Rather than viewing Kouloglou's hacking as an anomaly, she characterised it as symptomatic of "a system" of coordinated attacks carried out with absolute impunity. "For five years now there has been complete impunity for the abuse of spyware," she stated, emphasising that "there have been absolutely zero consequences." Her observation points to a critical enforcement gap in European governance: investigations and reports generate recommendations, but without corresponding accountability mechanisms or punitive consequences, governments continue exploiting surveillance technology unchecked. The case thus illustrates not merely a technical security failure but a systemic governance failure, where the elaborate machinery of European parliamentary oversight has proven insufficient to deter state-level surveillance abuses.

For Southeast Asian observers, Kouloglou's experience carries profound implications. Many nations in the region have acquired or expressed interest in acquiring advanced surveillance capabilities, either from NSO Group or from competing providers offering similar technologies. The European experience demonstrates that without robust legal frameworks, transparent oversight mechanisms, and genuine enforcement consequences, surveillance tools marketed for counterterrorism and serious crime inevitably migrate toward political suppression and journalist targeting. As countries across ASEAN navigate questions about national security technology acquisition, the Greek MEP's compromised iPhone serves as a cautionary reminder that the most sophisticated surveillance systems pose inherent risks to democratic institutions and press freedom, regardless of the stated intentions of their purchasers.