Espionage Against the European Parliament


Espionage Against the European Parliament: Member of Committee Investigating Spyware Hacked with Pegasus - The Citizen Lab


Key Findings

Former Member of the European Parliament, Stelios Kouloglou, was repeatedly hacked with NSO Group’s Pegasus spyware while on the committee investigating Pegasus spyware abuses.

Kouloglou was infected during key periods of PEGA committee activity, and the spyware would have likely captured non-public information about committee activities, possibly breaching EU parliamentary confidentiality and privilege frameworks.

We are not attributing these infections to a particular government at this time, and found no indications that the Greek Government is responsible. Instead, we note an overlap between the first infection and a previously identified Pegasus campaign targeting Russian and Belarusian-speaking exiled journalists and activists in Europe, suggesting a Pegasus customer with authorization to spy in multiple European countries is responsible.

Background

Stelios Kouloglou is a prominent Greek investigative journalist who was elected as a Member of the European Parliament in 2015. He reported for Greek radio and TV from Paris (1983-84), Moscow (1989-93), and Yugoslavia (1992-95). He later founded and reported for Television Without Borders (TVXS) starting in 2008.

Figure 1: Greek journalist and MEP Stelios Kouloglou

Kouloglou was elected to the European Parliament as an independent on the Syriza party’s electoral list (affiliated with the Left). He was elected to the next parliamentary term in the 2019 European elections.

Kouloglou was a substitute member of the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA Committee) from March 24, 2022 to July 18, 2023. The PEGA Committee was established on March 10, 2022 following the 2021 publication of the Pegasus Project and other reporting which revealed European governments used spyware to surveil journalists, activists, politicians, and other citizens. Led by MEP Sophie in ‘t Veld, the PEGA Committee was tasked to investigate the scope of spyware usage in contravention of EU law, focusing on “Pegasus and equivalent surveillance spyware.”

While sitting as an MEP, Kouloglou continued to write opinion pieces and report for TVXS. He left the Syriza party in October 2023 and sat as an independent until the elections of June 2024, after which he served as a member of the New Left. His parliamentary term ended in July 2024.

Kouloglou Infected with Pegasus Spyware

In May 2026, Kouloglou contacted the Citizen Lab and we conducted a forensic analysis of artifacts from his iPhone. We found with high confidence that his device was successfully infected with Pegasus spyware on or around October 21, 2022, and again on March 6 and 7, 2023.

On 2022-10-21 10:16, there was a lookup for a HomeKit email address rauharepo888[@]gmail.com. Two minutes later, a Pegasus process used mobile data. We assess that the phone was hacked with the PWNYOURHOME zero-click exploit at this point. PWNYOURHOME appeared to first involve the attacker sending a specially crafted NSKeyedArchive that landed in HomeKit, followed by malicious content that landed in MessagesBlastDoorService. Apple mitigated the first issue with a change to HomeKit in iOS 16.3.1, though we assess that they fixed the MessagesBlastDoorService issue earlier, likely in iOS 16.1.
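The correlation described above, an indicator address lookup followed within minutes by data usage from an unexpected process, can be written as a triage check over a device timeline. This is an added example, not Citizen Lab's tooling: the event schema, process names, baseline set and 10-minute window are assumptions, and the timeline is constructed, reusing only the address and the 10:16 and 10:18 times from the report.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed timeline in an assumed normalized schema (not real device data).
# Only the indicator address and the 10:16 / 10:18 times come from the report;
# process names are placeholders.
TIMELINE = [
    {"ts": "2022-10-21 10:18", "kind": "process_data_usage", "value": "unlisted_proc_x"},
    {"ts": "2022-10-21 09:40", "kind": "process_data_usage", "value": "unlisted_early"},
    {"ts": "2022-10-21 10:16", "kind": "account_lookup", "value": "rauharepo888 [@]gmail.com"},
    {"ts": "2022-10-21 10:17", "kind": "process_data_usage", "value": "baseline_app_a"},
    {"ts": "2022-10-21 11:30", "kind": "process_data_usage", "value": "unlisted_late"},
    {"ts": "2022-10-21 10:20", "kind": "account_lookup", "value": "friend[@]example.org"},
]
INDICATORS = ["rauharepo888[@]gmail.com"]  # defanged, as quoted in the report
BASELINE = {"baseline_app_a"}              # assumed set of expected process names


def normalize(addr):
    """Undo common defanging so indicator and log values compare equal."""
    return addr.replace(" ", "").replace("[@]", "@").replace("[.]", ".").lower()


def correlate(timeline, indicators, baseline, window=timedelta(minutes=10)):
    """Return (lookup_time, process, usage_time) for data usage by a process
    outside `baseline` seen within `window` after an indicator lookup."""
    wanted = {normalize(i) for i in indicators}
    # Input may be unordered (merged from several artifacts), so sort first.
    events = sorted(timeline, key=lambda e: datetime.strptime(e["ts"], FMT))
    hits = []
    for i, ev in enumerate(events):
        if ev["kind"] != "account_lookup" or normalize(ev["value"]) not in wanted:
            continue
        start = datetime.strptime(ev["ts"], FMT)
        for later in events[i + 1:]:
            if datetime.strptime(later["ts"], FMT) - start > window:
                break  # sorted input: everything after this is out of range
            if later["kind"] == "process_data_usage" and later["value"] not in baseline:
                hits.append((ev["ts"], later["value"], later["ts"]))
    return hits


if __name__ == "__main__":
    for hit in correlate(TIMELINE, INDICATORS, BASELINE):
        print(hit)
```

A hit is a lead for manual review, not a finding: the report's assessment rests on identifying the process itself, which this sketch does not attempt.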

We additionally saw Pegasus activity on Kouloglou’s device between 2023-03-06 09:49 and 2023-03-07 07:30 that we assess is likely linked to the same exploit. On the 2022 and 2023 dates, we assess that the device was running iOS 15.5 (19F77).

These findings do not preclude the possibility of additional infections that we have been unable to capture due to limitations of available forensic data.

Apple Notifications

Further validating our finding of targeting, our forensic analysis shows Kouloglou received multiple Apple threat notifications about targeting with mercenary spyware on three occasions: March 2, 2023, August 29, 2023, and April 10, 2024. It is important to note that threat notifications from Apple and other companies are not real-time alerts. They are typically sent to users in batches, often months or more after targeting takes place.

Kouloglou reports to us that he did not recall receiving the Apple...
