TL;DR: Citizen Lab confirmed on July 3, 2026 that former Greek MEP Stelios Kouloglou was successfully infected with Pegasus spyware twice while serving as a substitute member of the European Parliament's PEGA Committee, the body investigating the use of Pegasus and equivalent mercenary spyware. The first infection hit on October 21, 2022, the second on March 6 to 7, 2023. The infections spanned Greece and Belgium. Citizen Lab is not attributing the infections to a specific NSO Group customer, and reports no indications that the Greek government is responsible. The same HomeKit infrastructure marker used in the 2022 hit also appeared in a Citizen Lab / Access Now May 2024 report on exiled Russian and Belarusian journalists in Europe. This is the first public identification of a PEGA Committee member hacked with Pegasus while serving on the committee.

The Pegasus Hit on a PEGA Member

Citizen Lab Report 194, published July 3, 2026, confirms that former Member of the European Parliament Stelios Kouloglou was "successfully infected with Pegasus spyware on or around October 21, 2022," and again "on or around March 6 and 7, 2023," while he was a substitute member of the PEGA Committee [1].

Kouloglou is a Greek investigative journalist who served in the European Parliament across three party affiliations: SYRIZA, then independent, then the New Left. He sat on the PEGA Committee, the European Parliament's Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware, as a substitute member from March 24, 2022 to July 18, 2023 [1]. The committee's rapporteur was Dutch MEP Sophie in 't Veld [1].

The forensic work was carried out by Citizen Lab, part of the Munk School of Global Affairs and Public Policy at the University of Toronto, in May 2026 after Kouloglou requested analysis of his iPhone, which was running iOS 15.5 (19F77) at the time [1]. The research team was John Scott-Railton, Bill Marczak, Bahr Abdul Razzak, Kate Pundyk, Siena Anstis, and Ron Deibert [1].

Pegasus is the mercenary spyware made by Israeli vendor NSO Group. Citizen Lab has been tracking its deployment against civil society for years, and Pegasus has been the subject of the very committee Kouloglou was sitting on.

Forensic Timeline: Two Infections, Two Cities

Citizen Lab's forensic reconstruction puts the first infection on October 21, 2022, at 10:16, when the iPhone looked up an email address, rauharepo888 [@] gmail.com, through HomeKit. Two minutes later, a Pegasus process used mobile data. Citizen Lab assesses the infection vector as the PWNYOURHOME zero-click exploit, in which a specially crafted NSKeyedArchive lands in HomeKit and is followed by malicious content delivered through MessagesBlastDoorService [1].
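The correlation described above, as an added example that is not Citizen Lab's tooling or code from the report: the script flags a HomeKit lookup of a published indicator address and any mobile-data use by an unrecognised process within a few minutes of it. The timeline format, the process names and the allowlist are constructed assumptions, not the output of any real forensic tool.

```python
from datetime import datetime, timedelta

# Indicator exactly as published (defanged) in the article.
INDICATORS = {"rauharepo888 [@] gmail.com"}
# Assumed allowlist of processes expected to use mobile data (hypothetical).
KNOWN_PROCESSES = {"MobileSafari", "apsd", "mediaserverd"}

# Constructed sample timeline: not real device data, not a real tool's format.
SAMPLE = """\
2022-10-21T10:02:11 datausage process=MobileSafari
2022-10-21T10:16:00 homekit lookup=rauharepo888@gmail.com
2022-10-21T10:18:00 datausage process=placeholder_unknown_proc
2022-10-21T11:40:00 datausage process=apsd
2022-10-22T09:00:00 homekit lookup=family.member@example.com
2022-10-22T09:01:00 datausage process=another_unknown_proc
"""

def refang(value):
    """Normalise a defanged or raw address so both forms compare equal."""
    return value.replace(" ", "").replace("[@]", "@").replace("[.]", ".").lower()

def parse(text):
    """Turn 'timestamp source key=value' lines into sorted event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, detail = line.split(maxsplit=2)
        key, _, value = detail.partition("=")
        events.append((datetime.fromisoformat(ts), source, key, value))
    return sorted(events)

def correlate(events, window=timedelta(minutes=5)):
    """Report each indicator lookup with unknown-process data use inside window."""
    wanted = {refang(i) for i in INDICATORS}
    hits = []
    for ts, source, _key, value in events:
        if source != "homekit" or refang(value) not in wanted:
            continue  # an unknown process alone is not tied to the indicator
        followers = [(t, v) for t, s, _k, v in events
                     if s == "datausage" and v not in KNOWN_PROCESSES
                     and ts <= t <= ts + window]
        # The lookup is reported even when nothing follows it in the window.
        hits.append({"lookup": ts, "address": refang(value), "followers": followers})
    return hits

if __name__ == "__main__":
    for hit in correlate(parse(SAMPLE)):
        print(hit["lookup"], hit["address"], hit["followers"])
```
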

Kouloglou was in a Greek hospital as a patient on the day of the first infection. Greek investigative journalist Thanasis Koukakis visited him there on October 21, 2022, the same day Citizen Lab places the infection. Koukakis was himself confirmed by Citizen Lab in March 2022 to have been targeted with Intellexa's Predator spyware, and testified to the PEGA Committee in September 2022 [1].

The second infection period, March 6 and 7, 2023, with Pegasus activity running from 09:49 on March 6 to 07:30 on March 7, was assessed by Citizen Lab as likely linked to the same PWNYOURHOME exploit [1]. Kouloglou traveled from Athens to Brussels and was in Brussels during that window. The device also received Apple threat notifications on March 2, 2023, August 29, 2023, and April 10, 2024. Kouloglou did not recall receiving any of them [1].

The infections therefore touched at least two EU jurisdictions: Greece and Belgium. Citizen Lab's read is that this suggests "a Pegasus customer with authorization to spy in multiple European countries" [1].

The Operator Trail

Citizen Lab does not attribute the infections to a specific NSO Group customer, and the report is explicit that it has "no indications that the Greek Government is responsible." Greece is not known to be an NSO Group customer, though Greece is known to have used Intellexa's Predator spyware [1].

The HomeKit email address rauharepo888 [@] gmail.com used in the 2022 infection also appeared in a Citizen Lab / Access Now joint report published in May 2024, which documented targeting of Russian and Belarusian-speaking exiled journalists and activists in Europe. Citizen Lab writes that "We believe that the same operator targeted both Kouloglou in 2022 and the targets we highlighted" in that earlier report. The March 2023 infection may involve the same or a different operator [1].

Kouloglou is not the first European Parliament member publicly identified as a Pegasus or Predator target. Catalan MEPs Diana Riba and Jordi Solé, MEP Clara Ponsatí, MEP Carles Puigdemont, MEP Antoni Comín, and Greek MEP Nikos Androulakis were previously identified as targets of Pegasus or Predator. French MEP Nathalie Loiseau was confirmed as targeted with Pegasus in February 2024, Bulgarian MEP Elena Yoncheva in late October 2023, and German MEP Daniel Freund as targeted with Candiru, announced May 2024. Kouloglou is the first PEGA Committee member publicly identified as hacked with Pegasus while serving on the committee [1].

Why This Matters: A Direct Hit on Democratic Oversight

Citizen Lab frames the infection as "a significant and troubling finding" because the PEGA Committee was the European Parliament's main institutional instrument for investigating spyware abuse across the EU, and a sitting member of that committee was hit with the very tool the committee was examining [1].

The timing compounds the problem. The October 21, 2022 infection coincided with the committee's work on its first draft report, its preparation of PEGA research visits to Cyprus and Greece in early November 2022, Kouloglou's own participation in those visits, and upcoming hearings on "Big Tech and Spyware," "Spyware and e-privacy," and spyware's impact on fundamental rights on October 26 to 27, 2022 [1]. The March 2023 infection period overlapped with PEGA hearings on a European Security Lab and the geopolitics of spyware, and with a LIBE Committee mission to Greece questioning the Director of the National Transparency Authority [1].

Citizen Lab's conclusion is that "the infection could have exposed strictly confidential exchanges," with the attackers gaining "access to confidential documents and committee deliberations" [1]. The report warns of a "seriously [sic] threat that mercenary spyware poses to the integrity of democratic processes" and the possibility of "breaching EU parliamentary confidentiality and privilege frameworks" [1].

What to Watch

Citizen Lab's recommendations are unusually specific, and they put the burden back on the European Parliament's own institutions [1]:

  • MEPs and PEGA staff should immediately seek forensic spyware screening via the Directorate-General for Information Technologies and Cybersecurity (DG ITEC), and enable Lockdown Mode on iPhones or Advanced Protect on Android.
  • The European Parliament should investigate spyware attacks on MEPs, commission an annual report on cyber and surveillance threats (potentially via the European Parliamentary Research Service, EPRS), expand DG ITEC screening, publish yearly statistics, and circulate guidance on state-sponsored attack warnings.
  • The European Commission should screen Commissioners and staff for spyware, with DG DIGIT building a comprehensive screening and response capability.
  • The Parliamentary Assembly of the Council of Europe (PACE) and its Directorate of Information Technology (DIT) should screen PACE members and staff.
  • National parliaments should adopt similar screening models.
  • Tech companies should improve the user experience of threat notifications so recipients notice and act on them. Apple sent Kouloglou three threat notifications. He did not remember receiving any of them.

The first public test will be whether the European Parliament treats the infection as a security incident worth a full institutional response, or files it next to the existing pile of Pegasus findings and moves on. Citizen Lab has put the receipts on the table: a member of the committee investigating spyware was hacked with spyware, and the operator used an infrastructure marker previously tied to targeting of exiled Russian and Belarusian journalists in Europe. The plausible reading is that an EU-jurisdiction Pegasus customer wanted to see what the committee was about to publish.

Sources

  1. Citizen Lab: "Member of Committee Investigating Spyware Hacked with Pegasus" (Report 194, July 3, 2026)