Stelios Kouloglou, a Greek journalist and former European Parliament member, discovered that his iPhone fell victim to sophisticated spyware attacks on at least two separate occasions while he was actively investigating the very technology that compromised his device. The revelation, detailed in research released on July 3 by the University of Toronto's Citizen Lab digital watchdog organisation, underscores a troubling paradox at the heart of Europe's struggle with surveillance technology: those tasked with regulating it remain vulnerable to its abusive deployment.

The spyware in question, Pegasus, is manufactured by Israeli firm NSO Group, which maintains it sells the technology exclusively to governments and law enforcement agencies for legitimate counter-terrorism and criminal investigations. In practice, the system's capabilities are formidable—it permits remote intrusion into mobile devices to intercept calls, monitor encrypted messages, and extract stored data without a user's knowledge or consent. Yet across jurisdictions from the Middle East to Europe, evidence consistently demonstrates that such tools are weaponised against journalists, civil society activists, and political figures who pose inconvenience to those in power.

During the period when Kouloglou's phone was compromised, he served on the European Parliament's PEGA Committee, a body established specifically to scrutinise the proliferation and misuse of surveillance technologies including Pegasus. The committee's 2023 report concluded that such systems represent a fundamental "threat to democracy and fundamental rights," recommending stricter European Union regulations governing their sale and deployment within member states. The irony is stark: a legislator actively working to constrain surveillance abuse became a target of that very abuse, potentially exposing his communications with Greece's former Prime Minister Alexis Tsipras, confidential medical information, and sensitive journalistic sources.

Citizen Lab's technical analysis reveals that in at least one attack, the hacker employed a zero-click exploit—an exceptionally sophisticated method that silently infiltrates a device without requiring the victim to interact with malicious content. Such techniques rank among the most difficult and expensive cyber-intrusion methods available, suggesting that whoever targeted Kouloglou possessed significant technical resources and motivation. The research organisation has not identified which government entity may have orchestrated the attack, though Kouloglou himself has acknowledged uncertainty about his attacker's identity while committing to investigate the matter further.

The targeting extends beyond Kouloglou alone. Citizen Lab's investigation uncovered evidence that the same actor responsible for hacking the Greek politician also targeted approximately seven Russian and Belarusian-speaking journalists and opposition activists operating from European bases. This pattern suggests a coordinated campaign rather than an isolated incident, potentially indicating state-sponsored surveillance operations conducted within European territory against persons deemed politically inconvenient by authoritarian regimes.

While other European parliamentarians have previously fallen victim to Pegasus—four Catalan lawmakers between 2019 and 2020, and a French representative in 2023—Kouloglou's case carries particular significance as the first documented instance of a sitting PEGA committee member being compromised. The distinction matters because it transforms the abstract policy debate into concrete evidence of surveillance creep at the highest levels of EU governance. Those responsible for formulating responses to surveillance abuse are themselves being surveilled, yet possess limited recourse or protective mechanisms.

John Scott-Railton, a senior researcher at Citizen Lab, characterised the situation as "the ultimate irony of Europe's spyware crisis," highlighting the disconnect between investigative findings and institutional action. He stressed that the European Commission must substantially escalate its counter-surveillance efforts. Despite the PEGA Committee's detailed recommendations, Scott-Railton noted, no meaningful enforcement or implementation has followed, leaving Europe's spyware problem unaddressed and perpetrators unpunished.

The European Commission has responded with language emphasising its commitment to combating illegal data access and reiterating that such activities are "unacceptable." Antoine Lomba, a commission spokesperson, indicated that various EU legal frameworks are being mobilised to address the challenge, though he acknowledged the issue's complexity requires both legislative and non-legislative solutions. However, such statements ring hollow for observers like Sophie in 't Veld, the Dutch former MEP who served as rapporteur for the PEGA committee.

In 't Veld's assessment, Kouloglou's hacking represents not an anomaly but rather symptomatic of systemic abuse characterised by complete impunity. She pointed out that five years of documented spyware misuse have yielded zero consequences for perpetrators, with institutional actors remaining passive despite mounting evidence of rights violations. For her, the scandal lies not in the technology itself but in the deliberate inaction of those positioned to prevent its abuse—a damning indictment suggesting that without dramatic policy shifts, surveillance targeting of political and journalistic figures will continue unabated across Europe.

The case reverberates beyond European borders. Southeast Asian nations, including Malaysia, face similar pressures as governments worldwide procure sophisticated surveillance capabilities. The Kouloglou incident demonstrates that even advanced democracies with robust oversight institutions struggle to prevent spyware abuse. Developing democracies with weaker institutional safeguards face even greater vulnerability, raising urgent questions about how regional frameworks might better protect citizens and officials from transnational surveillance campaigns while maintaining legitimate security capabilities.