European Parliament Member Investigating Spyware Was Hacked With Pegasus
Analysis of the Pegasus spyware attack on MEP Stelios Kouloglou and its implications for European democratic integrity and surveillance regulation.

This article is original editorial commentary written with AI assistance, based on publicly available reporting by The Hacker News. It is reviewed for accuracy and clarity before publication. See the original source linked below.
The revelation that Stelios Kouloglou, a former Member of the European Parliament (MEP), was targeted with Pegasus spyware marks a brazen escalation in the ongoing conflict between state-sponsored surveillance and democratic oversight. According to a forensic report by Citizen Lab, Kouloglou’s mobile device was repeatedly compromised during his tenure on the PEGA Committee—a body specifically established to investigate the illicit use of commercial spyware within the European Union. This incident is not merely a technical breach; it represents a direct assault on the legislative integrity of the EU, suggesting that those tasked with policing the surveillance industry are being silenced or monitored by the very tools they seek to regulate.
The context for this breach is rooted in a years-long global scandal involving NSO Group, the Israeli firm behind Pegasus. Since the 'Pegasus Project' disclosures in 2021, the software has been identified as a weapon of choice for autocratic regimes and, increasingly, European governments. Prior to Kouloglou, high-profile figures including French President Emmanuel Macron, Spanish Prime Minister Pedro Sánchez, and several Polish opposition figures were targeted. The PEGA Committee was formed as a defensive reaction to these intrusions, aiming to establish a framework for accountability in a market that has largely operated in the shadows of national security exemptions.
Technically, the Pegasus spyware remains one of the most sophisticated 'zero-click' threats in existence. It requires no interaction from the user, exploiting unknown vulnerabilities in mobile operating systems to gain total access to messages, emails, location data, and even the device’s microphone and camera. For a legislator like Kouloglou, this means every confidential conversation with whistleblowers, legal experts, and fellow MEPs was potentially transparent to the attackers. The mechanics of the hack underscore the asymmetric nature of modern espionage: while the EU debates policy and legal definitions, commercial actors provide turnkey solutions that render traditional privacy protections obsolete.
The industry implications of this hack are profound, signaling a breakdown in the norm that democratic representatives are off-limits for such intrusive measures. The incident highlights a glaring loophole in European law: while the EU has strict data protection rules (GDPR) for corporations, it lacks a unified, enforceable mechanism to prevent member states from using 'national security' labels to justify spying on political rivals or investigators. This creates a fragmented regulatory landscape where spyware companies can exploit legal gray zones, marketing their tools to internal security services with little fear of EU-wide repercussions.
Market-wise, the persistent use of Pegasus despite repeated condemnations suggests that the demand for commercial spyware remains inelastic. Despite NSO Group being blacklisted by the U.S. Department of Commerce, the company and its competitors continue to find receptive clients within the European bloc. This suggests that diplomatic pressure and economic sanctions are currently insufficient to curb the proliferation of these tools. The Kouloglou hack demonstrates that the spyware industry is not just a peripheral threat to activists in distant regimes, but a central component of European domestic politics.
Moving forward, the focus will shift to how the European Commission responds to this direct provocation. The PEGA Committee’s final recommendations called for a conditional moratorium on spyware use, but these have yet to be translated into binding legislation. Observers should watch for a potential showdown between the European Parliament and member states who are reluctant to cede control over their intelligence apparatuses. Furthermore, the development of new 'threat intelligence' cooperation between technology giants like Apple and Google and civil society labs will be critical in detecting these breaches faster. The Kouloglou case serves as a grim reminder that in the age of digital surveillance, the watchers are being watched, and the line between security and subversion has never been thinner.
Why it matters
- 01The targeting of an MEP investigating spyware proves that commercial surveillance is being used to undermine democratic oversight within the European Union.
- 02Persistent 'zero-click' vulnerabilities allow Pegasus to bypass standard security, making state-level actors nearly impossible to detect without specialized forensic audits.
- 03The incident exposes the inadequacy of current EU regulations, which allow member states to bypass privacy laws under the broad and often unchecked banner of national security.