Stelios Kouloglou, a Greek journalist and former European Parliament member, fell victim to a sophisticated spyware intrusion while investigating the very technology that compromised his device, according to research released by the University of Toronto's Citizen Lab on July 3. The Israeli-developed Pegasus system, manufactured by NSO Group, penetrated his iPhone on at least two separate occasions spanning 2022 and 2023, exposing his private communications, medical records, and journalistic sources to unknown actors.
The targeting of Kouloglou carries profound implications for cybersecurity governance across Europe and raises uncomfortable questions about the state's ability to protect its own officials investigating government surveillance abuses. At the time of the breaches, Kouloglou was actively engaged with the European Parliament's PEGA Committee, a body specifically established to examine and regulate the commercial surveillance technology trade, including NSO's controversial Pegasus platform. The committee's own investigation culminated in a 2023 report declaring that such surveillance systems represented a fundamental "threat to democracy and fundamental rights," yet the author of this very conclusion found himself targeted by the technology his committee sought to control.
Pegasus operates as one of the world's most intrusive mobile surveillance tools, ostensibly restricted to government and law enforcement use for counter-terrorism and serious criminal investigations. The technology's capabilities are formidable: it enables remote unauthorised access to smartphones, permitting comprehensive eavesdropping on calls and encrypted messages whilst duplicating all stored data. However, documented cases consistently reveal deployment against journalists, human rights activists, and political adversaries rather than genuine security threats. NSO Group has maintained that its clients bear responsibility for any misuse, though the company declined to comment on Kouloglou's case specifically.
The sophistication of the attack against Kouloglou underscores the asymmetric power dynamics characterising modern digital espionage. Citizen Lab identified that at least one successful intrusion employed what specialists term a "zero-click exploit," a method requiring no user interaction whatsoever. Targets receive no suspicious link, no phishing email, no opportunity to detect danger. The device is silently compromised through automated vulnerability exploitation, one of the most advanced and expensive hacking methodologies available. This technical sophistication suggests targeting by a well-resourced state actor rather than criminal operators.
Kouloglou himself remains uncertain which government orchestrated his compromise, though his phone contained highly sensitive material that would prove valuable to numerous state interests. Stored communications with Alexis Tsipras, Greece's former prime minister, alongside confidential medical information and lists of journalistic contacts, represented precisely the intelligence profiles that governments seek when targeting political figures and media professionals. His uncertainty reflects a broader challenge facing European officials: when governments deploy surveillance tools against their own continent's legislators, attribution often remains murky even after technical confirmation of compromise.
Citizen Lab's investigation unveiled additional targets linked to the entity responsible for Kouloglou's hacking, identifying seven independent journalists and opposition activists from Russian and Belarusian backgrounds who were similarly compromised. This pattern suggests coordinated targeting of Russian-speaking dissidents and critics of Moscow's governance, potentially indicating Russian state involvement, though Citizen Lab avoided definitive attribution. The clustering of targets suggests operational purpose beyond random opportunism.
Kouloglou's case represents an unprecedented violation of parliamentary oversight mechanisms. Previous spyware incidents had affected European lawmakers, including four Catalan parliamentarians between 2019 and 2020 and a French representative in 2023, yet none of these targets served on committees actively investigating NSO and its Pegasus system. The irony struck observers sharply: an investigator tasked with regulating surveillance weapons himself became a victim of precisely those weapons. John Scott-Railton, Citizen Lab's senior researcher, characterised this as "the ultimate irony of Europe's spyware crisis," emphasising that the PEGA Committee's substantive recommendations had been systematically ignored despite demonstrating exactly why stringent regulation was necessary.
The European Commission's response to mounting spyware crises has proven inadequate by many critics' assessment. Antoine Lomba, speaking for the Commission, affirmed that "any attempts to illegally access data of citizens, including journalists and political opponents, is unacceptable," yet acknowledged that solutions remained incomplete and fragmented across multiple legislative and non-legislative initiatives. This bureaucratic caution contrasts sharply with the urgency surrounding surveillance threats—governmental capacity to penetrate secure devices has far outpaced regulatory frameworks designed to constrain that capability.
Sophie in 't Veld, the Dutch former MEP who served as rapporteur for the PEGA Committee's investigation, characterised Kouloglou's targeting not as an isolated incident but as a manifestation of systematic governance failure. She highlighted five years of "complete impunity" for spyware abuses: zero consequences imposed on governments or NSO Group for documented misuse patterns. This accountability vacuum creates perverse incentives for continued surveillance deployment. If investigations trigger no sanctions, prosecutions, or commercial restrictions, then governments face negligible costs for deploying these tools against journalists and political opponents.
For Malaysian and Southeast Asian readers, the Kouloglou case illuminates risks inherent in surveillance technology proliferation across the region. Several governments in Southeast Asia have purchased or expressed interest in advanced surveillance capabilities, raising parallel concerns about deployment against dissidents and journalists. The European experience demonstrates that regulatory frameworks and committee investigations provide minimal protection when powerful actors decide surveillance serves their interests. Smaller democracies with weaker institutional constraints face even greater vulnerability to surveillance weaponisation than Europe's established systems. The technical sophistication enabling attacks on well-protected EU officials—zero-click exploits operating silently on encrypted devices—remains available to any government purchasing NSO's services.
The broader crisis reflects a fundamental misalignment between surveillance technology capabilities and existing governance structures. Governments initially justified Pegasus and similar systems as counter-terrorism tools targeting dangerous criminals. Yet predictably, once deployed, these capabilities serve political purposes. The targeting of Kouloglou whilst he investigated spyware regulation exemplifies this mission creep: surveillance intended for security became a weapon against democratic oversight. Until serious consequences (criminal liability for government officials, revocation of export licenses, substantial financial penalties) attach to documented misuse, the incentive structure favours continued surveillance deployment. Europe's institutions have proven capable of identifying the problem and proposing solutions, yet implementation remains stalled, leaving investigators and journalists fundamentally vulnerable to the very tools they attempt to regulate.
