A European politician was helping investigate governments’ abuse of Pegasus spyware while his own iPhone was secretly infected with Pegasus during some of the committee’s most sensitive work.
Stelios Kouloglou is a Greek investigative journalist and former member of the European Parliament. In 2022, he joined the Parliament’s PEGA Committee, which was created to investigate the misuse of Pegasus and similar commercial spyware against journalists, activists, politicians, and other targets.
Citizen Lab examined his iPhone in May 2026 and found strong forensic evidence that it had been successfully infected:
• Around October 21, 2022 • Again on March 6 and 7, 2023
Those dates coincided with hearings, overseas investigative visits, and intense discussions surrounding the committee’s draft and final reports. The first infection happened about ten days before the committee traveled to Greece and Cyprus.
The attack appears to have used a zero-click exploit called PWNYOURHOME. It abused Apple services associated with HomeKit and Messages, meaning Kouloglou apparently did not need to click a link, download a file, or knowingly interact with the attacker.
Pegasus is not normal consumer malware. It is sophisticated commercial surveillance software developed by Israel-based NSO Group and sold to government customers. Once installed, spyware of this kind can potentially collect messages, photographs, contacts, browsing information, and other phone data, while also accessing microphones and cameras.
That means encrypted messaging is not necessarily enough. Signal, WhatsApp, and similar services may encrypt messages while they travel across the network, but the messages still appear in readable form on the phone. If the phone itself is compromised, the attacker may be able to observe information at the endpoint.
Citizen Lab believes the attacker could therefore have gained access to confidential committee communications and deliberations, including information about the investigation into spyware operators and government customers. However, the researchers cannot establish exactly which documents or conversations were actually collected.
Nobody has publicly identified who ordered the attack.
Citizen Lab specifically says it has no evidence that the Greek government carried it out. However, technical infrastructure from the October 2022 infection overlaps with an earlier Pegasus operation targeting Russian and Belarusian journalists and opposition activists living in Europe. The infections also occurred while Kouloglou was in Greece and Belgium, suggesting that the customer may have been authorized to operate across multiple European jurisdictions.
NSO Group maintains that its products are intended to help governments investigate terrorism and serious crime, but Pegasus has repeatedly been connected to surveillance of journalists, political opponents, activists, and public officials.
This was not merely a politician being surveilled. It was potentially espionage against the democratic body investigating the spyware industry itself.
It is similar to someone secretly wiretapping the congressional committee investigating illegal wiretapping. Whoever was behind it may have been watching the investigators, learning what they knew, identifying witnesses, and seeing what the committee planned to publish.
Citizen Lab says this is the first publicly identified case of an active PEGA Committee member being infected while serving on the committee. It is also calling for the other members and staff to have their devices forensically examined because nobody knows whether Kouloglou was the only target.
Another concerning detail is that Apple issued threat notifications associated with Kouloglou’s account in March 2023, August 2023, and April 2024, but he told researchers that he did not remember seeing them. Apple says these alerts are designed for the relatively small number of people targeted by sophisticated mercenary spyware operations.
The article diplomatically suggests that Russia was behind it. If I were to make a wild guess, in order to see if any of their other targets were discovered.
I don't understand why regular malware screening isn't mandatory for (important) government people. Glad he eventually sought it out though.
The story in one sentenceThe story in one sentence
A European politician was helping investigate governments’ abuse of Pegasus spyware while his own iPhone was secretly infected with Pegasus during some of the committee’s most sensitive work.
What happenedWhat happened
Stelios Kouloglou is a Greek investigative journalist and former member of the European Parliament. In 2022, he joined the Parliament’s PEGA Committee, which was created to investigate the misuse of Pegasus and similar commercial spyware against journalists, activists, politicians, and other targets.
Citizen Lab examined his iPhone in May 2026 and found strong forensic evidence that it had been successfully infected:
• Around October 21, 2022
• Again on March 6 and 7, 2023
Those dates coincided with hearings, overseas investigative visits, and intense discussions surrounding the committee’s draft and final reports. The first infection happened about ten days before the committee traveled to Greece and Cyprus.
The attack appears to have used a zero-click exploit called PWNYOURHOME. It abused Apple services associated with HomeKit and Messages, meaning Kouloglou apparently did not need to click a link, download a file, or knowingly interact with the attacker.
Why Pegasus is so seriousWhy Pegasus is so serious
Pegasus is not normal consumer malware. It is sophisticated commercial surveillance software developed by Israel-based NSO Group and sold to government customers. Once installed, spyware of this kind can potentially collect messages, photographs, contacts, browsing information, and other phone data, while also accessing microphones and cameras.
That means encrypted messaging is not necessarily enough. Signal, WhatsApp, and similar services may encrypt messages while they travel across the network, but the messages still appear in readable form on the phone. If the phone itself is compromised, the attacker may be able to observe information at the endpoint.
Citizen Lab believes the attacker could therefore have gained access to confidential committee communications and deliberations, including information about the investigation into spyware operators and government customers. However, the researchers cannot establish exactly which documents or conversations were actually collected.
The biggest unanswered questionThe biggest unanswered question
Nobody has publicly identified who ordered the attack.
Citizen Lab specifically says it has no evidence that the Greek government carried it out. However, technical infrastructure from the October 2022 infection overlaps with an earlier Pegasus operation targeting Russian and Belarusian journalists and opposition activists living in Europe. The infections also occurred while Kouloglou was in Greece and Belgium, suggesting that the customer may have been authorized to operate across multiple European jurisdictions.
NSO Group maintains that its products are intended to help governments investigate terrorism and serious crime, but Pegasus has repeatedly been connected to surveillance of journalists, political opponents, activists, and public officials.
The part that makes this story especially badThe part that makes this story especially bad
This was not merely a politician being surveilled. It was potentially espionage against the democratic body investigating the spyware industry itself.
It is similar to someone secretly wiretapping the congressional committee investigating illegal wiretapping. Whoever was behind it may have been watching the investigators, learning what they knew, identifying witnesses, and seeing what the committee planned to publish.
Citizen Lab says this is the first publicly identified case of an active PEGA Committee member being infected while serving on the committee. It is also calling for the other members and staff to have their devices forensically examined because nobody knows whether Kouloglou was the only target.
Another concerning detail is that Apple issued threat notifications associated with Kouloglou’s account in March 2023, August 2023, and April 2024, but he told researchers that he did not remember seeing them. Apple says these alerts are designed for the relatively small number of people targeted by sophisticated mercenary spyware operations.
The article diplomatically suggests that Russia was behind it. If I were to make a wild guess, in order to see if any of their other targets were discovered.
I don't understand why regular malware screening isn't mandatory for (important) government people. Glad he eventually sought it out though.