European Parliament Member Investigating Spyware Hacked With Pegasus

A new report from Citizen Lab has revealed that former MEP Stelios Kouloglou’s mobile phone was repeatedly hacked with the infamous Pegasus spyware while he was serving on a committee tasked with investigating the misuse of commercial surveillance tools in the bloc.
“Through careful analysis of his device, we found that the attackers were able to access confidential documents and committee discussions,” said Citizen Lab researchers John Scott-Railton, Bill Marczak, Bahr Abdul Razzak, Kate Pundyk, Siena Anstis and Ron Deibert.
The infection has not been attributed to a specific government at this time, and there is no evidence that the Greek government was responsible for the operation. However, the Canada-based interdisciplinary research laboratory noted that it identified overlaps between the first infection and a previous campaign targeting exiled Russian- and Belarusian-speaking journalists and activists in Europe.
This indicates that a Pegasus customer sanctioned to spy in several European countries may be responsible for the attempt, Citizen Lab added.
Kouloglou was a member of the “Committee of Inquiry of the European Parliament to investigate the use of Pegasus and similar surveillance spyware” from March 24, 2022, to July 18, 2023. The PEGA Committee was established on March 10, 2022, to investigate allegations of misuse of EU law, provide specific information on that misuse, and examine the extent to which member states and other countries use these instruments to violate the rights and freedoms of the region.
Citizen Lab said a forensic analysis of artifacts collected from his iPhone in May 2026 found it was compromised with Pegasus spyware on October 21, 2022, and again on March 6 and 7, 2023.
“On 2022-10-21 10:16, there was a check for HomeKit email address rauharepo888[@]gmail.com. Two minutes later, the Pegasus process used mobile data,” the researchers explained. It was assessed that a zero-click exploit codenamed PWNYOURHOME, which targets Apple’s smart home software, was used to deliver the spyware. The issue was addressed by Apple in iOS 16.3.1.
The next Pegasus infection, observed in March 2023, is said to have used the same exploit. On both occasions, Kouloglou’s device was running iOS 15.5. Further analysis of the phone revealed that Kouloglou received Apple’s threat notifications about being targeted by mercenary spyware three times: March 2, 2023, August 29, 2023, and April 10, 2024.
Interestingly, the first time Kouloglou’s phone was hacked, he had been admitted to the hospital for special surgery and was visited by the Greek investigative journalist Thanasis Koukakis, whose own phone had been compromised with Intellexa’s Predator spyware and who had testified before the PEGA Committee the previous month.
The timing of the second infection in March 2023 is also important, as it coincided with intense discussions related to the final draft process, followed by a series of PEGA hearings. The incident took place two months before the adoption of the first report of the PEGA Committee.
This development marks the first time that a member of the PEGA Committee has been publicly identified as a victim of Pegasus spyware while serving on the committee.
The connection between Kouloglou’s case and the campaign targeting Russian- and Belarusian-speaking freelance journalists and European-based opposition activists is based on the use of the same email address, “rauharepo888[@]gmail.com.”
“Based on our understanding of the Pegasus infection infrastructure at this time, we believe these emails are unique to certain users,” Citizen Lab said. “We cannot say whether the second infection in 2023 is linked to this operator, or another operator.”
“Based on what we know about NSO Group’s license, this may indicate that the customer has a license that allows infections in many EU jurisdictions, narrowing down the list of Pegasus users who may be liable in this case.”
These findings raise new concerns about the way governments use spyware, ostensibly intended to combat serious crimes such as terrorism and child sexual abuse, to monitor the communications of journalists, lawmakers, opponents and critics.
The development comes days after Citizen Lab revealed that Russian authorities used Cellebrite’s UFED forensics tools to access the iPhone of jailed opposition activist Andrey Pivovarov in June 2021, three months after Cellebrite announced it would stop providing its tools and services to Russia and Belarus.
“Authorities searched Pivovarov’s resources to find important organizations and contacts, as well as senior opposition figures,” Citizen Lab said. “Search terms included Mikhail Khodorkovsky, founder of Open Russia, Anastasiya Burakova, then Open Russia’s human rights lawyer and currently head of a prominent anti-war group, and former Open Russia coordinator and Pivovarov’s associate, Tatiana Usmanova.”
Some of these people, including Burakova, were later targeted in a phishing campaign organized by a Russian hacking group known as COLDRIVER, raising the possibility that the use of Cellebrite’s tools could have helped further the investigation and allowed for further identification and surveillance of other dissidents abroad.
Back in April, Citizen Lab also revealed two separate, long-running surveillance campaigns exploiting well-known weaknesses in the global telecommunications infrastructure to track people’s locations. Notably, these attacks do not require the deployment of malware, making them stealthy and difficult to detect.
One of the two campaigns involved sending a special type of text message with hidden SMS commands to target locations in an attempt to “turn the device into a tracking beacon,” the report said. The second campaign relied on a weakness in the Signaling System No. 7 (SS7) and Diameter signaling protocols to track a person’s location without needing access to their devices.
The two campaigns are said to have targeted three telecommunications providers, namely 019Mobile, Airtel Jersey (part of the Sure Group), and Tango Networks UK, which act as “monitoring and transit points within the telecommunications ecosystem” and “allow traffic to pass through reliable signaling connections while providing access to malicious actors hiding behind their infrastructure.”
“Both actors used custom surveillance tools to spoof user identities, exploit signing protocols, and redirect traffic to specific network paths to evade protections and masking,” the digital rights group said.
“The findings reveal how suspected commercial vendors (CSVs) are exploiting the global telecom interconnect ecosystem, growing the networks of private operators, and conducting covert location tracking operations that can go undetected for years.”



