There is a certain irony in spending months examining spyware abuses, only to learn that your own phone was secretly doing the same job for someone else…
That is exactly what happened to former Member of the European Parliament Stelios Kouloglou. On 3 July, the Citizen Lab announced that forensic analysis of his iPhone found he had been infected with NSO Group’s Pegasus spyware while serving on the European Parliament’s PEGA Committee. The committee had one job. It was investigating the use of Pegasus and other surveillance tools across Europe.
The Citizen Lab wrote, “We found that former Member of the European Parliament Stelios Kouloglou was hacked with Pegasus spyware while serving on the PEGA committee, which investigated Pegasus and other spyware abuses in Europe. Through forensic analysis of his device, we found that the attackers could have had access to confidential documents and committee deliberations.”
What Did Investigators Find On His Phone?
Kouloglou contacted the Citizen Lab in May 2026 and asked researchers to examine his iPhone. Their forensic investigation found, with high confidence, that the device was successfully infected around 21 October 2022 and again on 6 and 7 March 2023.
Researchers said those infections happened during busy periods for the PEGA Committee. Hearings were about to begin, draft reports were circulating among members and staff, and committee discussions were taking place through emails and text messages.
The report explains, “Kouloglou confirms that the first infection date (October 21, 2022) coincided with a period of intense discussion and exchange that primarily took place over text messages and email.”
Citizen Lab also found evidence that Kouloglou received Apple threat notifications on three occasions. Those arrived on 2 March 2023, 29 August 2023 and 10 April 2024. Apple sends those alerts well after suspicious activity has happened. According to the report, Kouloglou told researchers, “Kouloglou reports to us that he did not recall receiving the Apple notifications we observed.”
Why Is The Timing Here So Important To Take Note Of?
The first known infection came as the committee prepared hearings on Big Tech, spyware, e-privacy and fundamental rights. Members were also preparing the committee’s first draft report, which examined spyware allegations involving Poland, Hungary, Greece, Cyprus and Spain.
Ten days after the first infection, PEGA members travelled to Greece and Cyprus for research visits and Kouloglou helped organise those visits and joined the delegation.
The second infection happened on 6 and 7 March 2023, when Kouloglou travelled from Athens to Brussels during another busy period of committee work. According to the Citizen Lab, “According to Kouloglou, during this time frame, the PEGA committee was engaged in intense discussions related to the final drafting process.”
Researchers say access to the phone during those periods could have exposed confidential parliamentary discussions. Their report says, “Whichever entity is responsible for the hacking, the infection could have exposed strictly confidential exchanges among PEGA Committee members and their staff, and other sensitive and confidential parliamentary proceedings, including to parties under investigation by the Committee itself.”
Do We Who Was Responsible For This Yet?
That question does not have an answer yet, as Citizen Lab says it is not attributing the attacks to any government and found no indication that the Greek government carried them out. Researchers instead noticed an overlap with an earlier Pegasus campaign that targeted Russian and Belarusian speaking journalists and opposition activists living in Europe.
The report says, “We are not attributing these infections to a particular government at this time, and found no indications that the Greek Government is responsible.”
Researchers also found that one email address used during Kouloglou’s infection matched infrastructure identified in an earlier Pegasus investigation. They believe the same operator was responsible for the first infection, although they cannot say if the second infection involved that operator or another one.




