Espionage Against the European Parliament: PEGA Committee Member Targeted with Pegasus
Espionage Against the European Parliament: PEGA Committee Member Targeted with Pegasus
Pegasus Spyware Targeted PEGA Committee Member
Stelios Kouloglou, a former Member of the European Parliament (MEP) and substitute member of the PEGA Committee—the body tasked with investigating the use of Pegasus and equivalent surveillance spyware—was repeatedly infected with NSO Group’s Pegasus spyware. The infections occurred during critical periods of the committee’s activity, potentially exposing non-public information regarding EU parliamentary confidentiality and privilege frameworks.
Forensic Evidence of Infection
Forensic analysis conducted by the Citizen Lab in May 2026 on Kouloglou’s iPhone revealed high-confidence evidence of successful Pegasus infections on two separate occasions:
- October 21, 2022: The device was hacked using the PWNYOURHOME zero-click exploit, which targeted HomeKit. The analysis identified a lookup for the email address
rauharepo888 [@]gmail.comfollowed by Pegasus process activity. - March 6 and 7, 2023: A second infection occurred, likely linked to the same exploit, while Kouloglou was traveling from Athens to Brussels.
At the time of these infections, the device was running iOS 15.5. Additionally, Kouloglou received three Apple threat notifications regarding mercenary spyware targeting on March 2, 2023, August 29, 2023, and April 10, 2024, although he reported not recalling these alerts.
Correlation with PEGA Committee Activities
The timing of the infections aligns closely with high-stakes investigative work conducted by the PEGA Committee.
October 2022 Infection
The first infection on October 21, 2022, occurred just before a series of critical hearings on "Big Tech and Spyware" and "Spyware and e-privacy." It also coincided with the drafting of the committee’s first report, which focused on spyware allegations in Poland, Hungary, Greece, Cyprus, and Spain. Furthermore, the infection happened ten days before a scheduled research visit to Greece and Cyprus.
Notably, on the day of the first infection, Kouloglou was in a Greek hospital for elective surgery. This suggests that confidential medical information and private conversations in his hospital room may have been intercepted, potentially violating Greek laws concerning the confidentiality of health-related data.
March 2023 Infection
The second infection (March 6‣) occurred during intense final drafting processes for the PEGA report. Simultaneously, PEGA Rapporteur MEP Sophie in ’t Veld was in Greece as part of a LIBE Committee mission questioning Greek officials about the national spyware scandal.
Attribution and Operator Analysis
While the Citizen Lab has not attributed the attacks to a specific government, they have identified a technical link to a known operator. The HomeKit email used in the 2022 attack (rauharepo888 [@]gmail.com) matches a redacted Apple ID identified in a May 2024 report targeting Russian and Belarusian-speaking exiled journalists and activists in Europe.
Because the infections occurred across at least two European jurisdictions (Greece and Belgium), the operator likely possesses a license allowing surveillance in multiple EU countries. The Citizen Lab explicitly noted that there is no evidence suggesting the Greek government was responsible, as Greece is not known to be an NSO Group customer and has primarily used Intellexa’s Predator spyware.
Broader Implications for the European Parliament
This is the first documented case of a PEGA Committee member being infected with Pegasus while serving on the committee. Other MEPs have been targeted previously, including Catalan MEPs Diana Riba, Jordi Solé, and Carles Puigdemont, as well as French MEP Nathalie Loiseau and Bulgarian MEP Elena Yoncheva.
The breach suggests a systemic vulnerability within the European Parliament, where the surveillance of an investigator into spyware could expose the very proceedings intended to hold surveillance states accountable.
Recommendations for EU Institutions
To mitigate the risk of mercenary spyware, the Citizen Lab recommends the following actions:
- Immediate Screening: All MEPs and staff who participated in the PEGA Committee should undergo forensic screening via the Directorate-General for Information Technologies and Cybersecurity (DG ITEC).
- Enhanced Security Protocols: MEPs should enable "Lockdown mode" on iPhones and "Advanced Protect" on Android devices.
- Institutional Investigation: The European Parliament should launch a formal investigation into spyware attacks targeting its members and commission an annual report on cyber and surveillance threats.
- Expanded Screening Programs: DG ITEC should increase screening rates and publish yearly statistics on discoveries to identify patterns of targeting.