The irony cuts deep in European governance: a politician tasked with scrutinizing dangerous surveillance technology became a victim of that very tool. Stelios Kouloglou, a journalist-turned-European Parliament member, discovered his iPhone had been compromised by NSO Group's Pegasus spyware on multiple occasions while he served on the parliament's investigative committee examining the technology's proliferation across the continent. The University of Toronto's Citizen Lab released its findings on July 3, exposing a troubling vulnerability in democratic oversight mechanisms that are supposed to protect European citizens from unchecked surveillance.
Kouloglou's targeting represents a direct assault on the investigative work being conducted at the highest levels of European governance. At the time his device was compromised, he was actively contributing to the European Parliament's PEGA Committee, an initiative established to examine how NSO and similar vendors distribute surveillance capabilities to state actors. The committee's mandate had grown increasingly urgent following mounting evidence that governments routinely misuse such tools, diverting them from legitimate counter-terrorism operations toward political opponents and journalists. When the PEGA Committee concluded its work in 2023, it issued a stark assessment: these technologies represented a fundamental "threat to democracy and fundamental rights," necessitating stringent European Union regulations on their transfer and deployment.
The breach exposed far more than technical security failures. Kouloglou's compromised device contained sensitive communications with Alexis Tsipras, Greece's former prime minister, alongside private medical records and contact information for journalists and sources. The vulnerability wasn't merely a technical oversight—it represented a breach of political confidentiality and potentially privileged communications at the parliamentary level. The targeting demonstrated how spyware can penetrate the inner sanctum of democratic institutions, compromising the very people responsible for defending democratic principles against technological overreach.
What elevates this incident beyond typical cybersecurity concerns is the sophistication deployed against Kouloglou. Citizen Lab confirmed that at least one infiltration employed a zero-click exploit—an advanced hacking method that silently compromises a device without requiring the victim to interact with malicious content. These techniques represent the frontier of mobile device exploitation, rarely deployed against ordinary targets because of their complexity and cost. That such sophisticated capability was directed against a European politician investigating the spyware industry suggests either state-level resources or entities with exceptional technical sophistication and motivation to silence oversight efforts.
The mystery of attribution complicates accountability. Citizen Lab's analysis did not identify which government or actor deployed Pegasus against Kouloglou, leaving him uncertain about which authority may have targeted him. However, the researchers discovered that the same entity responsible for hacking the Greek politician had also targeted seven Russian and Belarusian-speaking independent journalists and opposition activists sheltering in Europe. The pattern suggests a coordinated campaign against those challenging authoritarian governance or examining state surveillance capabilities, which carries profound implications for regional security and press freedom across Eastern Europe and the Balkans.
Pegasus itself occupies a unique and troubling space in the global surveillance marketplace. NSO Group, the Israeli technology firm, markets the spyware exclusively to governments and law enforcement agencies, with stated purposes centered on counter-terrorism and serious criminal investigation. The company maintains strict contractual controls intended to prevent misuse. Yet this veneer of legitimacy obscures a consistent pattern of abuse documented by researchers, journalists, and civil society organizations. Governments across the world, from democracies to autocracies, have weaponized Pegasus against investigative journalists, human rights activists, opposition politicians, and democratic reformers—fundamentally inverting its stated purpose from protecting societies to threatening them.
Kouloglou's case represents a critical escalation in this pattern because it marks the first documented instance of a sitting PEGA Committee member becoming a surveillance target. While other European parliamentarians had previously been compromised, including four Catalan lawmakers between 2019 and 2020 and a French representative in 2023, none occupied a position of direct institutional responsibility for investigating NSO's activities. The targeting carries a chilling message: even those wielding official authority to constrain spyware abuse cannot shield themselves from its consequences. This vulnerability undermines the very legitimacy of European oversight efforts and demonstrates that committee membership provides no practical protection against determined surveillance actors.
John Scott-Railton, a senior analyst at Citizen Lab, characterized the situation as embodying "the ultimate irony of Europe's spyware crisis." He emphasized that European institutions have fundamentally failed to act despite comprehensive evidence of abuse. The PEGA Committee's carefully researched recommendations, developed following extensive investigation and compiled into formal parliamentary conclusions, have been systematically ignored by European decision-makers. The recommendations languished without implementation, leaving the regulatory environment virtually unchanged and the market for surveillance technology continuing unabated. This institutional paralysis, despite clear evidence of threats to democracy, reflects either insufficient political will or competing interests that prioritize security establishment prerogatives over fundamental rights.
European Commission responses, while acknowledging concern, reveal the glacial pace of institutional action. Antoine Lomba, representing the commission, stated that officials were "working to address the illegal use of spyware from various angles of EU law" and declared that any unauthorized access to citizen data was "unacceptable." Yet these statements, however well-intentioned, must be measured against the concrete absence of binding regulations, enforcement mechanisms, or consequences for abusing governments. The commission's reference to "some challenges" being addressed through legislation while others require "non-legislative tools" suggests a fragmented, insufficient approach to a comprehensive threat.
Sophie in 't Veld, the Dutch former MEP who served as rapporteur for the PEGA Committee, offered a more pessimistic assessment grounded in five years of observation. She characterized Kouloglou's targeting not as aberration but as manifestation of systemic abuse protected by complete institutional impunity. The absence of meaningful consequences for governments deploying spyware against journalists, activists, and opposition figures has created a permissive environment where such practices continue without restraint. Her statement—that "there have been absolutely zero consequences"—captures the fundamental governance failure underlying this crisis. European institutions possess the authority and technical capacity to regulate surveillance technology distribution, yet they have chosen inaction, allowing the abuse to persist and expand.
For Malaysia and Southeast Asia, Kouloglou's experience illuminates critical vulnerabilities in transnational surveillance architecture. NSO's spyware operates across borders, and if European parliamentarians cannot protect themselves, citizens in regions with weaker institutional safeguards face exponentially greater risk. The technology's availability to state actors, combined with minimal accountability mechanisms, creates conditions where surveillance capability concentrates in the hands of those least constrained by democratic norms. Southeast Asian governments' demonstrated interest in acquiring surveillance capabilities, alongside documented concerns about press freedom and political opposition, suggests that this technology poses acute risks to regional democracy and civil liberties.
The broader implications extend beyond individual victimization to encompass institutional trust and democratic functionality. When oversight mechanisms themselves become vulnerable to the technologies they investigate, confidence in democratic institutions erodes. Citizens and activists cannot reasonably advocate for rights or hold governments accountable if the infrastructure protecting political communication is compromised by the very authorities they seek to constrain. This dynamic creates cascading harm: surveillance chills speech, reduces accountability, concentrates power, and ultimately corrupts democratic processes. Until European and international institutions demonstrate genuine commitment to regulating surveillance technology rather than merely expressing concern, the vulnerability of figures like Kouloglou will persist as a symbol of institutional failure.
