
Security researchers have confirmed that a European politician had his phone hacked with Pegasus spyware while participating in an investigative committee investigating abuses of the notorious surveillance tool. This has reignited a new debate about governments abusing spyware to gather information about their critics.
Researchers at The Citizen Lab, a digital rights unit at the University of Toronto, said the confirmed phone hacking of Greek journalist and former politician Stelios Kouloglou in 2022 and 2023 marks the first time a member of the European Parliament’s PEGA committee, which is tasked with investigating phone spyware attacks on European governments, has been publicly identified as a victim of spyware.
Kouloglou told TechCrunch in a phone call that deliberately damaging his phone was “reckless.” A European lawmaker described Kuroglou’s phone hacking as a “direct attack on the rule of law” and urged the European Commission to take concrete action, including severely limiting the use of spyware across the 27-member bloc.
Spyware attacks on members of Congress are rare, but the timing and targeting of the very spyware the committee investigators are investigating suggests they are focusing on the committee’s inner workings ahead of a report detailing the widely anticipated findings. The hack raised new questions about how the government used spyware ostensibly needed to identify serious crimes but was caught monitoring the communications of journalists, lawmakers and critics.
Researchers at Citizen Lab did not attribute the phone hacking to a specific country, but said government clients used the same Pegasus loading email addresses used in previous campaigns that hacked journalists’ phones across Europe. Although the customer’s identity is unknown, the reuse of the same attack email address suggests that the customer was authorized by NSO Group to use Pegasus spyware to snoop on phones in several European countries.
A European Commission spokesperson did not respond to TechCrunch’s request for comment. NSO Group also did not respond to a request for comment on the Citizen Lab report before publication.
Citizen Lab said in a report released Friday that Kouloglou was hacked at least twice, once in October 2022 and again in March 2023 using an exploit that compromised a security vulnerability in Apple iPhone software. The vulnerability has been patched, but the fix has not yet been installed on Kouloglou’s phone. This attack was a “zero click” bug. This means that spyware broke in and stole data without any user interaction.
The bug exploited a flaw previously discovered in Apple’s smart home software used on iPhones. This allowed the spyware to take personal data from Kouloglou’s phone, including text messages, other correspondence, location data, and photos, without Kouloglou’s knowledge.
The timing of the October 2022 hack coincides with intense debate over email and text messaging throughout October and November 2022, ahead of the delivery of a first draft outlining spyware abuses focused on Cyprus, Greece, Hungary, Poland and Spain.
The hack was also timed to the exact time Kouloglou was in the hospital for a pre-scheduled surgery, which may have allowed spyware operators to hear ambient audio discussing his health care or other conversations he had with visitors at the time.
Months later, on March 6 and 7, Citizen Lab revealed that Kouloglou’s phone was hacked again by the same Pegasus operator while he was traveling from Athens to Brussels during the committee hearing and several months before the committee finalized and adopted the draft written report.
Kouloglou told TechCrunch in a phone call that he didn’t know why he was specifically targeted but believed it was because he worked on a European Parliament committee investigating Pegasus abuses.
He said he was furious when he found out his phone had been hacked.
“You realize that all your personal data has been (taken away), not just every professional interaction or message you had with a minister, but even very private data like happy and sad moments,” he told TechCrunch.
Kouloglou said he plans to sue NSO Group, an Israel-based spyware manufacturer. NSO has been largely banned in the United States since a Biden-era executive order banning government use of spyware that could violate people’s human rights.
Last year, the spyware maker confirmed that an unnamed U.S. investment group had invested tens of millions of dollars into the company as part of an effort to rehabilitate the NSO brand, which has fallen into crisis over human rights abuses.
Kuloglou said he would go public with his story “for democracy, human rights and the fight against corruption.”
“Corruption is everyone’s concern,” he said.
If you purchase through links in our articles, we may receive a small commission. This does not affect our editorial independence.