The Hunter Became the Hunted: A Lawmaker Investigating Pegasus Spyware Was Hacked — Twice

The Hunter Became the Hunted: A Lawmaker Investigating Pegasus Spyware Was Hacked — Twice

SpywarePegasusEuropean ParliamentNSOCybersecurityPrivacy

Sources:HN + Citizen Lab + web research · HN

On July 3, 2026, the University of Toronto’s Citizen Lab released a report that left me with only one reaction: the irony could not be sharper.

The report’s subject is Stelios Kouloglou, a Greek former member of the European Parliament. Between 2022 and 2023, he served on the European Parliament’s “PEGA Committee” — the Committee of Inquiry to Investigate the Use of Pegasus and Equivalent Surveillance Spyware. To put it plainly: his day job was to investigate who was using Pegasus spyware to illegally surveil people.

And while he was doing that job, his phone was infected with Pegasus. Not once. Twice.

The hunter became the hunted.

Greek journalist and MEP Stelios Kouloglou

▲ Greek journalist and former Member of the European Parliament Stelios Kouloglou. Source: Citizen Lab

1. A Patient in a Hospital Bed — and His Phone Is Being Hacked

Rewind to October 21, 2022. On that day, Kouloglou was in a hospital in Athens undergoing an elective surgery. He wasn’t working. He wasn’t in a meeting. He wasn’t even looking at his phone — he was lying in a hospital bed.

A Greek investigative journalist named Thanasis Koukakis came to visit him. Koukakis is himself a spyware victim — earlier in 2022, his phone was found to have been infected with a different spyware called Predator. The two of them talked in the hospital room about the progress of the spyware investigations, about the PEGA committee’s work plan. Koukakis took a photo to mark the occasion.

On that very day, at roughly the same moment that photo was taken, Kouloglou’s phone was successfully compromised by Pegasus spyware.

Photo taken by Koukakis on the day Kouloglou's phone was hacked

▲ October 21, 2022. Greek journalist Koukakis visits Kouloglou in his hospital room. At this exact moment, Kouloglou’s phone is being infected with Pegasus spyware. Source: Citizen Lab / Thanasis Koukakis

Looking at this photograph, I feel a deep unease. The two people in the frame are talking about how to fight spyware. And what they don’t know is that, as they speak, one of the phones in the room is silently streaming everything — conversations, text messages, contacts, calendar entries — to a “customer” somewhere on the other side of a screen.

This is the terrifying thing about military-grade spyware like Pegasus: you have absolutely no idea you’ve been compromised. Your phone looks entirely normal. No strange text messages. No pop-ups. No lag. But every call you make, every photo you take, every message you send — someone, somewhere, is reading it remotely.

2. Zero-Click Attacks: You Don’t Need to Do Anything

Some readers might wonder: how does Pegasus actually get onto a phone? Don’t you have to click a link, download a file, or at least answer a suspicious call?

The answer: none of the above.

Let me explain this as plainly as possible. Imagine your phone as a house. A traditional virus attack is like someone knocking on your door, tricking you into opening it, and charging inside. Pegasus works differently: it doesn’t need to knock. It exploits a structural flaw in the house itself — say, a crack in the wall that even you don’t know exists. The attacker slips something through that crack and takes control of the entire house from the inside.

The cybersecurity industry calls this a “zero-click exploit.” You don’t click anything. You don’t need to perform any action. You don’t even need to unlock your phone. The attack completes on its own.

In Kouloglou’s case, the vulnerability used to compromise his phone is known as “PWNYOURHOME.” It exploits a flaw in Apple’s HomeKit framework. The attacker simply registers a specially crafted email address with HomeKit — that triggers an error deep inside the system, which in turn grants control over the device.

Throughout this entire process, Kouloglou received no notification. He saw nothing unusual. It wasn’t until months later that Apple patched the vulnerability in iOS 16.3.1. When Kouloglou was infected, his phone was running iOS 15.5. To the attacker, the door was wide open.

What makes this even more chilling is the second infection window: March 6–7, 2023. On those two days, Kouloglou flew from Athens to Brussels for intensive PEGA committee deliberations. The committee was finalizing its concluding report — the document that would determine which governments were abusing spyware and what consequences they might face. If, during that period, the discussions about the draft report, other members’ positions, or even voting strategies were intercepted — I don’t need to spell out what that means.

Apple did, in fact, send Kouloglou three security threat notifications: on March 2, 2023; August 29, 2023; and April 10, 2024. But Kouloglou says he does not recall receiving any of them. This isn’t surprising. Apple delivers these “threat notifications” silently — they’re easily missed or mistaken for spam.

3. Who Sells These Digital Weapons? A Multi-Billion-Dollar Business

Here we need to talk about the company behind Pegasus: NSO Group.

Founded in Israel in 2010, NSO sells what the industry calls “cyber weapons.” Its business model is brutally simple: sell only to governments. No individuals. No corporations. The deployment cost for a single Pegasus system is estimated in the millions to tens of millions of dollars.

NSO’s official line is that Pegasus is a “tool for fighting crime and terrorism.” On the surface, it sounds reasonable — police use surveillance technology to catch criminals. Of course they do. The problem is: once the product is sold, NSO has no control over how its customers use it. And that customer list includes countries whose human rights records are, shall we say, less than spotless.

Starting in 2021, the Pegasus Project — a consortium of 17 international media organizations — began systematically exposing cases of Pegasus abuse. Journalists, lawyers, opposition politicians, human rights activists, even heads of state: all were on target lists. Every time an exposé breaks, NSO responds with “we will investigate” and “we didn’t know our client used it this way.” But the cases keep coming.

I looked up the relevant court records. In May 2025, a U.S. federal court in California ordered NSO Group to pay Meta (WhatsApp’s parent company) $168 million in damages. The finding: NSO exploited WhatsApp vulnerabilities to help its clients illegally surveil 1,400 phones globally. It remains the largest single penalty ever imposed on a spyware vendor.

But here’s what worries me most: the judgment didn’t stop NSO. According to TechSpot, NSO restructured under new ownership in November 2025 and resumed hunting for new buyers.

In other words: the business continues.

4. The European Parliament Has Been Targeted Before — and It Will Be Again

Kouloglou is not the only MEP to have been targeted by Pegasus.

Even before the PEGA committee was formed, four Catalan members of the European Parliament were infected with Pegasus — including Diana Riba, who would later become PEGA’s vice-chair, and Carles Puigdemont, the former president of Catalonia. They were simultaneously members of the committee investigating spyware and victims of the very spyware under investigation. That absurd situation is its own indictment.

In February 2024, two members of the European Parliament’s Security and Defence Subcommittee were found to have spyware traces on their phones. In May of the same year, German MEP Daniel Freund confirmed he was targeted by a different spyware called Candiru.

The pattern is clear: the European Parliament — the institution that styles itself “Europe’s democratic fortress” — is being penetrated from multiple directions by multiple spyware tools.

One detail from Citizen Lab’s report deserves particular attention: the researchers explicitly state there is no evidence that the Greek government carried out the attack. Instead, the evidence points to the same “operator” linked to the hacking of Russian and Belarusian exiled journalists — a Pegasus customer with “authorization” across multiple European countries. In other words, this was likely a surveillance operation that crossed multiple national borders.

5. Why This Matters: The Rules Are Being Trampled

Let’s return to that phrase: the hunter became the hunted. It’s more than a catchy headline. It points to a deeper problem.

When someone tasked with overseeing spyware abuse can be casually infected with spyware, it means the surveillance technology is no longer bound by any rules at all.

The PEGA committee was supposed to draw red lines around spyware use: under what circumstances can it be deployed? Who can authorize it? What rights does the targeted person have? But when a committee member’s own phone is compromised — when confidential committee deliberations may have been intercepted — the act of drawing red lines becomes nearly impossible. Because the entity you’re trying to constrain already knows, in advance, exactly how you plan to constrain it.

It’s like setting an exam, and the student has already seen the questions. Does the exam still mean anything?

Citizen Lab’s report ends with a recommendation that I find both heartbreaking and pragmatic: they urge all PEGA committee members and staff to immediately undergo spyware screening on their phones. “In the absence of comprehensive screening, it is impossible to know whether other committee members or their staff have been similarly targeted.”

Four years later, nobody knows how many more phones remain compromised.

6. What Can Ordinary People Learn From This?

Frankly, for the average person, an attack at the Pegasus level is nearly impossible to defend against. This isn’t something you can stop by installing an antivirus app. The vulnerabilities it exploits are often ones even the phone manufacturer doesn’t know exist yet — in security parlance, “zero-day vulnerabilities.”

But a few things are worth knowing:

First, be aware that this threat exists. This is not the plot of a Hollywood thriller. Military-grade spyware is deployed globally, and the target list has long since expanded from terrorists to include journalists, lawyers, politicians, activists — and the people investigating those spyware tools.

Second, pay attention to security warnings from your device manufacturer. Both Apple and Google send “threat notifications” to users who may be targeted by state-sponsored attacks. If you receive one, do not ignore it. It may mean your phone has already been flagged.

Third, if your work is sensitive, consider enabling Lockdown Mode (iOS) or Advanced Protection (Android). This will restrict many features — for example, certain attachments in iMessages from unknown senders won’t load automatically — but it dramatically raises the bar for a successful spyware attack.

Closing

As I finished writing this piece, I looked again at that photograph from the hospital room. Two people in the frame: a lawmaker investigating spyware, and a journalist who had himself been a spyware victim. They’re talking about how to resist surveillance. And between them, one phone is being actively surveilled by the very spyware they’re discussing.

The image itself is a metaphor for the era we live in.

Citizen Lab’s report recommends that EU institutions and national parliaments conduct comprehensive spyware screening for all members. But I think there’s a question that matters even more than screening, and someone needs to answer it: who watches the watchers?

Reference links: