Stelios Kouloglou, a Greek journalist and former European Parliament member, became an unwitting victim of the very surveillance technology he was investigating when his iPhone was compromised by NSO Group's Pegasus spyware on at least two separate occasions spanning 2022 and 2023. The breach was identified through research published on July 3 by Citizen Lab, the digital security watchdog programme operated by the University of Toronto, raising fresh concerns about how government-grade surveillance tools continue to evade oversight mechanisms designed to curb their abuse across Europe and internationally.
At the time his device was penetrated, Kouloglou served on the European Parliament's PEGA Committee, a specialist body established to examine and regulate the proliferation of advanced surveillance technologies marketed by firms like NSO Group to governmental and law enforcement agencies worldwide. The committee subsequently concluded that such technologies represented a fundamental "threat to democracy and fundamental rights," recommending stricter European Union controls over their deployment and cross-border sale. That someone actively engaged in scrutinising these technologies would himself become a target underscores the paradoxical vulnerability facing those attempting to police the surveillance industry's most powerful actors.
NSO Group markets Pegasus exclusively to state and law enforcement entities, framing the platform as a legitimate counterterrorism and serious crime-fighting instrument capable of remotely accessing mobile devices and intercepting communications, phone calls, messages and stored data. Yet documented cases consistently reveal deployment against journalists, political activists and opposition figures rather than the ostensible criminal targets the company emphasises. The incident involving Kouloglou exemplifies a broader pattern where ostensibly regulated tools intended for narrowly defined purposes become instruments of political control and intimidation.
Kouloglou's compromised device contained highly sensitive materials including private communications with Alexis Tsipras, Greece's former prime minister, alongside confidential medical records and his journalistic contacts and sources. The breach therefore threatened not only his personal privacy but potentially the security of individuals connected to him and the integrity of investigative journalism conducted through his phone. Despite the severity of the intrusion, Kouloglou acknowledged uncertainty regarding which government entity orchestrated the attack, describing his intention to investigate the matter further without apparent confidence in existing accountability mechanisms.
Citizen Lab's investigation identified evidence suggesting the same actor responsible for hacking Kouloglou also targeted a cohort of seven independent journalists and opposition activists from Russian and Belarusian-speaking communities operating from European bases. This clustering pattern suggests coordinated surveillance rather than isolated incidents, pointing towards state-sponsored operations systematically monitoring political dissidents and media figures across jurisdictions. The breadth of such targeting reveals how surveillance capabilities have become tools for suppressing legitimate political speech and journalistic inquiry across multiple countries simultaneously.
Particularly significant was Citizen Lab's finding that at least one intrusion employed a zero-click exploit, representing the most sophisticated and prohibitively expensive hacking methodology currently known. Such techniques require no user interaction—no deceptive links to click, no suspicious attachments to open—making them virtually undetectable without advanced forensic analysis. The deployment of such costly methods against Kouloglou indicates either state-level resources or significant financial commitment to silencing his oversight work, suggesting the targeting was deliberate rather than opportunistic.
While several European parliamentarians have previously fallen victim to Pegasus, including four Catalan lawmakers during 2019 and 2020 and a French representative in 2023, Kouloglou's case represents a watershed moment: he becomes the first serving member of the oversight committee itself to be compromised. This inversion—where investigators become investigated subjects—crystallises the power asymmetry between those attempting regulatory control and the surveillance industry's capacity to neutralise oversight efforts through technological superiority. The symbolism resonates beyond the individual case, illustrating how current governance frameworks prove structurally inadequate against determined state actors wielding these tools.
John Scott-Railton, a senior Citizen Lab researcher, framed the incident as encapsulating the fundamental failure of European governance regarding spyware proliferation. His observation that committee recommendations have been systematically ignored despite this high-profile breach highlights institutional dysfunction at the European level. The European Commission's subsequent statement acknowledging that illegal data access attempts are "unacceptable" rings hollow when years of documented abuses have generated minimal enforcement action or legislative consequence.
Sophie in 't Veld, the Dutch former MEP who served as rapporteur overseeing the PEGA committee's work, characterised the targeting of Kouloglou not as an anomaly but as evidence of systemic state surveillance operating with effective impunity. Her observation that five years of documented abuse have produced "absolutely zero consequences" reflects a governance vacuum where political will to enforce restrictions remains absent despite rhetorical commitments. The absence of meaningful penalties creates perverse incentives encouraging continued abuse, as governments apparently calculate that surveillance benefits outweigh diplomatic or legal costs.
For Southeast Asian observers, the Kouloglou case carries particular relevance, as several regional governments are known purchasers and deployers of NSO technologies and comparable surveillance platforms. The demonstrated vulnerability of even prominent politicians and journalists in developed democracies with sophisticated oversight bodies suggests comparable or greater exposure faces activists and political figures in jurisdictions with weaker institutional protections and more limited public scrutiny. The case demonstrates that purchasing advanced surveillance capabilities often precedes institutional maturity in restricting their abuse, creating dangerous gaps between technological capacity and governance restraint.
The broader implication extends beyond individual hacking incidents to encompass the fundamental question of whether liberal democratic institutions can effectively regulate technologies that inherently concentrate power in governmental hands. That investigators specifically tasked with creating regulatory frameworks themselves become surveillance targets suggests the surveillance industry has achieved capabilities that effectively place it beyond democratic control. Unless enforcement mechanisms are substantially strengthened and accompanied by genuine political commitment, the pattern established by Kouloglou's compromise will likely persist, with oversight committees serving primarily to document abuses rather than prevent them.
