A new report from the Citizen Lab has revealed that former Member of the European Parliament Stelios Kouloglou had his mobile device repeatedly hacked with the notorious Pegasus spyware while serving on a committee that was tasked with investigating the abuse of such commercial surveillance tools in the bloc.
“Through forensic analysis of his device, we found that the attackers could have had access to confidential documents and committee deliberations,” the Citizen Lab researchers John Scott-Railton, Bill Marczak, Bahr Abdul Razzak, Kate Pundyk, Siena Anstis, and Ron Deibert said.
The infections have not been attributed to a particular government at this time, and there is no evidence that the Greek government is behind the activity. However, the Canadian interdisciplinary research laboratory noted that it identified an overlap between the first infection and a previous campaign targeting Russian- and Belarusian-speaking exiled journalists and activists in Europe.
This indicates that a Pegasus customer with authorization to spy in multiple European countries is likely responsible for the effort, the Citizen Lab added.
Kouloglou was a member of the European Parliament’s “Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware” from March 24, 2022, to July 18, 2023. The PEGA Committee was set up on March 10, 2022, to probe alleged misuses of commercial spyware offerings under E.U. law, specifically focusing on gathering information on the extent to which member states and other countries are using such tools in contravention of the region’s rights and freedoms.
The Citizen Lab said that a forensic analysis of artifacts collected from his iPhone in May 2026 has found that it was compromised with Pegasus spyware on or around October 21, 2022, and again on March 6 and 7, 2023.
“On 2022-10-21 10:16, there was a lookup for a HomeKit email address rauharepo888[@]gmail.com. Two minutes later, a Pegasus process used mobile data,” the researchers explained. It’s assessed that a zero-click exploit in Apple’s smart home software, codenamed PWNYOURHOME, was used to deliver the spyware. The issue was addressed by Apple in iOS 16.3.1.
The subsequent Pegasus activity observed in March 2023 is also said to have weaponized the same exploit. At both times, Kouloglou’s device was running iOS 15.5. Further analysis of the phone has revealed that Kouloglou received Apple threat notifications about being targeted with mercenary spyware on three occasions: March 2, 2023, August 29, 2023, and April 10, 2024.
Interestingly, at the time Kouloglou’s phone was first hacked, he was admitted to a hospital for elective surgery and had been visited by Greek investigative journalist Thanasis Koukakis, who had his own phone compromised with Intellexa’s Predator spyware and had testified before the PEGA Committee a month before.
The timing of the second infection in March 2023 is also significant, as it coincided with the intense discussions related to the final drafting process, followed by a series of PEGA hearings. The incident took place two months before the adoption of the first PEGA Committee report.
The development marks the first time a member of the PEGA Committee has been publicly identified as a victim of Pegasus spyware while serving on the committee.
The connection between Kouloglou’s case and the campaign targeting Russian- and Belarusian-speaking independent journalists and opposition activists based in Europe is based on the use of the same email address “rauharepo888[@]gmail.com.”
“In our understanding of Pegasus infection infrastructure during this period, we believe that these emails are unique to specific operators,” the Citizen Lab said. “We are unable to say whether the second infection in 2023 is similarly connected to this operator, or a different operator.”
“Based on what we know of NSO Group’s licensing, this would likely indicate that the customer had a license that enabled infections in multiple E.U. jurisdictions, narrowing the list of potential Pegasus operators that could be responsible for this case.”
The findings raise fresh concerns about how governments leverage spyware ostensibly marketed for combating serious crimes, such as terrorism and child sexual abuse, for spying on the communications of journalists, lawmakers, dissidents, and critics.
The development comes days after the Citizen Lab revealed that Russian authorities used Cellebrite’s UFED forensic tools to break into the iPhone of detained opposition activist Andrey Pivovarov in June 2021, three months after Cellebrite announced it would stop offering its tools and services to Russia and Belarus.
“The authorities searched Pivovarov’s devices for key organizations and contacts, as well as high-profile opposition figures,” the Citizen Lab said. “Search terms included Mikhail Khodorkovsky, who founded Open Russia, Anastasiya Burakova, who was at the time a human rights lawyer at Open Russia and currently leads a prominent anti-war group, and Open Russia’s former coordinator and Pivovarov’s partner, Tatiana Usmanova.”
Some of these individuals, including Burakova, were later targeted in a phishing campaign orchestrated by a Russian hacking group known as COLDRIVER, raising the possibility that the use of Cellebrite’s tools may have helped facilitate reconnaissance and enable further targeting and surveillance of other regime opponents abroad.
Back in April, the Citizen Lab also uncovered two distinct, long-running spying campaigns that are abusing well-known weaknesses in the global telecoms infrastructure to track people’s locations. Notably, these attacks do not necessitate malware deployment, making them stealthy and harder to detect.
One of the two campaigns worked by sending a special type of text message with malicious hidden SMS commands to targets in an effort to “turn the device into a covert tracking beacon,” the report said. The second campaign relied on weaknesses in Signaling System No. 7 (SS7) and Diameter signaling protocols to track an individual’s whereabouts without requiring access to their devices.
The two campaigns are said to have abused three specific telecom providers, namely 019Mobile, Airtel Jersey (part of Sure Group), and Tango Networks U.K., that act as “surveillance entry and transit points within the telecommunications ecosystem” and “allow traffic to move through trusted signalling interconnections while granting access to threat actors that hide behind their infrastructure.”
“Both actors used customized surveillance tooling to spoof operator identities, manipulate signalling protocols, and steer traffic through specific interconnect network paths to evade defenses and mask attribution,” the digital rights organization said.
“The findings expose how suspected commercial surveillance vendors (CSVs) exploit the global telecom interconnect ecosystem, leverage private operator networks, and conduct covert location tracking operations that can persist undetected for years.”























