Former Greek Member of the European Parliament (MEP) Stelios Kouloglou was repeatedly infected with NSO Group’s Pegasus spyware while actively serving on the very committee tasked with investigating Pegasus abuses.
Citizen Lab’s forensic analysis confirmed with high confidence that Kouloglou’s iPhone was compromised on October 21, 2022, and again on March 6–7, 2023, during his tenure as a substitute member of the European Parliament’s Committee of Inquiry into Pegasus and equivalent spyware (PEGA Committee).
Both infections aligned with sensitive periods of committee deliberation, meaning the spyware likely captured non-public information about PEGA proceedings, potentially breaching EU parliamentary confidentiality and privilege frameworks.
Pegasus Spyware Hacked MEP Serving
Despite Greece’s ongoing surveillance scandal involving Intellexa’s Predator spyware, Citizen Lab found no technical indicators linking the Greek government to this attack, and no reports suggest Greece has ever been an NSO Group customer.
Instead, researchers identified an infrastructure overlap: the HomeKit lookup email used in Kouloglou’s first infection rauharepo888[@]gmail.com matches a redacted Apple ID from Citizen Lab’s May 2024 joint report with Access Now, which documented Pegasus targeting seven Russian and Belarusian-speaking exiled journalists and activists across Europe.
Since such emails are believed to be unique to specific Pegasus operators, this suggests that a single customer with licensing authorization spanning multiple EU jurisdictions is responsible for the evidence of infection in at least two countries (Greece and Belgium).
The first infection was attributed to the PWNYOURHOME zero-click exploit chain. The attack began with a specially crafted NSKeyedArchive object delivered via HomeKit, followed by a malicious payload delivered through MessagesBlastDoorService.
Apple mitigated the HomeKit vector in iOS 16.3.1, though the MessagesBlastDoorService issue was likely patched earlier, around iOS 16.1. At the time of both infections, Kouloglou’s device was still running the outdated iOS 15.5 (19F77), leaving it exposed to exploitation at both stages.
Kouloglou also received three separate Apple threat notifications on March 2, 2023, August 29, 2023, and April 10, 2024, warning of mercenary spyware targeting.
He told researchers he did not recall seeing any of them, underscoring a critical gap between notification delivery and user awareness.
The October 2022 infection occurred while Kouloglou was hospitalized for elective surgery, during a visit from journalist Thanasis Koukakis himself a confirmed Predator spyware target.
This raises the possibility that protected health information, not just political communications, was exposed, potentially implicating Greek health-data confidentiality law.
Citizen Lab revealed the infection also came just weeks before PEGA’s Cyprus-Greece fact-finding mission and its first draft report.
The March 2023 infection struck while Kouloglou was in Brussels, amid intense final-report drafting, coinciding with Rapporteur Sophie in ‘t Veld’s parallel LIBE Committee mission to question Greek officials.
Kouloglou joins a growing list of European lawmakers targeted with mercenary spyware, including Catalan MEPs Diana Riba, Jordi Solé, and Carles Puigdemont (Pegasus), French MEP Nathalie Loiseau (Pegasus), Bulgarian MEP Elena Yoncheva, and German MEP Daniel Freund (Candiru), though Kouloglou is the first confirmed PEGA Committee member hacked during his tenure.
Citizen Lab urges immediate forensic screening for all PEGA Committee members and staff via DG ITEC, adoption of Lockdown Mode (iOS) or Advanced Protection (Android), formal investigations by the European Parliament and Commission.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.
Click Here For The Original Source.
