Key Takeaways

  • Citizen Lab verified that Pegasus was used to compromise Stelios Kouloglou while he served on the European Parliament’s PEGA committee
  • Zero-click exploits in Apple iOS highlight persistent gaps in mobile device hardening and monitoring across public institutions
  • Analyst research shows rising concern among government CISOs about commercial spyware risks and the need for more resilient mobile security programs

Security researchers have now confirmed that Stelios Kouloglou, a Greek journalist and former member of the European Parliament, had his iPhone compromised with Pegasus in 2022 and 2023 at the same time he was investigating abuses of Pegasus itself. The finding, published by the University of Toronto’s Citizen Lab, marks an unusual moment in the continuing debate over commercial surveillance tools in democratic systems. For the enterprise and public sector audience, the incident also illustrates how targeted spyware operations continue to challenge even well-resourced institutions.

Kouloglou served on the European Parliament’s PEGA committee, which was created to investigate the use of Pegasus and similar spyware inside the EU. According to Citizen Lab, his device was breached during October 2022 and at least twice during March 2023 through a zero-click exploit in Apple’s iPhone software. The vulnerability had been patched by Apple, but the update had not yet been installed on his device at the time of compromise. That detail alone offers a reminder of how quickly threat actors can capitalize on patching delays.

The timing of the attacks highlights the tactical deployment of commercial spyware. Targeting a committee investigator using the very spyware under investigation suggests an intense focus on the committee’s inner workings ahead of a widely anticipated report detailing its findings. The deliberate compromise allowed the spyware to capture private data from the device without requiring any user interaction.

Citizen Lab did not attribute the breach to a specific country, but noted that the operator used the same Pegasus-linked email infrastructure previously seen targeting journalists across Europe. Reusing that email address implied that the operator had ongoing authorization from NSO Group to deploy Pegasus in multiple jurisdictions. Details like that raise questions for public sector CISOs. If threat actors are operating across borders with licensed access to advanced spyware, government bodies that rely heavily on mobile workflows face significant monitoring challenges.

Gartner’s 2023 analysis of the commercial surveillance and law enforcement technology sector placed the market above $12 billion, a scale that demonstrates how accessible these capabilities have become for state customers. That figure helps explain why individual incidents increasingly show up in political, legal, and diplomatic contexts. It is not rare for high-profile targets to be watched, but compromising an investigator in the middle of an inquiry represents a direct escalation.

The European Parliament’s policy department has warned about risks associated with zero-click mobile exploits. Its own research described such attacks as a severe threat to fundamental rights, especially for journalists and elected officials. Policymakers inside the EU have long understood that the mobile device represents a single point of failure for sensitive deliberations. The Kouloglou case shows the practical consequences in far more personal terms, as private data was successfully extracted. If the people writing oversight reports are targeted, immediate questions arise regarding the safeguards needed to protect the integrity of the investigative process.

Forrester has reported that a majority of public sector CISOs consider commercial spyware one of their highest-tier strategic risks. Many organizations have responded by increasing investment in secure communications, mobile threat intelligence, and operational monitoring. Those strategies represent practical levers institutions can pull without waiting for regulatory shifts. The PEGA committee’s work has pushed for stronger EU-wide limits on intrusive surveillance, but the legislative path remains fragmented across the 27 member states.

The security guidance from NIST’s mobile device program, particularly NIST SP 800-124 Rev. 2, emphasizes timely patching, configuration hardening, and network analysis as baseline controls. In theory, these measures reduce the attack surface for sophisticated malware. In practice, targeted spyware tends to exploit unpatched or unknown vulnerabilities, sometimes leaving even disciplined teams exposed. Still, a hardened environment increases the amount of work an attacker must do, driving up the cost of deployment and slowing the spread of these tools.

A spokesperson for the European Commission did not comment on the findings, and NSO Group did not respond before publication of the Citizen Lab report. NSO remains restricted in the United States after an executive order barred government use of tools that could facilitate human rights abuses. Kouloglou has stated he plans to take legal action against NSO Group.

Institutional responses to spyware oversight provide essential context for understanding these attacks. The European Parliament published an investigative analysis that outlines technical and legal findings related to Pegasus and other surveillance tools, mapping directly to the environment in which the PEGA committee operates. Additionally, incidents in other regions have been documented in independent reporting, including coverage by AP News of Pegasus use in Jordan. These references illustrate the international scope of the issue.

Mobile devices have become deeply embedded in the daily routines of lawmakers, journalists, and public administrators, making them highly valuable targets. The Kouloglou case underscores that value and demonstrates why mobile spyware remains a potent element of the strategic threat landscape. For organizations responsible for sensitive information, proactive mobile security programs are necessary to mitigate the impact of sophisticated exploits.