TL;DR
Civil society groups and MEPs are demanding urgent European Commission action on spyware after Citizen Lab confirmed that Stelios Kouloglou, a member of the Parliament’s PEGA spyware inquiry, was himself hacked with Pegasus in 2022 and 2023. The attacker is unknown, the Commission is silent, and the PEGA committee’s 2023 recommendations remain largely unanswered. This is the follow-up beat to TNW’s earlier story on the hack itself.
Pressure is mounting on the European Commission to act on spyware, after forensic evidence showed one of the EU’s own spyware investigators was hacked with Pegasus. Civil society groups issued a joint statement demanding the abuse be met with accountability, “not impunity”.
Citizen Lab confirmed last week that Stelios Kouloglou, a Greek former MEP, was infected in October 2022 and again in March 2023. The infections hit while he served on the PEGA committee, the European Parliament’s inquiry into exactly this kind of abuse.
The attacker remains unidentified, and Citizen Lab says it has no indication the Greek government was responsible. The same Pegasus-linked email address appeared in an earlier campaign against journalists across Europe, suggesting a customer authorised to deploy the NSO Group tool in multiple countries.
Whoever was behind the hack could have accessed confidential committee documents and deliberations. Lawmakers have described the incident as an attack on the rule of law, and the Parliament’s left grouping is demanding strict EU-wide limits on spyware use.
The Commission did not respond to requests for comment from TechCrunch. It has yet to publicly account for its implementation of the PEGA committee’s 2023 recommendations, the gap campaigners now want closed with a public roadmap.
A rap sheet, not an isolated case
The statement’s signatories list a pattern of European scandals: spyware used against exiled journalists in Latvia, Lithuania, and Poland, the targeting of the Parliament’s president with Predator, and Graphite infections in Italy, where spyware-laced fake WhatsApp apps have also surfaced. EU public money has meanwhile flowed to the surveillance industry itself, according to EUobserver.
Enforcement of the bloc’s dual-use export rules remains patchy, as leaked Bulgarian export licences to governments accused of repression showed. On paper the EU regulates spyware sellers, and in practice it sometimes funds them.
NSO Group has meanwhile explored selling Pegasus altogether, a prospect that raises its own accountability questions. The tool’s customers, whoever they are, keep finding European targets.
The PEGA committee spent two years documenting Europe’s spyware problem, and one of its own members was bugged while doing it. If that does not trigger the urgent response campaigners want, it is hard to imagine what would.