Pegasus Spyware Deployed Against European Parliament Investigator: Targeting of Oversight Creates Political Vulnerability
Stelios Kouloglou, a European Parliament member investigating commercial spyware abuses, was infected with Pegasus spyware twice during his tenure on the PEGA committee. This represents a direct attack on parliamentary oversight mechanisms and suggests threat actors are targeting those scrutinising spyware exports.
Affected
The infection of Kouloglou with Pegasus whilst serving on the European Parliament's committee investigating spyware abuses represents a significant escalation in the use of surveillance tools against democratic institutions. The targeting was neither random nor coincidental: Kouloglou was actively engaged in legislative scrutiny of commercial spyware sales and licensing practices. This constitutes a direct assault on parliamentary independence and the ability of elected representatives to conduct investigations into potential human rights violations.
The technical vector used to deliver Pegasus to Kouloglou remains unconfirmed from the available information, but historical deployments of Pegasus typically rely on zero-day exploits or sophisticated social engineering. The fact that infection occurred twice suggests either persistent compromise attempts or reinfection following initial detection. Pegasus is known to target iOS and Android devices through both zero-day and n-day vulnerabilities, often delivered via SMS or messaging applications with minimal user interaction required.
The broader implications are substantial. This incident demonstrates that commercial spyware vendors or their customers view parliamentary investigation as a threat worthy of targeting with their most sophisticated tools. It raises questions about who authorised the targeting, whether judicial oversight existed in the jurisdictions ordering the surveillance, and whether the targeting itself violated EU law or national legal frameworks. The PEGA committee's mandate specifically includes examining the misuse of commercial surveillance technology, making this targeting particularly problematic from a rule-of-law perspective.
Organisations and parliaments conducting oversight of surveillance tools should assume they are targets for compromise. This includes implementing device security hardening, separation of sensitive work onto isolated devices, and robust endpoint detection capabilities. European Parliament members and staff working on PEGA and related committees should conduct comprehensive device audits. Critically, this incident should inform European Union export controls and licensing frameworks for dual-use surveillance technology, particularly concerning end-use assurances and human rights safeguards.
The incident illustrates a fundamental tension in commercial spyware governance: tools marketed for law enforcement and national security purposes are deployed against political opposition and oversight bodies. Until export licensing and judicial authorisation frameworks are substantially strengthened, democratic institutions remain vulnerable to the very surveillance tools they are tasked with regulating.
Sources