A profound irony has emerged from Europe's escalating surveillance scandal: a politician working to regulate intrusive spyware has himself become a victim of the very technology he was investigating. Stelios Kouloglou, a journalist-turned-European Parliament member, discovered that his iPhone was compromised by NSO Group's Pegasus surveillance tool on at least two separate occasions during 2022 and 2023, according to research released on July 3 by the University of Toronto's Citizen Lab, a leading digital rights monitoring organisation.
The timing of these hacks is particularly significant because Kouloglou was actively engaged with the European Parliament's PEGA Committee, a body specifically established to examine the proliferation and misuse of sophisticated surveillance technologies like Pegasus. The committee's work culminated in a 2023 report that characterised such surveillance tools as fundamental threats to democratic institutions and citizens' rights, recommending stricter European Union regulations governing their sale and deployment. That Kouloglou himself became a target while drafting these protective measures underscores the weakness of current regulatory frameworks and the impunity enjoyed by those who wield these weapons.
NSO Group's Pegasus represents one of the most potent commercial surveillance instruments ever developed. The Israeli company markets the technology exclusively to governments and law enforcement agencies, framing it as essential for combating terrorism and serious organised crime. In practice, Pegasus grants operators the ability to remotely penetrate mobile devices, intercepting phone conversations and encrypted messages while extracting stored data. The sophistication lies in the potential for zero-click deployment, a methodology demonstrated in at least one attack against Kouloglou—meaning his phone was compromised without requiring him to interact with malicious links or suspicious attachments. This approach demands substantial technical expertise and financial resources, suggesting well-resourced state actors rather than common cybercriminals.
Kouloglou's compromised device contained extraordinarily sensitive material, including correspondence with Alexis Tsipras, Greece's former prime minister, alongside personal medical records and confidential journalistic sources. The violation is not merely an individual privacy breach; it potentially threatens ongoing journalistic investigations and political relationships. Despite the gravity of the situation, Kouloglou has said he is uncertain which government operatives targeted him, though he has committed to investigating the matter further. NSO Group declined to comment on the allegations.
Citizen Lab's investigation uncovered additional targets beyond Kouloglou. The research suggests the same operational entity responsible for compromising the Greek politician also targeted approximately seven Russian and Belarusian-speaking journalists and opposition figures residing across Europe. This pattern indicates a coordinated campaign against individuals involved in independent media and political opposition activities, expanding the scope far beyond a single incident.
For Southeast Asian observers, Kouloglou's situation carries uncomfortable parallels. Multiple regional governments have faced credible allegations of deploying NSO's Pegasus technology and similar commercial spyware against journalists, activists, and political adversaries. Malaysia itself has been implicated in previous surveillance scandals involving sophisticated monitoring tools. The European experience demonstrates that possessing advanced surveillance capabilities creates institutional pressure to utilise them, and that oversight mechanisms struggle to restrain such impulses even within supposedly robust democratic systems.
Historical precedent within Europe itself reveals the pervasive nature of this threat. Four Catalan members of parliament fell victim to Pegasus between 2019 and 2020, and a French representative was targeted in 2023. Yet despite these documented incidents, substantive consequences for perpetrators have remained absent, and victims have received minimal official support. The targeting of an active PEGA committee member represents an escalation—this is not merely collateral damage or mistaken targeting, but an apparent attack against the very machinery designed to constrain such surveillance.
John Scott-Railton, Citizen Lab's senior researcher, articulated the fundamental dysfunction: Pegasus has been weaponised against the very committee tasked with investigating its abuse, yet Europe's decision-making bodies have largely ignored the committee's recommendations. This represents a crisis not simply of cybersecurity but of institutional responsiveness. When investigative bodies become targets, they are simultaneously delegitimised and silenced, creating chilling effects that discourage rigorous oversight.
The European Commission has offered carefully qualified statements emphasising its opposition to illegal surveillance and commitment to addressing the issue through multiple legislative and non-legislative channels. Yet critics, including Sophie in 't Veld, the Dutch former MEP who served as PEGA's rapporteur, characterise this response as inadequate. In 't Veld describes the hacking pattern not as isolated incidents but as systematic attacks reflecting entrenched impunity. Across five years, she observes, perpetrators have faced zero meaningful consequences, while abuse has accelerated rather than diminished.
For Malaysia and other Southeast Asian nations grappling with surveillance concerns, the European experience offers sobering lessons. Even within the European Union—a bloc theoretically committed to human rights and the rule of law—surveillance abuse persists despite regulatory efforts and international attention. This suggests that technical solutions alone prove insufficient; genuine constraint requires sustained political will, independent judicial intervention, and meaningful punishment for violators. The targeting of parliamentarians investigating surveillance indicates that perpetrators view themselves as beyond accountability, confident that political considerations will shield them from consequences.
Kouloglou's case crystallises a central tension in contemporary governance: the same technological capabilities that enable legitimate security work can be perverted into instruments of political control and intimidation. The question now confronting European institutions is whether they possess the resolve to transform their recommendations into binding enforcement, or whether Pegasus and comparable tools will continue targeting democratic participants with impunity.
