Stelios Kouloglou, a journalist and former member of the European Parliament, fell victim to the very surveillance technology he was investigating. According to research released by the University of Toronto's Citizen Lab on July 3, his iPhone was compromised on at least two separate occasions between 2022 and 2023 using Pegasus spyware, manufactured by Israeli firm NSO Group. The case underscores a troubling paradox: those tasked with regulating dangerous surveillance tools remain vulnerable to their misuse, even as they work to establish safeguards.

At the time his device was targeted, Kouloglou was an active member of the European Parliament's PEGA Committee, established specifically to investigate the trade in Pegasus and other government surveillance technologies. The committee's 2023 report concluded that such tools posed a fundamental threat to democratic institutions and citizen rights, recommending stricter regulations on their deployment and sale across the European Union. Yet while Kouloglou drafted these recommendations, his own communications were being monitored without his knowledge or consent.

The compromised device contained sensitive material that underscores the gravity of the breach. Kouloglou's iPhone held communications with Greece's former prime minister, Alexis Tsipras, alongside private medical records and contact information for journalistic sources. Such information, if accessed by hostile actors, could compromise political relationships, endanger journalists' safety, and expose vulnerable individuals. The targeting represents not merely a technical intrusion but a serious breach of political confidentiality and professional privilege. Kouloglou remains uncertain which government may have orchestrated the attack, though he has committed to investigating the matter.

The sophistication of at least one of the hacks amplifies concerns about state-level surveillance capabilities in Europe. Citizen Lab found that in one instance the NSO spyware exploited a zero-click vulnerability, meaning Kouloglou's phone was silently compromised without requiring him to interact with any suspicious link or message. Zero-click exploits represent the cutting edge of mobile device exploitation and are among the most expensive to develop and deploy, suggesting involvement by well-resourced state actors rather than common criminals or corporate competitors.

While the Citizen Lab investigation could not definitively identify the attacker, researchers found evidence linking the entity responsible for targeting Kouloglou to a broader campaign against vulnerable populations across Europe. The same operator had apparently targeted a group of seven Russian and Belarusian-speaking independent journalists and opposition activists living on the continent. This pattern indicates a coordinated surveillance operation likely aimed at silencing critical voices and gathering intelligence on political adversaries.

The Pegasus spyware ecosystem operates under a veneer of legitimacy. NSO Group maintains that it sells exclusively to governments and law enforcement agencies for counterterrorism and serious crime investigation. However, documented instances worldwide reveal a starkly different reality. Multiple investigations have shown that intelligence services deploy Pegasus against journalists documenting corruption, activists advocating for human rights, and political opponents challenging sitting governments. The gap between stated purpose and actual deployment has widened consistently since Pegasus emerged as a major surveillance tool.

Kouloglou's case marks a historic turning point in Europe's spyware crisis. While other European Parliament members have previously been targeted—four Catalan lawmakers between 2019 and 2020, and a French representative in 2023—none were serving on the PEGA Committee itself. This distinction carries symbolic weight and practical significance. The irony of targeting someone actively investigating surveillance abuses highlights both the audacity of state-level spyware operators and the inadequacy of existing oversight mechanisms.

John Scott-Railton, senior researcher at Citizen Lab, characterised the situation as emblematic of broader European failures in addressing surveillance threats. He noted that the European Commission must strengthen its response to spyware proliferation across the continent. The research findings place direct pressure on Brussels to move beyond rhetoric and implement substantive enforcement measures against both the manufacturers and operators of illicit surveillance technology.

The European Commission's official response acknowledges the issue while emphasising the complexity of addressing it comprehensively. Antoine Lomba, speaking for the Commission, stated that Brussels is pursuing multiple legislative and non-legislative approaches to combat illegal surveillance. The Commission explicitly condemned any unauthorised data access targeting journalists, political opponents, and ordinary citizens. Nevertheless, critics argue that such statements remain largely performative without corresponding enforcement actions or meaningful consequences for violating nations.

Sophie in 't Veld, a Dutch former MEP who served as rapporteur for the PEGA Committee, reframed the Kouloglou incident as symptomatic of systemic dysfunction rather than an isolated mishap. She underscored that surveillance abuses targeting political voices have persisted for five years without serious repercussions. The absence of meaningful consequences encourages further violations, creating a cycle of impunity that weakens democratic institutions across the European Union.

For Southeast Asian observers, this European crisis carries instructive lessons. Many governments in the region have acquired sophisticated surveillance capabilities through various channels, and unchecked spyware deployment elsewhere sets a dangerous precedent. The normalisation of state-level surveillance against journalists and opposition figures creates templates that other regimes may emulate. Regional governments should recognise that oversight mechanisms and legal frameworks developed in Europe, however imperfect, may provide useful models for preventing surveillance abuses domestically.

The targeting of Kouloglou demonstrates that institutional position alone provides no protection against sophisticated surveillance threats. Even those wielding legislative authority to regulate surveillance tools remain vulnerable to state-level hacking operations. This asymmetry suggests that addressing the problem requires not incremental reforms but fundamental restructuring of how surveillance technology is regulated, deployed, and monitored. Until states face genuine consequences for surveillance abuses, the cycle of impunity will likely persist across Europe and globally.