The European Parliament committee formed to investigate Pegasus spyware abuse had one of its own members hacked with Pegasus — while he was serving on that exact committee.
TL;DR
- Citizen Lab confirmed that Stelios Kouloglou, a substitute member of the EU’s PEGA Committee, was infected with NSO Group’s Pegasus spyware twice in 2022–2023 — while actively investigating spyware abuse.
- The October 2022 infection was proven using iOS forensic artifacts: a HomeKit email lookup followed two minutes later by Pegasus process activity, consistent with the zero-click PWNYOURHOME exploit chain.
- The same attacker infrastructure (a reused Apple ID) links this case to a 2024 campaign against seven Russian- and Belarusian-speaking journalists and activists in Europe — attribution to a specific government customer is not confirmed.
- Pegasus is not alone: Paragon’s Graphite and Intellexa’s Predator show how mature the mercenary spyware market has become, even when the delivery method differs from case to case.
- Mobile Verification Toolkit (MVT), the open-source tool Amnesty International built for this kind of investigation, is free and usable by technical teams that understand mobile forensics.
Why This Matters to You
This isn’t just a story about politicians and spyware. It’s a demonstration of a repeatable forensic process — one that works whether the target is a member of parliament, a journalist, or a high-risk employee at your organization who might reasonably worry about being targeted (executives handling M&A, human rights staff, investigative reporters, dissidents in exile).
If you do incident response, threat intelligence, or protect high-risk individuals, the detection techniques below are things you can run yourself, today, with a free tool.
Table of Contents
- The Case: A Watchdog Bitten
- How the Infection Was Proven
- Who’s Behind It — And Why That’s Still Unclear
- Pegasus Isn’t Alone
- Blue Team: Running This Detection Yourself
- What You Can Do Today
The Case: A Watchdog Bitten
Stelios Kouloglou is a former Greek Member of the European Parliament and an investigative journalist. From March 2022 to July 2023, he served as a substitute member of the PEGA Committee — the European Parliament’s Committee of Inquiry formed specifically to investigate the use of Pegasus and equivalent surveillance spyware by EU governments.
Citizen Lab’s forensic analysis found his iPhone was infected with Pegasus twice:
- October 21, 2022 — while hospitalized in Greece
- March 6–7, 2023 — while in Brussels, during the committee’s active work
Both infections landed during a period when the PEGA Committee was holding hearings, preparing its draft report, and conducting investigative missions to Greece and Cyprus — two countries where domestic Pegasus abuse had already been documented. The person tasked with investigating spyware abuse was, at the same time, a target of it.
How the Infection Was Proven
This is the part worth studying regardless of your interest in EU politics. Citizen Lab didn’t rely on a single indicator — they cross-referenced multiple independent signals.
iOS artifact analysis. iOS records per-process network usage in two SQLite databases: DataUsage.sqlite, which is included in an iTunes/Finder backup, and netusage.sqlite, which is not backed up and requires a full filesystem extraction from the device. In both, each usage row in the ZLIVEUSAGE table references a process row in the ZPROCESS table by its primary key. Since late 2019/early 2020, Pegasus has tried to cover its tracks by deleting its process name from ZPROCESS while leaving the matching ZLIVEUSAGE rows in place, so the usage records point at a process that no longer exists. Per Amnesty's original forensic methodology report, that mismatch between the two tables had not been observed outside a Pegasus infection.
The PWNYOURHOME exploit chain. In the October 2022 infection, the timeline shows a HomeKit-related email lookup at 10:16, followed two minutes later by Pegasus process activity over mobile data. That sequence matches the known PWNYOURHOME zero-click exploit: a two-phase chain in which crafted NSKeyedArchive data is first processed by the HomeKit daemon, and a second phase reaches MessagesBlastDoorService, the sandbox Apple built specifically to isolate and neutralize malicious content in Messages, to gain code execution with no tap, click, or other user interaction.
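The two checks above can be reproduced on a copy of DataUsage.sqlite with a few lines of Python. The script below is an added example (it is not Citizen Lab's or Amnesty's code, and it is not MVT): it finds ZLIVEUSAGE rows whose ZHASPROCESS foreign key points at a ZPROCESS row that no longer exists, then asks whether any of that orphaned mobile-data (WWAN) activity lands within a short window after a known lookup event, the timing pattern described for the October 2022 infection. The table and column names are the subset MVT's datausage module queries; a real database has more columns. Every row is constructed inline, and the 10:16/10:18 times are treated as UTC purely for illustration.

```python
"""Added example: orphaned-process check over DataUsage.sqlite plus a lookup-time
correlation. Constructed sample data; the schema below is a simplified subset of the
real one (assumption: the real tables carry additional columns)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data stores REAL timestamps as seconds since 2001-01-01 00:00:00 UTC.
CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed lookup time standing in for the 10:16 HomeKit-related lookup.
SAMPLE_LOOKUP_TIME = datetime(2022, 10, 21, 10, 16, tzinfo=timezone.utc)


def to_core_data(dt: datetime) -> float:
    return (dt - CORE_DATA_EPOCH).total_seconds()


def from_core_data(ts: float) -> datetime:
    return CORE_DATA_EPOCH + timedelta(seconds=ts)


SCHEMA = """
CREATE TABLE ZPROCESS (
    Z_PK INTEGER PRIMARY KEY, ZFIRSTTIMESTAMP REAL, ZTIMESTAMP REAL,
    ZBUNDLENAME TEXT, ZPROCNAME TEXT);
CREATE TABLE ZLIVEUSAGE (
    Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, ZTIMESTAMP REAL,
    ZWIFIIN REAL, ZWIFIOUT REAL, ZWWANIN REAL, ZWWANOUT REAL);
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: one intact process, plus usage rows whose process row was deleted."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    day = datetime(2022, 10, 21, tzinfo=timezone.utc)
    t_mail = to_core_data(day.replace(hour=9, minute=50))
    conn.execute(
        "INSERT INTO ZPROCESS VALUES (1, ?, ?, 'com.apple.mobilemail', 'MobileMail')",
        (t_mail, t_mail),
    )
    conn.executemany(
        "INSERT INTO ZLIVEUSAGE VALUES (?, ?, ?, ?, ?, ?, ?)",
        [
            # Mail traffic over Wi-Fi; its ZPROCESS row (Z_PK 1) exists.
            (1, 1, t_mail, 120000.0, 4000.0, 0.0, 0.0),
            # Mobile-data traffic two minutes after the lookup; its ZPROCESS row (Z_PK 42)
            # is absent, as if the process name had been deleted.
            (2, 42, to_core_data(day.replace(hour=10, minute=18)), 0.0, 0.0, 25000.0, 900000.0),
            # Another orphaned row days later, outside the correlation window.
            (3, 42, to_core_data(datetime(2022, 10, 25, 3, 0, tzinfo=timezone.utc)),
             0.0, 0.0, 10000.0, 300000.0),
        ],
    )
    conn.commit()
    return conn


def find_orphaned_usage(conn: sqlite3.Connection) -> list:
    """ZLIVEUSAGE rows that reference a ZPROCESS primary key with no matching row."""
    rows = conn.execute(
        """
        SELECT L.Z_PK, L.ZHASPROCESS, L.ZTIMESTAMP, L.ZWWANIN, L.ZWWANOUT
        FROM ZLIVEUSAGE AS L
        LEFT JOIN ZPROCESS AS P ON L.ZHASPROCESS = P.Z_PK
        WHERE L.ZHASPROCESS IS NOT NULL AND P.Z_PK IS NULL
        ORDER BY L.ZTIMESTAMP
        """
    ).fetchall()
    return [
        {"usage_pk": pk, "process_ref": ref, "time": from_core_data(ts),
         "wwan_bytes": (wwan_in or 0.0) + (wwan_out or 0.0)}
        for pk, ref, ts, wwan_in, wwan_out in rows
    ]


def correlate_with_lookup(orphans: list, lookup_time: datetime,
                          window: timedelta = timedelta(minutes=5)) -> list:
    """Orphaned rows with mobile-data traffic inside [lookup_time, lookup_time + window]."""
    return [
        o for o in orphans
        if lookup_time <= o["time"] <= lookup_time + window and o["wwan_bytes"] > 0
    ]


if __name__ == "__main__":
    db = build_sample_db()
    orphans = find_orphaned_usage(db)
    for o in orphans:
        print(f"orphaned usage row {o['usage_pk']} -> missing ZPROCESS {o['process_ref']} "
              f"at {o['time']:%Y-%m-%d %H:%M} UTC, {o['wwan_bytes']:.0f} WWAN bytes")
    for hit in correlate_with_lookup(orphans, SAMPLE_LOOKUP_TIME):
        print(f"  -> within 5 min of lookup at {SAMPLE_LOOKUP_TIME:%H:%M}: usage row {hit['usage_pk']}")
```

Point `sqlite3.connect` at a DataUsage.sqlite copied out of a decrypted backup instead of `build_sample_db()` to run it for real. The orphan query is the whole signature: an intact database has no usage row pointing at a missing process. The correlation step only narrows which orphaned rows line up with a known trigger event, so on a real device it needs the lookup timestamp from a separate artifact and the device's timezone applied consistently.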
Apple threat notifications. Since 2021, Apple has proactively notified users it believes were targeted by state-sponsored or mercenary spyware, and has now done so in over 150 countries. Kouloglou received Apple threat notifications on March 2, 2023, August 29, 2023, and April 10, 2024 — independent corroboration, from the platform vendor itself, layered on top of the forensic artifact analysis.
No single piece of evidence here is exotic. What made the case solid was combining a known forensic signature, a known exploit chain’s telltale timing pattern, and vendor-side corroboration.
Who’s Behind It — And Why That’s Still Unclear
Citizen Lab is explicit that they are not attributing this to a specific NSO Group customer — a distinction worth preserving rather than flattening into “a government did this.” What they did find is an infrastructure link: the Apple ID used in the HomeKit lookup that preceded Kouloglou’s infection matches operator infrastructure documented in a May 2024 joint report by Citizen Lab and Access Now, which covered Pegasus targeting of seven Russian- and Belarusian-speaking independent journalists and opposition activists based in Europe between 2020 and 2023.
Citizen Lab assesses that these operator-specific email addresses are unique per Pegasus customer, so the same customer, whoever they are, appears to hold authorization to operate Pegasus across several European jurisdictions, targeting both a sitting EU lawmaker investigating spyware and a separate group of exiled journalists and activists. That is a shared-infrastructure finding from Citizen Lab's own research; the identity of the government customer behind it remains unconfirmed.
Pegasus Isn’t Alone
Treating this as an NSO Group story alone undersells how mature the mercenary spyware industry has become. Around the time the Kouloglou findings were published, two other vendors were generating comparable, independently confirmed cases:
| Vendor | Product | Notable 2025–2026 case |
|---|---|---|
| NSO Group (Israel) | Pegasus | Kouloglou/PEGA Committee; ongoing Meta contempt-of-court proceedings over WhatsApp attacks |
| Paragon Solutions (Israel) | Graphite | WhatsApp notified roughly 90 accounts in 2025; Citizen Lab later documented Paragon activity against civil society targets in Italy, and Italian prosecutors have confirmed at least one journalist was hacked |
| Intellexa (Greece/Cyprus-linked) | Predator | Greek Predatorgate investigations exposed link-based targeting of 87 prominent people; in February 2026, a Greek court convicted Intellexa founder Tal Dilian and three other executives, sentencing each to eight years in prison, suspended pending appeals |
The lesson is not that every spyware family arrives the same way: Pegasus and Paragon cases include zero-click exploitation, while Predator has often been documented arriving through malicious links. The lesson is harsher: user awareness training cannot be the control when the attack can be invisible, targeted, and backed by an exploit vendor. For this class of threat, forensic artifact analysis is the control that actually answers the question that matters: did the device show signs of compromise? If you want the broader picture of how nation-state-linked and mercenary operators overlap, see our state-sponsored threat actor deep dive, and for the ongoing legal fallout from NSO's WhatsApp attacks, see our coverage of Meta's contempt filing.
Blue Team: Running This Detection Yourself
You don’t need Citizen Lab’s budget to run this kind of investigation. Mobile Verification Toolkit (MVT) is the open-source tool Amnesty International Security Lab built for exactly this purpose, first released alongside their 2021 Pegasus forensic methodology report and still actively maintained.
```bash
# Install MVT (needs a recent Python 3; the project README states the minimum version)
pip install mvt

# Decrypt an encrypted iTunes/Finder backup: -p takes the backup password,
# -d the destination directory, and the last argument is the backup folder
mvt-ios decrypt-backup -d /path/to/decrypted -p "$BACKUP_PASSWORD" /path/to/encrypted_backup

# Optionally fetch the public STIX2 indicator sets MVT knows about
mvt-ios download-iocs

# Run the checks against a STIX2 IOC file you have downloaded
mvt-ios check-backup -o /path/to/output --iocs /path/to/indicators.stix2 /path/to/decrypted
```
MVT can surface the kinds of traces described above: suspicious iOS database anomalies (including the DataUsage process mismatch), known malicious process names, configuration profiles, and matches against public indicators of compromise. It supports iOS (from a backup or a full filesystem dump) and Android (over ADB, from an Android backup, or from data collected with androidqf, Amnesty's companion collection tool), the same androidqf-plus-MVT combination Amnesty used to detect Serbia's homegrown NoviSpy spyware in a December 2024 case.
Important limitation: MVT is a forensic research tool, not a consumer app. It requires backup access, command-line comfort, and an understanding that a clean scan does not prove a clean device — it only checks against known, public indicators. Sophisticated operators rotate infrastructure specifically to stay ahead of published IOC lists.
If mobile app security assessment is new territory for your team, our mobile pentesting guide for Android and iOS covers the broader toolset and methodology this kind of forensic work sits alongside.
Who Should Actually Run This
Not everyone needs to MVT-scan their phone. This is proportionate for:
- Journalists, human rights defenders, and civil society staff working on subjects that have historically drawn state interest
- Executives and staff involved in sensitive M&A, litigation, or geopolitical-adjacent business
- Anyone who has already received an Apple or Google threat notification — treat it as credible, but verify it by signing in directly to the vendor account portal rather than clicking message links
What You Can Do Today
- Enable Lockdown Mode on iOS for any high-risk individual in your organization — it disables entire categories of attack surface (including several vectors PWNYOURHOME-style chains rely on) at the cost of some device functionality.
- Take Apple/Google threat notifications seriously. Verify them through the official account portal, not through links in a message. Apple says it has sent these notifications in over 150 countries since 2021, and they have correlated with real, confirmed cases.
- Run MVT against a backup for anyone in a high-risk role, on a recurring basis, not just after a suspected incident.
- Keep devices updated. Many documented Pegasus, Predator, and Graphite chains have been closed off by iOS, Android, or app-level patches; your exposure window is the gap between a patch shipping and your devices actually installing it.
- Don’t assume “no confirmed customer” means “no risk.” Attribution gaps are normal in this space; treat unresolved cases as an open threat, not a closed one.
Related Posts
- Court Said Stop. Meta Says NSO Group Didn’t Listen. — the ongoing legal fallout from NSO Group’s WhatsApp attacks.
- Mobile Pentesting: How to Attack Android and iOS Apps Like a Professional — broader mobile security assessment methodology.
- State-Sponsored Threat Actors 2026: Who They Are and What They Do — where mercenary spyware customers fit into the wider threat landscape.
Sources
- Espionage Against the European Parliament: Member of Committee Investigating Spyware Hacked with Pegasus — The Citizen Lab
- By Whose Authority? Pegasus targeting of Russian & Belarusian-speaking opposition activists and independent media in Europe — The Citizen Lab
- Forensic Methodology Report: How to catch NSO Group’s Pegasus — Amnesty International
- Mobile Verification Toolkit (MVT) — GitHub
- Tech Guide: Detecting NoviSpy spyware with AndroidQF and MVT — Amnesty International Security Lab
- About Apple threat notifications and protecting against mercenary spyware — Apple Support
- Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations — The Citizen Lab
- Italian prosecutors confirm journalist was hacked with Paragon spyware — TechCrunch
- Greek court convicts Intellexa founder Tal Dilian, three others in wiretapping scandal — ICIJ