Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds



Pierluigi Paganini
July 03, 2026

A former EU lawmaker was hacked with Pegasus spyware while investigating its use, according to Citizen Lab.

The Citizen Lab published a report documenting one of the more darkly ironic findings in recent surveillance research: former Member of the European Parliament Stelios Kouloglou was repeatedly infected with NSO Group’s Pegasus spyware while serving on the very committee tasked with investigating Pegasus abuses across the EU. The PEGA Committee ran from March 2022 to July 2023. Kouloglou was on it the entire time.

“We found that former Member of the European Parliament Stelios Kouloglou was hacked with Pegasus spyware while serving on the PEGA committee, which investigated Pegasus and other spyware abuses in Europe,” reads the Citizen Lab report. “Through forensic analysis of his device, we found that the attackers could have had access to confidential documents and committee deliberations.”

The infections happened on October 21, 2022, and again on March 6 and 7, 2023, both during periods of intense PEGA activity. The first infection came ten days before a planned committee visit to Greece and Cyprus, and while drafts of the first PEGA report were circulating among members. The second hit while the committee was deep in the final drafting process, two months before the report’s adoption in May 2023.

The delivery mechanism for the first infection was PWNYOURHOME, a zero-click exploit targeting Apple’s HomeKit system.

“On 2022-10-21 10:16, there was a lookup for a HomeKit email address rauharepo888 [@]gmail.com. Two minutes later, a Pegasus process used mobile data. We assess that the phone was hacked with the PWNYOURHOME zero-click exploit at this point,” continues the report. “PWNYOURHOME appeared to first involve the attacker sending a specially crafted NSKeyedArchive that landed in HomeKit, followed by malicious content that landed in MessagesBlastDoorService.”

No interaction was required from Kouloglou. His device was running iOS 15.5 on both infection dates, a version Apple had already moved past. He also received three Apple threat notifications about mercenary spyware targeting, in March 2023, August 2023, and April 2024. He told the Citizen Lab he didn’t recall seeing any of them.

The timing of the first infection adds another layer. On October 21, 2022, Kouloglou was in a Greek hospital for elective surgery. He was visited that day by investigative journalist Thanasis Koukakis, who had himself been confirmed as a Predator spyware target and had testified before the PEGA Committee the month before. If Pegasus captured conversations in that hospital room, Greek law covering confidentiality of health data may have been violated.

Citizen Lab says it is highly confident that former MEP Stelios Kouloglou was infected with Pegasus, but cannot identify the NSO customer behind the attack. Researchers found no evidence linking the operation to the Greek government, which has instead been associated with Predator spyware. Technical evidence suggests the same Pegasus operator also targeted Russian and Belarusian journalists and activists in Europe. The infections occurred in both Greece and Belgium, indicating the spyware operator likely held a license allowing surveillance across multiple EU countries.

“We further note that infections appear to have been present on his phone in at least two European jurisdictions (Greece and Belgium),” continues Citizen Lab. “Based on what we know of NSO Group’s licensing, this would likely indicate that the customer had a license that enabled infections in multiple EU jurisdictions, narrowing the list of potential Pegasus operators that could be responsible for this case.”

The same HomeKit email address used against Kouloglou in 2022 appeared in a prior Citizen Lab investigation into Pegasus infections of Russian and Belarusian-speaking journalists and activists living in Europe.

This is the first confirmed case of a PEGA Committee member being hacked with Pegasus while the committee was in session. It is not the first case of an MEP being targeted with spyware: Catalan MEPs were hit with Pegasus as far back as 2019, and French MEP Nathalie Loiseau confirmed she was targeted in early 2024. The Citizen Lab is now calling on the European Parliament to investigate the full scope of spyware targeting during the PEGA proceedings, and urging DG ITEC, which already offers optional spyware screening for MEPs, to significantly increase screening rates and publish yearly statistics.

The committee spent more than a year investigating who was spying on Europeans. Someone was apparently taking notes the whole time.

“Whichever entity is responsible for the hacking, the infection could have exposed strictly confidential exchanges among PEGA Committee members and their staff, and other sensitive and confidential parliamentary proceedings, including to parties under investigation by the Committee itself,” concludes the report. “The finding that a PEGA Committee member was targeted with Pegasus spyware during the Committee’s work highlights the serious threat that mercenary spyware poses to the integrity of democratic processes.”


(SecurityAffairs – hacking, Pegasus spyware)






