Pegasus on the MEP investigating Pegasus
Citizen Lab's forensic analysis found that former European Parliament member Stelios Kouloglou was repeatedly infected with NSO Group's Pegasus spyware while serving on the committee tasked with investigating that industry.
Citizen Lab’s forensic team reported this week that former Member of the European Parliament Stelios Kouloglou was, during his time on the body’s committee investigating commercial spyware, repeatedly infected with the very product the committee was investigating: NSO Group’s Pegasus.
You can read the sentence twice if you like. It does not get funnier the second time.
Kouloglou was one of the members seated on PEGA — the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware — which the European Parliament stood up in 2022 in response to the Predator and Pegasus cases surfacing across the bloc. The committee’s job, as chartered, was to look at whether member states had used commercial spyware against journalists, opposition politicians, dissidents, lawyers, and each other. Its final report, in 2023, said yes, several had, and recommended a raft of licensing and export-control reforms most of which have not happened.
What Citizen Lab found
The specifics belong to Citizen Lab’s own writeup and to Kouloglou. Publicly, the shape of it is: forensic analysis of his mobile device turned up Pegasus infections during his committee tenure — meaning during the very period in which he was, on paper, one of the gatekeepers over the industry that was surveilling him. Citizen Lab has not, in the material summarized publicly so far, attributed the infections to a specific NSO customer state. We should not either.
That last part matters. Pegasus is licensed to a long list of government customers, and identifying the operator behind a given infection is the question Citizen Lab spends months answering, not weeks, and never guesses at. When we know, we’ll say. Until then, “infected with Pegasus” is the fact; “by whom” is a separate question, and the honest answer today is: not yet public.
Why this one lands harder than the others
The commercial-spyware beat has, at this point, a long list of confirmed victims: journalists across a dozen jurisdictions, opposition figures in Poland and Hungary and Greece and Spain, lawyers representing dissidents, senior civil servants. Each of those is a serious case in its own right, and cumulatively they were exactly the reason the European Parliament stood up PEGA in the first place.
What is different about this case is the loop it closes. The industry’s basic public defense — reiterated by NSO Group, reiterated by their competitors, reiterated by the licensing states that buy them — has been some version of: our tools are used lawfully against serious criminals and terrorists by responsible governments under judicial oversight, and the abuse cases are outliers. That claim has always been implausible, and PEGA’s own final report treated it as such. But the surveillance of a member of PEGA itself is not an outlier. It is the industry’s product being used against the specific mechanism the European Union set up to constrain it, during the period that mechanism was operating.
This is the same mistake, different decade. The FBI wiretapped members of the Church Committee’s staff. GCHQ’s tasking was found, decades later, to have swept up Amnesty International’s lawyers and Human Rights Watch’s researchers. The dynamic — the surveillance apparatus turning inward on the people appointed to look at it — is not a new failure mode. It is the failure mode of this class of tool when it is deployed without hard external constraint. Commercial spyware is the same tool in a new business model.
What to do with this, if you do anything
For most 0daynews readers this is not, strictly, a patch-and-move-on item. Pegasus is not a mass-market threat and there is no CVSS number attached to being an appointed committee member; that is the wrong frame. If you handle sensitive advocacy, legal, or journalistic communications, the standing advice from Citizen Lab and Access Now still applies: iOS Lockdown Mode, GrapheneOS on the Android side, and — most importantly — the assumption that your device is a potentially hostile artifact when you are the kind of person a state has a reason to spend six figures surveilling.
For everyone else this belongs in the policy bucket. It is another data point in the argument that the commercial-spyware market cannot be self-regulated by its buyers, and that the European Union’s PEGA reforms, or something like them, need to actually pass. The industry keeps supplying evidence for its own regulation. Whether the gatekeepers use it is a separate story, and one we will follow.
The tools do not care who bought them. That is the whole design.