The European Parliament convened a committee to investigate Pegasus spyware abuse. Someone deployed Pegasus against one of its members while he served on it. That is the finding, in one sentence, of a Citizen Lab report published July 3 — and it is as stark an illustration of the mercenary spyware problem as any document produced in the four years since the Pegasus Project revelations.

Forensic analysis of an iPhone belonging to Stelios Kouloglou, a Greek journalist and former Member of the European Parliament, found the device was compromised with NSO Group’s Pegasus spyware on or around October 21, 2022, and again on March 6 and 7, 2023. Throughout that window, Kouloglou was a substitute member of the PEGA Committee — the European Parliament’s Committee of Inquiry investigating the use of Pegasus and equivalent surveillance spyware, on which he served from March 2022 to July 2023.

Zero Clicks, Zero Warning

The infections required nothing from Kouloglou — no tapped link, no opened attachment, no mistake. Citizen Lab assesses the spyware was delivered via PWNYOURHOME, a zero-click exploit chain targeting Apple’s HomeKit smart-home software and iMessage that the lab first documented in 2023. The exploit fires silently; the phone shows nothing; the user’s operational security is irrelevant.

Once implanted, Pegasus provides effectively total access: messages before and after encryption, mail, photos, location, contacts — and live microphone and camera activation. The phone of a parliamentarian becomes a room bug that follows him into every meeting.

The compromise surfaced only because artifacts were collected from the device in May 2026 and analyzed — meaning the infections went undetected for more than three years.

What the Spyware Could Reach

The timing is the story. Citizen Lab notes Kouloglou was infected during key periods of PEGA committee activity, and that the spyware would likely have captured non-public information about the committee’s work — potentially breaching EU parliamentary confidentiality and privilege frameworks.

Consider what that means concretely. The PEGA committee interviewed victims, questioned governments, and handled sensitive testimony about spyware abuse across Poland, Hungary, Greece, Spain, and beyond. An operator with Pegasus on a committee member’s phone had visibility into witnesses, draft findings, internal deliberations, and the committee’s strategy — while the committee’s entire mandate was investigating exactly this kind of surveillance. The inquiry into the abuse was itself under surveillance by the tool it was investigating.

Who Did It? Deliberately Unanswered

Citizen Lab is not attributing the infections to any government at this time — and pointedly notes it found no indications the Greek government is responsible, a caveat that matters because Kouloglou is Greek and Greece’s own “Predatorgate” wiretapping scandal ran through the same era.

One thread stands out: the lab identified an overlap between the first infection and a previous campaign targeting Russian- and Belarusian-speaking exiled journalists and activists in Europe. That overlap doesn’t name a customer, but it places Kouloglou’s targeting adjacent to a cluster with clear geopolitical contours. NSO Group maintains it sells only to vetted government customers for fighting crime and terrorism — a claim that grows harder to square with each parliamentarian, journalist, and human-rights lawyer who turns up in the forensic record.

Democracy’s Spyware Problem, Unresolved

The PEGA committee concluded its work in 2023 with recommendations: stricter export controls, national moratoria on abusive deployment, real remedies for victims. Most of it went nowhere. Member states stonewalled the inquiry, and the mercenary spyware industry consolidated and kept selling. This report closes the loop with bleak symmetry — the process democracies used to examine the problem was itself penetrated by the product.

The pattern extends well past Europe’s institutions. Commercial spyware has been found on the devices of opposition politicians, journalists, and civil-society figures across dozens of countries, and the EU’s answer so far has been sanctions frameworks aimed at state-backed cyber operations that barely touch the private surveillance market. Until the customers of that market face consequences, the forensic reports will keep coming — each one discovered years late, attributed to no one.

Lessons Beyond Parliament

  • Zero-click means posture, not caution. High-risk individuals — officials, journalists, executives handling sensitive matters — cannot behave their way out of exposure. Apple’s Lockdown Mode specifically hardens against exploit chains like PWNYOURHOME and has held up remarkably well; for anyone plausibly on a spyware target list, it should be on.
  • Detection lag is the norm. Three-plus years passed between infection and discovery. Periodic forensic checks (via organizations like Citizen Lab, Access Now’s helpline, or Amnesty’s Security Lab) are the only reliable detection path for mercenary spyware.
  • Institutions need device-level threat models. A parliament investigating spyware ran its inquiry over members’ personal iPhones. Sensitive deliberative bodies need hardened devices, not just secure meeting rooms.
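The second lesson above rests on periodic forensic checks, which in practice means comparing artifacts pulled from a device backup or filesystem dump against indicators of compromise that research groups publish as STIX 2.1 bundles (Amnesty’s Mobile Verification Toolkit consumes exactly that format). The following is an added illustration of that matching step, not code from this article, from Citizen Lab, or from MVT. The bundle, the indicator values (`cdn-update.example.invalid`, `fakeprocd`) and the artifact records are all constructed placeholders; real Pegasus indicators come only from the published reports, and only the simplest single-comparison STIX pattern form is handled here.

```python
"""Match device artifacts against STIX 2.1 indicators of the kind
spyware IoC bundles are distributed in.

Added illustration, not code from the article or from Citizen Lab.
Every indicator, domain, process name and timestamp below is a
constructed placeholder, not a real Pegasus indicator.
"""
import json
import re

# Constructed STIX 2.1 bundle. The pattern syntax follows the STIX
# specification; the domain and process names are invented.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "placeholder-spyware-domain",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'cdn-update.example.invalid']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "placeholder-spyware-process",
         "pattern_type": "stix",
         "pattern": "[process:name = 'fakeprocd']"},
        # Non-indicator objects are ignored by the matcher.
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--00000000-0000-4000-8000-000000000004",
         "name": "placeholder", "is_family": True},
    ],
})

# Constructed device artifacts of the kind a backup or filesystem dump
# yields: process names from a data-usage table, hostnames from network
# records. 'kind' uses the STIX object type so lookups are direct.
SAMPLE_ARTIFACTS = [
    {"kind": "process", "value": "mediaserverd",
     "timestamp": "2022-10-21T09:12:00Z"},
    {"kind": "process", "value": "fakeprocd",
     "timestamp": "2022-10-21T09:13:41Z"},
    {"kind": "domain-name", "value": "cdn-update.example.invalid",
     "timestamp": "2023-03-06T22:05:10Z"},
    {"kind": "domain-name", "value": "api.apple.com",
     "timestamp": "2023-03-07T01:00:00Z"},
]

# Only the single-comparison form [object-type:property = 'literal'] is
# supported; compound patterns (AND/OR/FOLLOWEDBY) are skipped, not mis-parsed.
_SIMPLE_PATTERN = re.compile(
    r"^\[\s*([a-z0-9-]+):([a-z0-9_.-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$"
)


def parse_indicators(bundle_json):
    """Return {(object_type, literal): indicator_name} for simple STIX patterns."""
    bundle = json.loads(bundle_json)
    table = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not m:
            continue  # complex pattern: out of scope for this matcher
        obj_type, _prop, literal = m.groups()
        table[(obj_type, literal.replace("\\'", "'"))] = obj.get("name", obj["id"])
    return table


def match_artifacts(artifacts, indicator_table):
    """Return (timestamp, kind, value, indicator_name) for every hit, oldest first."""
    hits = []
    for art in artifacts:
        key = (art["kind"], art["value"])
        if key in indicator_table:
            hits.append((art["timestamp"], art["kind"], art["value"],
                         indicator_table[key]))
    return sorted(hits)


def scan(bundle_json=SAMPLE_BUNDLE, artifacts=SAMPLE_ARTIFACTS):
    """Convenience entry point: parse the bundle and match the artifacts."""
    return match_artifacts(artifacts, parse_indicators(bundle_json))


if __name__ == "__main__":
    for ts, kind, value, name in scan():
        print(f"{ts}  {kind:<12} {value:<32} matches {name}")
```

The ordering of hits by timestamp is deliberate: in a real check the earliest match is what bounds the infection window, which is the number a report like this one turns on. A matcher is only as current as the indicator bundle it loads, so the refresh of that bundle, not the scan itself, is the step a periodic check must not skip.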

Sources