NSO Group’s hacking software was repeatedly used against a member of the European parliament while he was conducting an investigation of spyware abuses in Europe, according to a new report.
Researchers at the Citizen Lab at the University of Toronto said they could not attribute the attacks against Stelios Kouloglou to any particular government operator of Pegasus spyware. But their investigation found the attack against the Greek now-former MEP bore the hallmarks of a previous hacking campaign against exiled Russian and Belarusian journalists in Europe.
“When you realise your private life is scrutinised by very bad people, you become angry,” Kouloglou, who is also a journalist and left parliament in 2024, said in an interview. “It’s a big issue having to do with corruption, justice and democracy.”
At the heart of Citizen Lab’s new report lies Kouloglou’s work for a special European parliamentary committee known as Pega, which was established in March 2022 after the publication of the Pegasus Project by the Guardian and a consortium of media outlets.
The Pegasus Project revealed how journalists, activists, politicians and other members of civil society were being targeted by governments using Pegasus, which is made by the Israel-based NSO Group and sold to governments around the world for the purposes of stopping serious crime and terror attacks. Pega’s mission in 2022 was to investigate the scope of how spyware was being used in contravention of EU law.
Kouloglou, a journalist who was first elected to the European parliament as a member of the Syriza party, joined the Pega committee in March 2022. His mobile device was first infected, Citizen Lab said, about seven months later, on 21 October 2022, in what was described as a “particularly intense period of activity” in Pega’s deliberations and investigations, including the drafting of the committee’s first report.
NSO did not respond to a request for comment.
The hacking coincided with Kouloglou’s admittance to a hospital for elective surgery, where he was visited by a Greek investigative journalist, Thanasis Koukakis.
Koukakis was at the time working on mercenary spyware stories in Greece, following a major scandal known as the “Greek Watergate”, which involved the illegal targeting of more than 80 people in Greece, including politicians, journalists and military officials. Koukakis was among the targeted victims and had earlier testified about his experience in front of the Pega committee.
Kouloglou’s device was hacked again, Citizen Lab said, on 6 and 7 March 2023, when Pega was involved in intensive discussions related to the final drafting of its report. The hacking coincided with Kouloglou travelling from Athens to Brussels.
Citizen Lab said the revelations in their report marked the first time that a member of the Pega committee is known to have been targeted with spyware. And it comes as the committee’s recommendations have essentially been ignored, said John Scott-Railton, a senior researcher at Citizen Lab.
He said: “This case is the ultimate irony of Europe’s spyware crisis. Someone on the very committee tasked with investigating Pegasus gets infected by it. And what has happened since? The parliament looks the other way when new European spyware abuses emerge.
“I can tell you how the next chapter will go: more hacked parliamentarians. In fact, I suspect there are members voting and attending high-level meetings with no idea that their phone has been turned into a spy in their pocket.”
While Citizen Lab could not pinpoint the probable government client that used the spyware against the then MEP, researchers said they believed the same operator who targeted him also targeted seven Russian and Belarusian-speaking independent journalists and opposition activists based in Europe, who were found to have been targeted or infected with Pegasus spyware.
The researchers identified a unique Apple ID email used in the attacks, which suggests they were by the same government client. The client also probably had licences to operate in Belgium and Greece, Citizen Lab said.