A European politician’s phone was hacked with Pegasus spyware while he was serving on a committee investigating misuse of the notorious surveillance tool, security researchers have confirmed. The finding is rekindling controversy over governments misusing spyware to collect information about their critics.
Researchers at The Citizen Lab, the University of Toronto’s digital rights arm, say the confirmed hacking of the phone of Greek journalist and former politician Stelios Kouloglou during 2022 and 2023 marks the first time that a member of the European Parliament’s PEGA committee, tasked with investigating phone spyware attacks by European governments, has been publicly identified as a victim of spyware.
Kouloglou told TechCrunch in a phone call that the intentional compromise of his phone was “reckless.” A serving European parliamentarian described the hacking of Kouloglou’s phone as a “direct attack on the rule of law” and called on the European Commission to take concrete action by imposing strict limits on the use of spyware in the 27-member-state bloc.
While spyware attacks on MPs are rare, the timing of the attack, and the targeting of a committee investigator with the same spyware the committee was investigating, show an intense focus on the inner workings of the committee ahead of the findings of its widely anticipated report. The hacks have raised new questions about how governments use spyware to identify serious crime but are then caught spying on the communications of journalists, lawmakers and critics.
Citizen Lab researchers did not blame any specific country for the phone hacking, but said the government customer used the same Pegasus-linked attacking email address that was used in a previous campaign that hacked the phones of journalists across Europe. The identity of the customer is not known, but the reuse of the same attacking email address indicates that the customer had NSO Group’s authorization to use its Pegasus spyware to spy on phones in several countries in Europe.
A European Commission spokesperson did not respond to TechCrunch’s request for comment. NSO Group also did not respond to a request for comment about the Citizen Lab report before publication.
Citizen Lab said in its report on Friday that Kouloglou was hacked in October 2022 and at least twice during March 2023 by exploiting a security vulnerability in Apple’s iPhone software. The vulnerability had been patched, but the fix had not yet been installed on Kouloglou’s phone. The exploit was a “zero-click” bug, meaning the spyware broke into his phone and stole his data without requiring any interaction on his part.
The exploit took advantage of a previously discovered flaw in Apple’s smart home software used in iPhones. This allowed the spyware to extract private data from Kouloglou’s phone without his knowledge, such as his text messages and other correspondence, location data, and photographs.
The timing of the October 2022 hack coincides with intensive discussions over emails and text messages in October and November 2022 before the distribution of the first draft describing spyware abuses focusing on Cyprus, Greece, Hungary, Poland and Spain.
The hack coincided with the exact time Kouloglou was in the hospital for a pre-scheduled surgery, which would have allowed spyware operators to listen to ambient audio about his health care or other interactions he had with visitors at that time.
Citizen Lab said that months later, on 6 and 7 March, Kouloglou’s phone was hacked again by the same Pegasus operator while he traveled from Athens to Brussels during the period of the committee’s hearings, a few months before the committee finalized and adopted its written draft report.
In a call, Kouloglou told TechCrunch that he didn’t know why he was specifically targeted, but he believed it was because of his work on the European Parliament committee investigating Pegasus abuse.
He expressed anger on learning that his phone had been hacked.
“You realize that all your personal data [was taken] – not all professional exchanges or messages with ministers – but also very personal things, like happy moments and sad moments,” he told TechCrunch.
Kouloglou said he plans to sue Israeli-headquartered spyware maker NSO Group. NSO has been largely banned from use in the United States following a Biden-era executive order that outlawed the government’s use of spyware that could violate people’s human rights.
Last year, the spyware maker confirmed that an unnamed US investment group had invested millions of dollars in the company, possibly as part of an effort to rehabilitate NSO’s troubled brand linked to enabling human rights abuses.
Kouloglou said he was bringing his story to the public “to fight for democracy, human rights and corruption.”
“Everyone is worried about corruption,” he said.