The Pegasus Investigators Got Pegasus

24

Stelios Kouloglou knew the game. He was an MEP, part of the EU’s special task force hunting down spyware. In the summer of 2022 he traveled the continent, sitting with victims of digital surveillance, peeling back layers on a scandal that involved journalists, police chiefs, and politicians alike. He thought he was holding the magnifying glass. He didn’t know the lens was turning back on him.

Then the data came out. His iPhone was compromised. By Pegasus. The very same tool he was hired to expose.

“It was something really too reckless,” he says.

It is a dark joke. An investigator hacked by the crime he investigates. Kouloglou spent years digging into this stuff before joining the parliament, so he wasn’t naive about the threats. Still. Shock hits different when it’s your own phone ringing with malware. Now he’s angry. Rightfully so.

Here is the background you probably know but need to hear again. Pegasus isn’t just an app you download by accident. It exploits holes in iOS and Android to slip past the defenses. Once inside? The camera rolls. The mic stays open. Messages, photos, contact lists, everything goes to whoever paid for it. Developed by NSO Group, an Israeli firm that recently saw a majority of its shares bought by US investors in 2025, the spyware is sold to governments. Theoretically for catching terrorists. In practice? Often used on journalists, activists, and annoying politicians.

The University of Toronto’s Citizen Lab dropped the forensic report this past Friday. The timing couldn’t be worse. Or better, depending on if you like drama. Kouloglou’s phone was targeted not once. But multiple times. First on October 21, 2202, while he was in the hospital recovering from elective surgery. Imagine. Lying there. Vulnerable. Then a Greek investigative journalist—Thanasis Koukakis—who had himself been hacked by another piece of spyware called Predator, visits him. They talk. Maybe about the committee. Maybe about the case.

Then silence. Until March 2023. The committee was gearing up for key hearings. They were about to interrogate spyware vendors. That is when Pegasus strikes again. On March 6th and 7th. Coincidence? You tell me.

The irony is suffocating.

Hannah Neumann, another MEP on the committee who is green-leaning and definitely not subtle about this, called it absurd. The attackers weren’t just watching the guy. They were watching the investigation.

“We spied on the spying investigation,” Neumann tells WIRED. That is how it played out.

The Citizen Lab researchers did a deep dive. They couldn’t pinpoint who ordered the hits. No smoking gun pointing at a specific government agency. They explicitly ruled out the Greek government this time, which matters because Greece was in the middle of its own “Watergate” style spyware mess involving Intellexa’s Predator software around the same time. But the fingerprints match. The attack vectors overlapped with attempts against seven Russian and Belarusian-speaking journalists between late 2020 and early 2023. It’s a pattern. It’s always a pattern.

John Scott-Railton from Citizen Lab puts it bluntly.

“It’s open spyware season on European lawmakers.”

No one is prepared. National parliaments? Defenseless. The EU? Sleeping.

Kouloglou admits he probably saw Apple’s “Lockdown” warnings—the alerts that say ‘hey, someone might be hacking you.’ He got them in March and August 2303. Again in April 2404. But notifications arrive late. By the time the letter comes, the burglary is done. He doesn’t remember seeing them anyway. Who looks at their screen for errors when they are busy saving democracy?

What bothers the most people is that nothing has changed. The PEGA Committee finished its work. It handed over a list of demands. Build an EU tech lab for forensic analysis. Create a spyware task force for elections. Secure the channels. Years passed. The dust settled. And then bam. A committee member gets rooted.

Europe has ignored the problem until the problem bit the hand feeding it.

The European Parliament spokesperson wouldn’t give WIRED details but pointed to some “screening systems” for MEPs. Measures. Expansions of protection. Sounds like tech jargon for “we are trying.” But try harder. The recommendations are gathering digital mold.

Scott-Railton calls the situation an embarrassment. And he isn’t wrong. Other nations have moved. The US has sanctioned vendors, banned visas, used executive orders to chill the spyware market. Europe just debates. Meanwhile AI is making this cheaper. Easier. Faster. The barrier to entry is vanishing.

Kouloglou looks at the breach as a violation of his personal life. Messages with kids. With relatives. Not just work stuff. Life.

“It’s not a matter only of privacy. It is justice. Democracy.”

He wants accountability. But accountability requires action. So far, the silence is louder than the spyware alarms.