Citizen Lab's forensic report documents that a sitting MEP on the very committee investigating Pegasus was successfully infected during the live investigation, with high-confidence evidence of compromise on October 21, 2022 and again in March 2023. Because Pegasus is sold only to sovereign customers under NSO's stated policy, targeting a supranational parliamentary investigator is definitionally outside any lawful-use doctrine — yet it happened anyway, and persisted long enough to expose both go
Citizen Lab pointedly declines to name the operator but notes the first infection window overlaps a known Pegasus campaign against Russian- and Belarusian-speaking exiles in Europe, implying a customer authorized to spy across multiple European jurisdictions. Combined with the surrounding Greek Predatorgate context, this reframes the incident not as a rogue abuse but as evidence that EU member states are using mercenary spyware against each other's democratic institutions.
By surfacing the Citizen Lab piece under the framing 'Espionage Against the European Parliament,' the submitter treats this as an institutional attack on the EP itself rather than a one-off targeting of an individual MEP. The emphasis is on the political actor behind the operation and the failure of EU-level protections, not on NSO as a vendor.
Citizen Lab published forensic evidence that former Member of the European Parliament Stelios Kouloglou's iPhone was infected with NSO Group's Pegasus spyware while he was serving on PEGA — the European Parliament's special committee established specifically to investigate Pegasus and other mercenary spyware abuses across Europe. Kouloglou was hacked by the exact product his committee was chartered to investigate, and it happened while the investigation was live.
The timeline is specific. Kouloglou contacted Citizen Lab in May 2026. Forensic analysis of artifacts from his device concluded, with high confidence, that Pegasus successfully infected the phone on or around October 21, 2022, and again on March 6 and 7, 2023. Citizen Lab notes the first infection window overlaps with a previously identified Pegasus campaign that targeted Russian and Belarusian-speaking exiled journalists and activists in Europe — meaning the operator is a Pegasus customer with authorization to spy across multiple European jurisdictions.
Citizen Lab does not name the customer, and that ambiguity is the whole story. NSO's stated policy is that Pegasus is sold only to sovereign customers and only for lawful use. A working member of a supranational parliamentary committee, sitting on the file that names your product, is definitionally not a lawful target under any democratic doctrine — and yet, per Citizen Lab, the compromise persisted long enough that both confidential government material and private medical information could plausibly have been exfiltrated from the same device.
There is a European context here that isn't just background color. Around 2022, a large number of Greek politicians, journalists, and business figures had their phones compromised by Predator and Pegasus in what Greek media christened the *Predatorgate* scandal — an affair widely reported to involve the Prime Minister's office and Greek intelligence (EYP), and one that, as HN commenter *elorant* notes, "never got fully resolved." Kouloglou is Greek. He sat on the EU committee investigating exactly this class of abuse. The overlap is not subtle.
The structural problem Pegasus reveals isn't a zero-day; it's a governance vacuum. Poland's PiS government used Pegasus against opposition figures. Spain's CNI used it against Catalan independence politicians. Hungary, per repeated Citizen Lab and Amnesty reports, has used it against journalists. NSO has publicly cut ties with some European customers — Italy being the most recent high-profile example — after abuses became too visible to underwrite. But no European government has been meaningfully sanctioned for domestic misuse, and the PEGA committee's final recommendations, delivered in 2023, were largely non-binding.
The HN thread surfaces a second, more practitioner-shaped complaint. Commenter *bawolff* asks the obvious question: "Does EU parliament not have a policy of separating work and personal devices?" The Citizen Lab report implies the same iPhone held both medical records and committee documents. That is not a Pegasus problem. That is a threat-model problem that any org handling classified material solved decades ago with GFE (government-furnished equipment), MDM enrollment, and hardware separation. A legislator investigating state-grade spyware was carrying committee documents on a personal iPhone with no visible compartmentalization — and the EU has no rule against it.
The technical reality of Pegasus in 2022-2023 is that iOS Lockdown Mode was new, exploit chains were still frequently zero-click via iMessage or FORCEDENTRY-style vectors, and detection required post-hoc forensic sweeps of the type Citizen Lab performs. A senior legislator on a sensitive committee should have been on Lockdown Mode from day one, on a dedicated device, with iCloud disabled, iMessage disabled, and periodic MVT (Mobile Verification Toolkit) sweeps against Amnesty's IOC set. None of that appears to have been mandated.
If you are anywhere near policy, defense, journalism, or corporate M&A work — the operational takeaways are unglamorous and well-known, but this incident is a reminder that they are not being followed even where the stakes are literally *investigating spyware*:
Compartmentalize devices ruthlessly. One phone for sensitive work with Lockdown Mode on, iMessage/FaceTime off, no personal apps, no SMS, no iCloud backup. A second, cheap phone for everything else. The cost is a burner and 20 minutes of setup. The alternative is what happened to Kouloglou.
Run MVT (github.com/mvt-project/mvt) against your device sysdiagnose or a full iTunes backup on a quarterly cadence, using Amnesty's continuously updated IOC feed. It is not perfect — mercenary spyware operators clean up after themselves — but it catches the sloppy campaigns, and Pegasus operators have historically been sloppy.
Assume your MDM does not protect you from a nation-state Pegasus customer. It protects you from a lost phone at an airport. Those are different threat models and conflating them is how organizations end up believing they are covered when they are not. If you would be a plausible target of a Pegasus customer — investigative journalism, dissident diaspora work, corporate espionage-adjacent M&A, defense contracting — a corporate MDM is a floor, not a ceiling.
And for anyone building the *other* side of this: enterprise EDR/XDR for mobile is still an underdeveloped market. The current tools (Lookout, Zimperium, iVerify) mostly detect known-bad hashes and behavioral heuristics. What actually works against Pegasus-class threats — kernel telemetry, memory forensics, decrypted iMessage attachment scanning — remains gated behind Apple's platform decisions.
The PEGA committee is dissolved. Its final report was ignored. Its members were, at minimum in Kouloglou's case, surveilled by the vendor they were investigating. The lesson from Kouloglou isn't that Pegasus is powerful — everyone already knew that — it's that European democratic institutions have no working immune response to commercial spyware, and the vendors know it. The next mercenary-spyware scandal will not be smaller. It will be Paragon, Intellexa, Candiru, or a Chinese entrant nobody is watching yet, and it will find another Kouloglou. The only real question is whether any EU government finds the political will to mandate the boring hygiene — separate devices, Lockdown Mode by default, mandatory MVT sweeps for anyone on a sensitive committee — before the next report lands on Citizen Lab's desk.
> we note an overlap between the first infection and a previously identified Pegasus campaign targeting Russian and Belarusian-speaking exiled journalists and activists in Europe, suggesting a Pegasus customer with authorization to spy in multiple European countries is responsible.Who has "a
> It is important to note that threat notifications from Apple and other companies are not real-time alerts. They are typically sent to users in batches, often months or more after targeting takes place.Wow, so Apple is able to detect threat, but does not remove or prevent it, and waits silently
Around that time a lot of politicians in Greece had their phones hacked by Pegasus. It's an ongoing scandal in Greece that never got fully resolved, although all evidence indicate that it was an operation orchestrated by the office of the prime minister in coordination with the local intelligen
Isn't it the problem with software architecture choices like large monolitic kernels, lots of unnecessary telemetry/marketing services, legacy APIs, unsafe languages like C, lack of static analysis, etc?You should threat a phone as an infected ground and do not keep anything important ther
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
> In May 2026, Kouloglou contacted the Citizen Lab and we conducted a forensic analysis of artifacts from his iPhone. We found with high confidence that his device was successfully infected with Pegasus spyware on or around October 21, 2022, and again on March 6 and 7, 2023.