EU urged to act after Pegasus infects phone of spyware inquiry MEP
Civil liberties groups have accused the EU of dragging its feet in implementing key measures to prevent spyware infections after Citizen Lab revealed a former member of European Parliament was placed under surveillance during his time in office.
Stelios Kouloglou, a former investigative journalist, served as a Greek MEP between 2014 and 2023 and was a substitute member of the inquiry into the use of Pegasus and other spyware (PEGA Committee). After Citizen Lab forensically analyzed his device, the research organization revealed on Friday that his iPhone was infected with Pegasus in October 2022 and again in March 2023, when key hearings about the committee's formal recommendations were taking place.
"The fact that Stelios Kouloglou's device was infected with an intrusive form of spyware that only governments can procure, while he was actively involved in the parliamentary inquiry committee that was investigating spyware abuse by European countries, raises serious concerns about the integrity of independent oversight at the highest levels in Europe," said Elina Castillo Jiménez, advocacy and policy advisor for the Security Lab at Amnesty International.
"The brazen targeting of someone in his position underlines how inadequate the current system is, and is yet another wake-up call that the protections that were put in place to prevent this kind of abuse are still not being implemented in Europe."
Amnesty International is one of the civil liberties groups to co-sign the joint statement to the EU, which lists several demands to ensure spyware abuse "is met with accountability, not impunity."
The signatories called for the EU's Directorate-General for Information Technologies and Cybersecurity (DG ITEC) to launch a robust investigation into the hacking of Kouloglou's iPhone and pinpoint who was responsible.
Attribution is notoriously difficult in cyberattacks, especially spyware cases.
Citizen Lab was unable to definitively pinpoint the NSO Group customer that launched the attacks on Kouloglou, but said it had found no indications that the Greek government was responsible, despite its "extensive" historical abuse of Intellexa's Predator spyware.
However, the research unit posited that the same Pegasus operator that was behind the attacks on seven targets in 2024, all of whom were exiled activists and journalists from Russia, Latvia, or Belarus, was behind the attack on Kouloglou.
The statement also called on the EU to "urgently and publicly" respond to the PEGA Committee's recommendations issued in May 2023, and disclose which of its key points have or have not yet been implemented.
The recommendations fell short of prohibiting spyware sales outright, instead favoring the tight regulation of spyware sales and use within the EU.
Member states seeking to use spyware lawfully would have to involve Europol, be subject to independent oversight, and thoroughly investigate all allegations of abuse.
The statement's signatories, however, believe that the EU has failed to deliver a meaningful response to the PEGA Committee's recommendation, leaving the bloc exposed to repeated spyware scandals.
The signatories further called on the EU to "guarantee effective remedies for victims," which could include access to evidence, notifications of when surveillance occurred, and ensuring those behind the spyware are held accountable.
Campaigners also want to see meaningful reform of the 2021 Dual-Use Regulation. The EU's framework for safely exporting spyware products is currently under evaluation, and the statement calls for any updates to reflect the PEGA Committee's recommendation.
The EU has updated the Regulation several times since adopting it in 2021, and has routinely stood by the system, which aims to reduce the risk that cyber-surveillance tools are exported for use in human rights abuses.
Critics remain unconvinced that the EU is enforcing the Regulation effectively, believing that the required level of monitoring is not being met, which in turn is allowing spyware to spread.
For example, the Centre for Democracy and Technology Europe (CDT), which examined the export controls in four EU countries, said in December that spyware traveling across borders within the EU is not subject to the requisite licensing or accountability measures to effectively prevent abuse.
The statement, to which CDT was also a signatory, stated: "Europe cannot continue moving from scandal to scandal without consequence. The targeting of a Member of the European Parliament involved in investigating spyware abuse should mark a turning point. The EU must act now to defend independent oversight, protect fundamental rights, and ensure that spyware abuse in Europe is met with accountability, not impunity."
Spyware: Not just for foreign adversaries
While regimes such as Russia, Saudi Arabia, Rwanda, and others have been accused of high-profile spyware attacks on specific individuals – of which Jamal Khashoggi was arguably the most infamous – the EU itself has faced various scandals concerning member states.
In February, Greece sentenced four individuals connected with Intellexa to more than 126 years in prison each for their role in the spyware scandal that rocked the country in 2022. Domestic law caps this sentence at eight years, although it is currently suspended pending appeals.
The case involved journalist Thanasis Koukakis and politician Nikos Androulakis, a then-serving MEP, who both discovered they had been infected with Predator spyware.
It would later be revealed that they were among 87 high-profile Greeks to be targeted via hundreds of SMS messages.
Critics suspect Greece and its intelligence agencies played roles in the infections, but they have consistently denied wrongdoing, and its Supreme Court cleared them in 2024.
Elsewhere, Citizen Lab was instrumental in bringing to light what would go on to be dubbed "CatalanGate" – Spain's spyware scandal.
It found that the devices of at least 65 people associated with the Catalan separatist movement were infected with Pegasus or Candiru spyware strains between 2017 and 2020, and at least two were infected with both.
In 2022, Spain dismissed its national intelligence director, Paz Esteban López, after high-ranking ministers, including Prime Minister Pedro Sánchez, were infected with spyware.
In Poland, former intelligence officials and ministers were also charged with using Pegasus spyware in February 2026 after Donald Tusk's government previously committed to an inquiry into the targeting of politicians with spyware in 2024.
Hungary, too, was embroiled in its own spyware scandal in 2021 after it was rumored that Viktor Orbán's government targeted journalists, lawyers, and politicians, as well as people under national security investigation.
The Pegasus Project found evidence of infections on civilians' devices, and a government official confirmed that the country was a Pegasus customer later that year after initially denying the allegations. ®
What's Your Reaction?
Like
0
Dislike
0
Love
0
Funny
0
Wow
0
Sad
0
Angry
0
Comments (0)