Pegasus Spyware Hit EU Parliament Spy Probe Member Twice
Citizen Lab has confirmed that Stelios Kouloglou, a former Member of the European Parliament (MEP) and member of the PEGA committee investigating spyware abuses, was infected with NSO Group's Pegasus spyware on two separate occasions: October 21, 2022, and March 6-7, 2023. This marks the first time a sitting PEGA committee member has been publicly identified as a Pegasus victim.
Technical Infection Details
Forensic analysis of Kouloglou's iPhone revealed Pegasus infections via the PWNYOURHOME zero-click exploit. On October 21, 2022, at 10:16, a HomeKit email address lookup (rauharepo888@gmail.com) occurred. Two minutes later, a Pegasus process used mobile data. The exploit chain involved a crafted NSKeyedArchive landing in HomeKit, followed by malicious content in MessagesBlastDoorService. Apple mitigated the HomeKit issue in iOS 16.3.1 and the MessagesBlastDoorService issue earlier, likely in iOS 16.1. At the time of infection, the device ran iOS 15.5 (19F77). The second infection, on March 6-7, 2023, used the same exploit. Apple sent threat notifications on March 2, 2023, August 29, 2023, and April 10, 2024, though Kouloglou didn't recall receiving them.
Timing and Committee Activities
The first infection coincided with intense PEGA committee activity: hearings on "Big Tech and Spyware" (October 26), "Spyware and e-privacy" (October 26), and fundamental rights (October 27). The committee was drafting its first report, delivered November 8, 2022, covering Poland, Hungary, Greece, Cyprus, and Spain. Kouloglou was also planning research visits to Greece and Cyprus (November 1-4, 2022). On the exact infection day, he was in hospital for elective surgery and met with journalist Thanasis Koukakis, a known spyware victim. The second infection occurred during final drafting of the PEGA report, adopted May 8, 2023, while Kouloglou traveled from Athens to Brussels.
Attribution and Broader Context
Citizen Lab did not attribute the attacks to a specific government. No evidence suggests Greek government involvement; Greece is not known to use Pegasus, though it has used Intellexa's Predator spyware. The first infection overlaps with a previously identified Pegasus campaign targeting Russian and Belarusian-speaking exiled journalists in Europe, suggesting a customer authorized to spy in multiple EU countries. Other MEPs have been targeted: four Catalan MEPs (Diana Riba, Jordi Solé, Clara Ponsati, Carles Puigdemont) and French MEP Nathalie Loiseau. The European Parliament's IT Services found spyware on devices of MEPs on the security and defence subcommittee in February 2024.
Implications
These infections likely exposed non-public communications about committee activities, potentially breaching EU parliamentary confidentiality and privilege frameworks. The hospital infection also risked capturing medical data, implicating Greek data protection laws (Law 4624/2019). Developers working on secure communication tools should note that zero-day exploits can bypass Apple's security protections, and that threat notifications may arrive months late. The use of HomeKit as an attack vector underscores the need to minimize attack surface in messaging and smart home integrations.
What Developers Should Do
- Audit third-party integrations: HomeKit's NSKeyedArchive parsing was exploited; validate all deserialization.
- Implement exploit mitigation: Use techniques like PAC (Pointer Authentication Codes) and JIT hardening.
- Monitor threat notifications: Apple's alerts are batched; set up additional real-time monitoring where possible.
- Assume zero-click risk: For high-value targets, consider hardware-backed isolation or dedicated devices.
- Stay updated: iOS 16.3.1 fixed the HomeKit issue, but earlier versions remain vulnerable.
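To make the "validate all deserialization" item concrete, the following added example (not code from the article, Citizen Lab, or Apple) inspects an NSKeyedArchiver plist before any object is decoded and reports class names outside an allowlist. The names `ALLOWED_CLASSES`, `archive_classes`, `disallowed_classes` and `build_sample` are hypothetical, and the sample archives are constructed in the script.

```python
import plistlib

# Assumption for this example: the only classes this application expects to decode.
ALLOWED_CLASSES = {"NSDictionary", "NSArray", "NSString", "NSNumber", "NSObject"}


def archive_classes(data):
    """Return every class name an NSKeyedArchiver plist declares, without decoding objects."""
    plist = plistlib.loads(data)
    if not isinstance(plist, dict) or plist.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver archive")
    objects = plist.get("$objects")
    if not isinstance(objects, list):
        raise ValueError("archive has no $objects table")
    names = set()
    for obj in objects:
        # Class descriptors are dicts with $classname plus the superclass chain in $classes.
        if isinstance(obj, dict) and "$classname" in obj:
            names.add(str(obj["$classname"]))
            chain = obj.get("$classes", [])
            if isinstance(chain, list):
                names.update(str(c) for c in chain)
    return names


def disallowed_classes(data, allowed=ALLOWED_CLASSES):
    """Classes named by the archive that are outside the allowlist; empty means acceptable."""
    return archive_classes(data) - set(allowed)


def build_sample(classname, chain):
    """Construct a minimal archive (sample data made up here, not a captured payload)."""
    return plistlib.dumps({
        "$version": 100000,
        "$archiver": "NSKeyedArchiver",
        "$top": {"root": plistlib.UID(1)},
        "$objects": ["$null",
                     {"$class": plistlib.UID(2), "NS.objects": []},
                     {"$classname": classname, "$classes": chain}],
    }, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    expected = build_sample("NSArray", ["NSArray", "NSObject"])
    unexpected = build_sample("ExampleUnexpectedClass", ["ExampleUnexpectedClass", "NSObject"])
    print("expected archive, rejected classes:", disallowed_classes(expected))
    print("unexpected archive, rejected classes:", disallowed_classes(unexpected))
```

On Apple platforms the decode-time counterpart of this check is NSSecureCoding with an explicit set of allowed classes.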
This case demonstrates that spyware operators actively target investigators. The technical community must prioritize defensive tooling and rapid patching to counter nation-state-level threats.


