The investigation into digital surveillance technologies took a troubling turn when the investigator himself became a target. Stelios Kouloglou, a journalist and former member of the European Parliament, discovered that his iPhone had been repeatedly compromised by Pegasus, the controversial spyware manufactured by Israeli company NSO Group, during the period when he was actively scrutinising the very technology that would breach his device. According to research published on July 3 by the University of Toronto's Citizen Lab, the intrusions occurred on at least two separate occasions spanning 2022 and 2023, while Kouloglou was working on the European Parliament's PEGA Committee dedicated to examining surveillance tool trafficking.

The implications of this security breach extend far beyond a single politician's compromised device. Kouloglou's iPhone contained highly sensitive material including private communications with Alexis Tsipras, Greece's former prime minister, confidential medical records, and contact details for his journalistic sources. The exposure of such information could have political ramifications within Greece while simultaneously endangering the safety of journalists and sources who had shared information with him in confidence. When confronted with the evidence of the breach, Kouloglou expressed uncertainty about which government entity might have orchestrated the attack, though he pledged to pursue accountability for whoever was responsible.

Pegasus represents a sophisticated tier of digital weaponry that operates unlike conventional malware. NSO Group markets the technology exclusively to government agencies and law enforcement bodies, positioning it as a tool for monitoring terrorism suspects and serious criminals. In practice, the spyware enables authorities to remotely penetrate mobile devices, intercepting voice calls and encrypted messages while extracting stored data without the owner's knowledge or permission. The technology operates across multiple platforms and has proven remarkably difficult for users to detect or prevent. However, the gap between the stated purpose and actual deployment has become increasingly evident to researchers and civil society organisations monitoring surveillance practices globally.

What distinguishes the Kouloglou case is not merely that he was hacked, but that the attack employed exceptionally advanced techniques. Citizen Lab identified the use of a zero-click exploit in at least one instance, meaning the iPhone was silently penetrated without requiring Kouloglou to interact with any suspicious link or file. Such zero-click exploits represent some of the most expensive and technically sophisticated attack vectors available in the digital security landscape, typically costing hundreds of thousands of dollars to develop and deploy. That such resources were directed at a European politician investigating surveillance technology suggests either significant institutional concern about the investigation or a worrying lack of discrimination in how these tools are deployed.

The broader pattern of Pegasus abuse has become increasingly difficult to ignore within European political circles. Citizen Lab's investigation uncovered evidence suggesting the same actor that targeted Kouloglou had also attacked a network of seven Russian- and Belarusian-speaking independent journalists and opposition activists living in Europe. This clustering of targets hints at coordinated surveillance campaigns potentially extending across multiple countries and spanning both political and journalistic spheres. Previous incidents involving European parliamentarians targeted by Pegasus include four Catalan lawmakers between 2019 and 2020 and a French representative in 2023, yet none of those cases involved someone simultaneously investigating the technology itself.

The PEGA Committee's work, which culminated in a 2023 report, reached stark conclusions about surveillance technology's threat to democratic governance. The committee's final analysis characterised Pegasus and similar tools as posing a "threat to democracy and fundamental rights," recommending stricter European Union regulations governing how such technologies could be manufactured, sold, and deployed within member states. These recommendations carried the weight of institutional authority and were based on extensive evidence gathering and expert testimony. Yet the fact that Kouloglou became a victim of the very surveillance tool his committee was evaluating raises uncomfortable questions about whether such investigations can occur in an environment where the subjects of scrutiny maintain technological superiority.

John Scott-Railton, a senior researcher at Citizen Lab, characterised the situation with a sharp observation about the contradictions inherent in Europe's current approach to surveillance regulation. He noted that the European Commission bore responsibility for translating the PEGA Committee's recommendations into enforceable policy, yet had largely allowed those proposals to languish. Scott-Railton framed Kouloglou's hacking as symptomatic of a wider institutional failure, where the very body tasked with combating Pegasus proved unable to protect even its own investigators from the technology. The comment underscores a fundamental tension between identifying problems and possessing the political will or technical capacity to address them.

The European Commission's response to the Kouloglou case demonstrated a measured but somewhat defensive posture. Antoine Lomba, speaking for the Commission, affirmed that the institution was pursuing multilayered approaches to counter illegal spyware deployment, invoking both legislative and non-legislative mechanisms. The Commission explicitly condemned attempts to illegally access citizens' data, particularly targeting journalists and political opponents, while simultaneously characterising the situation as complex and demanding comprehensive solutions. This framing, while technically accurate, appeared to some observers as an attempt to acknowledge the problem without committing to specific timelines or enforcement mechanisms for remedying it.

Sophie in 't Veld, a Dutch former MEP who served as rapporteur for the PEGA Committee, adopted a more unsparing assessment of the European response. She rejected the notion that Kouloglou's targeting represented an isolated incident, instead characterising it as symptomatic of systematic abuse without corresponding accountability. In 't Veld's assessment, five years of Pegasus scandals had produced zero consequences for perpetrators, fostering an environment of complete impunity where governments recognised minimal risk in deploying surveillance tools against political opponents and independent media figures. Her characterisation of Europe's institutional response as inaction reflected growing frustration within civil society circles about the gap between investigative findings and policy outcomes.

For Southeast Asian observers, the Kouloglou case carries particular relevance given the region's own complex relationship with surveillance technology and digital governance. Several Southeast Asian nations have faced international criticism regarding surveillance practices and restrictions on digital freedoms, making the question of how democracies should regulate powerful surveillance tools distinctly pertinent. The European experience demonstrates that even wealthy, established democracies with robust institutional frameworks struggle to effectively constrain surveillance tool abuse once such technologies proliferate among state agencies. The case also illustrates how surveillance technology can function as a tool for silencing investigations into surveillance itself, creating perverse incentives where those attempting to increase accountability face heightened security risks.

The unresolved question of who actually hacked Kouloglou's device remains a critical gap in the narrative. While Citizen Lab can identify that Pegasus was used and can attribute the attack to a particular operator, definitively determining which government deployed the spyware requires additional intelligence that the research group has not yet disclosed publicly. This ambiguity itself constitutes a problem, as it prevents targeted accountability and allows potential perpetrators to maintain plausible deniability. For Kouloglou and other victims of similar intrusions, the absence of clear attribution means that seeking redress or deterring future attacks becomes substantively more difficult, even when technical evidence proves conclusively that an attack occurred.

Moving forward, the Kouloglou case may serve as a catalyst for renewed European efforts to address surveillance technology regulation, though such transformation remains uncertain. The incident provides undeniable evidence that Europe's existing oversight mechanisms proved inadequate to protect even senior investigators from compromise, suggesting that institutional reforms may be necessary regardless of political preferences regarding surveillance regulation. Alternatively, the case might simply become another data point in a lengthening list of documented abuses, with policy responses continuing to lag behind the evolution of surveillance capabilities and their proliferation among government agencies. The outcome will likely depend on whether civil society and concerned politicians can convert the embarrassment of this incident into sustained political pressure for binding enforcement mechanisms and meaningful consequences for surveillance abuse.