The Spy Who Hacked the Investigator

There is a particular kind of dark comedy that only the surveillance state can produce: a politician tasked with investigating spyware abuses gets hacked by the very spyware he is investigating. Stelios Kouloglou, a Greek journalist-turned-MEP serving on the European Parliament's PEGA committee, didn't just stumble into a trap — he was deliberately targeted with Pegasus, the crown jewel of NSO Group's arsenal, while his committee probed how European governments weaponize such tools against their own citizens. If this were a novel, reviewers would call the plot too on the nose. But this is Brussels, where irony is not a literary device — it's a governance model.

The Anatomy of a Zero-Click Betrayal

Citizen Lab's forensic report is damning in its precision. Kouloglou's iPhone was compromised in October 2022 and twice in March 2023 via a zero-click exploit in Apple's HomeKit framework — a vulnerability already patched, but not yet installed on his device. No phishing link, no malicious attachment. The spyware simply walked in, harvested messages, location data, photos, and walked out. This wasn't opportunistic crime; it was surgical intelligence gathering. The reused attack infrastructure — the same Pegasus-loaded email address seen in previous campaigns against European journalists — screams state actor with an NSO license. Yet NSO Group, as ever, stays silent. The European Commission, tasked with guarding the rule of law across 27 member states, also stayed silent when pressed for comment. Silence, in this business, is complicity.

A Pattern, Not an Anomaly

Let's not pretend this is an isolated incident. Since 2021, the Pegasus Project has revealed a rogues' gallery of victims: Jamal Khashoggi's inner circle, French journalists, Hungarian opposition figures, Catalan separatists, Polish prosecutors. The common thread? Governments buying "lawful intercept" tools and pointing them at critics, not criminals. NSO claims it vets customers; the evidence says it vets checks. The PEGA committee was formed precisely because the European Parliament finally caught on that spyware had become the favorite toy of illiberal democracies inside the EU. Now, one of its own investigators is a data point in the very scandal he was hired to dissect.

The Rule of Law, Hacked

One serving MEP called the hack a "direct attack on the rule of law." That's not rhetoric — it's a legal description. Parliamentary immunity exists to let lawmakers scrutinize power without fear of retaliation. When a foreign (or domestic) intelligence service penetrates a legislator's phone during an active investigation, they aren't just stealing data; they're sabotaging democratic oversight. The timing — October 2022, amid intense committee deliberations — suggests the attackers wanted a front-row seat to the PEGA committee's internal drafts, witness lists, and strategy. They got it. And because the exploit used a patched vulnerability, the only defense was digital hygiene — a burden placed on the victim, not the vendor or the state sponsor.

Europe's Regulatory Theater

The European Commission loves a good regulatory framework. It gave us GDPR, the Digital Services Act, the AI Act. Yet on spyware, it has produced nothing but worried statements and a non-binding recommendation urging restraint. Meanwhile, NSO Group — effectively an arms dealer for digital authoritarianism — still operates with an Israeli export license, selling to EU members like Hungary and Poland, whose governments have been caught red-handed. The Commission's silence on Kouloglou is telling: it would rather not confront the uncomfortable truth that some member states treat the EU's values as optional and its investigators as targets.

No More Studies. Bans.

Editorials like this have been written before. They will be written again. The cycle — revelation, outrage, committee, report, silence — is the spyware industry's best friend. What breaks the cycle? Not another "expert group." Not a "code of conduct." A blanket EU ban on the sale, transfer, and use of mercenary spyware against civilians, with criminal liability for officials who authorize it and companies that enable it. Apple's Lockdown Mode is a admirable technical mitigation, but security shouldn't depend on a toggle buried in Settings. The PEGA committee's final report, due this year, must recommend prohibition — not regulation. Regulation implies a legitimate dual-use market for Pegasus. There isn't one. Every documented use in Europe has targeted journalists, lawyers, or politicians. The product is the abuse.

Kouloglou called the hack "reckless." He's wrong. It was calculated. Reckless implies disregard for consequences; the perpetrators knew exactly what they were doing — silencing an investigation by compromising the investigator. They calculated that Europe would do what it always does: express concern, commission a study, and move on. So far, they're right. The question isn't whether the rule of law was attacked. It's whether the rule of law has the teeth to bite back. Based on the Commission's silence, the answer is still pending.