Pegasus Spyware Strikes EU Lawmaker Investigating Spyware Abuse: Citizen Lab Exposes Political Surveillance Inside PEGA Committee

Introduction: When the Watchers Become the Watched

The latest investigation by the Citizen Lab has uncovered a disturbing breach at the very heart of Europe’s attempt to regulate commercial spyware. A former Member of the European Parliament, Stelios Kouloglou, who actively served on the PEGA Committee investigating spyware abuses, was himself targeted and infected multiple times with the infamous Pegasus spyware developed by the NSO Group. The findings suggest not only a technical intrusion but a political paradox: the investigator of surveillance abuse became a surveillance target during active legislative scrutiny. The timing, scope, and sophistication of the attack reveal how mercenary spyware continues to operate inside democratic institutions with minimal attribution and maximum stealth.

Expanded Case Summary: The Forensic Breakthrough That Changed the PEGA Narrative

The Citizen Lab forensic report details repeated compromises of Kouloglou’s iPhone across late 2022 and early 2023, specifically around October 21, 2022, and again on March 6 and 7, 2023. Researchers found evidence that the infections were consistent with Pegasus spyware activity, including zero-click exploitation techniques that require no user interaction. A key exploit, internally tracked as “PWNYOURHOME,” was believed to have leveraged Apple’s HomeKit framework, enabling attackers to silently deploy spyware through mobile data processes. Apple later patched the vulnerability in iOS 16.3.1, but at the time of infection, Kouloglou’s device was running iOS 15.5, leaving it exposed.

The report further highlights that Kouloglou received Apple threat notifications on multiple occasions, indicating repeated targeting rather than a single isolated compromise. The infection coincided with critical political events, including PEGA Committee deliberations, hearings, and final drafting stages of the spyware investigation report. This timing raises concerns that sensitive parliamentary discussions may have been exposed in real time.

Adding another layer of complexity, forensic indicators such as a unique email address (“rauharepo888[@]gmail.com”) were also observed in parallel campaigns targeting Russian and Belarusian-speaking journalists and activists in Europe. This overlap suggests that a Pegasus operator with multi-jurisdictional licensing may be responsible, though attribution remains unconfirmed. The Citizen Lab carefully avoids assigning blame to any single government, including Greece, while emphasizing the operational sophistication and geographic reach of the attacker.

The case also intersects with broader surveillance abuse patterns across Europe, where spyware tools marketed for counterterrorism and organized crime investigations are increasingly deployed against journalists, lawmakers, and human rights defenders.

Technical Exploitation Chain: How Pegasus Likely Entered the Device

The infection chain described by researchers reflects a highly advanced zero-click exploit model. In October 2022, the device reportedly triggered a HomeKit-related lookup tied to a specific email address, followed within minutes by Pegasus processes activating over mobile data channels. This suggests a silent remote execution chain requiring no phishing or user interaction.

Apple’s iOS ecosystem, despite its strong security reputation, was exploited through a logic flaw in connected services architecture rather than a traditional app vulnerability. The same exploitation pattern appears again in March 2023, indicating either persistent access or re-infection by the same operator.

The fact that Pegasus remained undetected until forensic analysis in May 2026 highlights a core weakness in endpoint detection systems for mobile devices used by high-level political figures.
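
The sequence described in this section (a HomeKit lookup tied to a specific email address, then new process activity over mobile data within minutes) can be checked for in a merged forensic timeline. The following is an added example, not code from the Citizen Lab report or from this article; the record layout, the 10-minute window and the placeholder process names are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed records, not real device data. The record layout (ts/kind/...) is an
# assumption standing in for a merged forensic timeline export.
SAMPLE_TIMELINE = [
    {"ts": "2022-10-20 18:00:00", "kind": "data_usage", "proc": "apsd", "wwan_bytes": 1200},
    {"ts": "2022-10-21 09:12:04", "kind": "homekit_lookup", "value": "rauharepo888[@]gmail.com"},
    {"ts": "2022-10-21 09:13:30", "kind": "data_usage", "proc": "apsd", "wwan_bytes": 800},
    {"ts": "2022-10-21 09:15:41", "kind": "data_usage", "proc": "placeholder_proc_1", "wwan_bytes": 52000},
    {"ts": "2022-10-21 11:40:00", "kind": "data_usage", "proc": "placeholder_proc_2", "wwan_bytes": 900},
    {"ts": "2022-10-21 12:00:00", "kind": "homekit_lookup", "value": "user@example.com"},
    {"ts": "2022-10-21 12:01:00", "kind": "data_usage", "proc": "placeholder_proc_3", "wwan_bytes": 400},
]

def refang(address):
    """Normalise a defanged address such as name[@]host to name@host, lowercased."""
    return address.replace("[@]", "@").replace("[.]", ".").strip().lower()

def correlate(timeline, watched, window=timedelta(minutes=10)):
    """Flag processes first seen using mobile data shortly after a watched lookup."""
    watched = {refang(w) for w in watched}
    events = sorted(timeline, key=lambda e: e["ts"])  # fixed-width timestamps sort by time
    first_seen, lookups = {}, []
    for e in events:
        when = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        if e["kind"] == "homekit_lookup" and refang(e["value"]) in watched:
            lookups.append(when)
        elif e["kind"] == "data_usage" and e["wwan_bytes"] > 0:
            # Keep only the earliest mobile-data record per process.
            first_seen.setdefault(e["proc"], when)
    hits = []
    for proc, seen in first_seen.items():
        for looked_up in lookups:
            delay = seen - looked_up
            # A process already seen before the lookup has a negative delay and is skipped.
            if timedelta(0) <= delay <= window:
                hits.append((proc, looked_up.isoformat(sep=" "), int(delay.total_seconds())))
                break
    return hits

if __name__ == "__main__":
    for hit in correlate(SAMPLE_TIMELINE, ["rauharepo888[@]gmail.com"]):
        print(hit)
```

A hit is a lead for manual review, not a verdict: legitimate processes can also appear for the first time inside the window, so the baseline period before the lookup should be as long as the available records allow.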

Institutional Impact: PEGA Committee Under Surveillance

Kouloglou’s role in the PEGA Committee, formally known as the Committee of Inquiry into the use of Pegasus and equivalent spyware, makes this case particularly significant. The committee was established in March 2022 to investigate violations of EU law related to spyware deployment across member states.

The infection during active committee work introduces a chilling implication: deliberations intended to regulate surveillance technologies may themselves have been exposed to those same technologies. This represents not just a privacy breach but a structural democratic vulnerability.

The Citizen Lab emphasizes that this is the first publicly confirmed case of a PEGA Committee member being targeted while in office, marking a turning point in understanding the risks faced by lawmakers investigating surveillance industries.

Attribution Complexity: The Multi-Jurisdiction Spyware Ecosystem

Despite strong forensic evidence, attribution remains unresolved. The Citizen Lab notes that the infrastructure overlaps with campaigns targeting Russian and Belarusian dissidents in Europe, implying a Pegasus customer with broad regional authorization.

Pegasus, developed by NSO Group, is licensed to governments under strict conditions, but enforcement of those conditions remains opaque. The spyware is capable of full device compromise, including microphone activation, message extraction, and real-time location tracking.

Researchers suggest that only a limited number of operators with multi-country licensing could execute such parallel campaigns, narrowing—but not identifying—the responsible actors.

Cross-Case Correlation: From Journalists to Lawmakers

The same infrastructure used in Kouloglou’s compromise has been linked to surveillance campaigns against journalists and political dissidents across Europe. The reuse of identifiers such as the same email artifact indicates either centralized operational control or shared tooling between multiple Pegasus customers.

The Citizen Lab warns that such overlaps make attribution difficult and allow surveillance ecosystems to blend state intelligence operations with commercial spyware services. This blending reduces accountability and increases the risk of abuse across borders.

Broader Surveillance Landscape: Beyond Pegasus

The Kouloglou case is part of a wider global surveillance pattern. The Citizen Lab recently documented how forensic tools like Cellebrite UFED were used by Russian authorities to extract intelligence from detained opposition figures, enabling downstream targeting by hacking groups.

This demonstrates a multi-layered surveillance pipeline: device extraction tools, spyware deployment, telecom exploitation, and signaling protocol abuse all operate in parallel ecosystems.

Additionally, researchers identified telecom-based surveillance systems exploiting SS7 and Diameter protocols, enabling location tracking without malware installation. These systems effectively turn global telecom infrastructure into passive intelligence networks.

What Undercode Say:

The Pegasus targeting of a PEGA Committee member exposes a structural contradiction in European digital governance frameworks where oversight bodies are not insulated from surveillance risk

Zero-click exploitation demonstrates that modern mobile OS security models are insufficient against state-grade intrusion chains

The overlap between journalist targeting and parliamentary surveillance suggests convergence of intelligence priorities across civilian and political domains

The use of HomeKit-based exploitation indicates that smart home integrations expand attack surfaces beyond traditional mobile vectors

Multi-jurisdiction Pegasus licensing creates attribution ambiguity that weakens international accountability mechanisms

The delayed detection until forensic review in 2026 highlights the failure of real-time mobile intrusion detection systems

Repeated infections suggest either persistent implants or operational redundancy in spyware deployment

Apple’s threat notification system appears reactive rather than preventive in high-value targeting scenarios

Telecom signaling exploitation shows that surveillance is not limited to endpoints but embedded in infrastructure

The case demonstrates how regulatory bodies investigating spyware are inherently high-value targets

The reuse of email identifiers across campaigns suggests operational reuse or centralized command structure

The absence of attribution underscores geopolitical shielding in commercial spyware ecosystems

Mobile OS patch cycles remain slower than exploit deployment cycles

Legislative transparency does not translate into operational security for lawmakers

PEGA Committee findings may have been partially exposed during active deliberation phases

Surveillance vendors operate in overlapping intelligence markets across Europe and beyond

Commercial spyware is effectively indistinguishable from state intelligence tools in operational use

Cross-border licensing weakens legal enforcement under EU digital law frameworks

Attack surface expansion via IoT ecosystems increases zero-click vulnerability probability

The case illustrates the collapse of traditional perimeter-based mobile security models

Intelligence collection is increasingly embedded in commercial software ecosystems

Forensic detection is becoming the primary method of spyware discovery rather than prevention

Political surveillance risk now includes elected officials investigating surveillance itself

Mobile threat notifications indicate partial ecosystem awareness but limited mitigation capability

Pegasus operations continue despite increased public scrutiny and regulatory pressure

Evidence suggests coordinated infrastructure reuse across multiple campaigns

Telecom operators inadvertently function as surveillance transit nodes

Attribution ambiguity enables plausible deniability for state-linked operators

Smart device integration expands intelligence gathering vectors significantly

European digital sovereignty frameworks remain technically vulnerable

The spyware economy continues to evolve faster than defensive regulation

High-value targets are increasingly identified through political activity rather than technical exposure

Cross-campaign correlation strengthens hypothesis of shared operator infrastructure

Endpoint compromise remains invisible without forensic intervention

Legislative committees lack hardened digital security architecture

Mobile devices remain primary intelligence targets for modern surveillance operations

Exploit chains are becoming modular and reusable across operating systems

Surveillance ecosystems now integrate telecom, software, and forensic toolchains

The boundary between lawful intercept and unlawful espionage is increasingly blurred

This case represents a systemic failure of digital trust in political oversight environments

Accuracy Assessment of Key Claims

✅ Citizen Lab is a credible digital rights research organization with a strong track record in spyware investigations

❌ Exact attribution of the Pegasus operator remains unconfirmed, despite infrastructure correlation

⚠️ Claims of specific exploit usage (PWNYOURHOME) are based on forensic inference, not publicly verifiable exploit code disclosure

❌ No definitive evidence publicly identifies a specific government as responsible for the attack

⚠️ Cross-campaign email correlation suggests linkage but does not prove shared command infrastructure

Prediction: Future Surveillance and Political Risk Trajectory

(+1) Increased regulatory scrutiny across the EU will likely expand legal restrictions on commercial spyware deployment and export licensing
(+1) Mobile OS vendors such as Apple will accelerate zero-click exploit mitigation and expand threat notification systems
(-1) Spyware vendors and state-linked operators will continue adapting to evade attribution through infrastructure fragmentation
(-1) Political figures involved in surveillance oversight will remain high-priority targets for intelligence collection operations
(+1) Public exposure of cases like this may strengthen whistleblower protections and digital security funding in EU institutions

Deep Analysis: Mobile Forensics and Surveillance Detection Layer

# iOS forensic extraction workflow simulation
sudo ios_backup_extractor --device "iPhone" --mode full --decrypt

# anomaly detection in mobile logs
grep -i "homekit" system_logs.log | awk '{print $1,$2,$NF}'

# network behavior inspection for spyware indicators
tcpdump -i en0 host suspicious_domain.com -w capture.pcap

# process chain tracing (Pegasus-like behavior patterns)
ps aux | grep -E "mobiledata|launchd|unknown"

# iOS version vulnerability mapping
curl -s https://security-updates.apple.com/vuln-db | grep "15.5"

# forensic timeline reconstruction
python3 timeline_rebuild.py --input device_dump.raw --output timeline.json

# telecom signaling anomaly simulation
ss7_analyzer --mode trace --detect spoofed_imsi --log alerts.txt

# memory dump scanning for zero-click indicators
volatility -f memory.dump --profile=iOS analyze_suspicious_processes

References:

Reported By: thehackernews.com