Inside Europe’s Spyware Crisis: How an EU Lawmaker Was Hacked While Investigating Pegasus Itself + Video


Introduction: When the Watchers Become the Watched

The European Parliament’s investigation into mercenary spyware was supposed to expose hidden abuses of surveillance technology across the continent. Instead, it has now become part of the very story it was trying to uncover. Former Greek Member of the European Parliament Stelios Kouloglou, serving directly within the PEGA Committee inquiry into Pegasus abuse, was himself targeted and infected with spyware during critical phases of parliamentary work. The revelations, confirmed through forensic analysis by Citizen Lab, expose a disturbing paradox: those tasked with investigating surveillance may have been surveilled in real time.

Summary of the Original Investigation: A Case That Hits the Core of EU Security

Citizen Lab confirmed that Kouloglou’s iPhone was compromised at least twice, first on October 21, 2022, and again between March 6–7, 2023. Both attacks occurred while he was actively involved in sensitive PEGA Committee deliberations. The infections are linked to NSO Group’s Pegasus spyware, a powerful surveillance tool associated with zero-click exploits and high-level government clients.

The findings suggest that confidential EU parliamentary discussions may have been exposed during ongoing legislative and investigative processes, raising concerns about institutional security, democratic integrity, and the protection of privileged political communications within the European Parliament.

Expanded Investigation Details: A Pattern Beyond a Single Device

Citizen Lab’s analysis revealed that the attack infrastructure does not point clearly to a single nation-state actor such as Greece. Instead, it indicates a more complex operational footprint. A key identifier, a HomeKit lookup email linked to the infection chain, matched earlier Pegasus targeting infrastructure previously documented in Europe.

This overlap connects the attack to broader Pegasus campaigns that have targeted journalists, activists, and political figures across multiple countries. The evidence suggests that a licensed NSO Group customer operating across jurisdictions may have deployed the spyware, reinforcing concerns that surveillance operations are not isolated incidents but part of a coordinated ecosystem of mercenary spyware usage.

Pegasus Infection Timeline: Targeted at Critical Political Moments

The October 2022 infection occurred during a sensitive phase of PEGA Committee work, shortly before key fact-finding missions. The March 2023 compromise aligned with intense final-report drafting sessions in Brussels, a period when internal discussions carried significant political weight.

These timelines suggest more than opportunistic hacking. Instead, they indicate strategic targeting designed to access privileged political intelligence at moments when it would be most valuable for influencing or anticipating EU investigative outcomes.

Technical Exploitation Chain: Zero-Click Intrusion and Silent Access

The attack leveraged the PWNYOURHOME exploit chain, a sophisticated zero-click method requiring no user interaction. It began with a malicious NSKeyedArchive object delivered via Apple’s HomeKit framework and escalated through MessagesBlastDoorService to execute payload delivery.

At the time, the affected device was running iOS 15.5, leaving it exposed to vulnerabilities later mitigated in iOS updates. The use of zero-click exploitation underscores the advanced capability of Pegasus spyware, particularly its ability to silently compromise devices without user awareness or engagement.

Apple Security Context: Delayed Awareness and Patch Gaps

Apple later patched components of the exploit chain, including vulnerabilities in HomeKit and messaging services. However, the case highlights a critical gap: delayed system updates combined with highly advanced exploit chains can create windows of opportunity for surveillance actors.

Kouloglou also reportedly received multiple Apple threat notifications in 2023 and 2024 warning of mercenary spyware targeting. However, he did not recall seeing them, raising questions about whether such warnings are effectively communicated or understood by high-risk individuals.

Surveillance During Vulnerability: A Hospitalization Window of Exposure

One of the most alarming aspects of the October 2022 infection is its timing. It occurred while Kouloglou was hospitalized for elective surgery, during a visit by journalist Thanasis Koukakis, himself previously targeted by Predator spyware.

This overlap raises the possibility that not only political communications but also sensitive health-related contexts may have been exposed. Such exposure could intersect with EU privacy protections and national healthcare confidentiality laws, amplifying the severity of the breach.

EU Institutional Risk: The PEGA Committee Under Surveillance

The fact that a sitting member of the PEGA Committee was compromised during its investigative work represents a direct institutional security failure. The committee was established specifically to investigate spyware abuse across Europe, including tools like Pegasus developed by NSO Group.

The European Parliament, through its PEGA Committee, was meant to serve as a safeguard against exactly this type of intrusion. Instead, the investigation itself appears to have been partially exposed to the very threats it sought to regulate.

Broader Spyware Ecosystem: Beyond a Single Vendor

The case also exists within a wider surveillance ecosystem involving multiple commercial spyware vendors. Alongside Pegasus, tools such as Intellexa Predator have been linked to European surveillance controversies.

While no direct link to the Greek government was confirmed in this case, the infrastructure overlap suggests that mercenary spyware operations often transcend national boundaries, operating through licensed clients across different jurisdictions.

Human Rights and Democratic Integrity: The Core Concern

The targeting of lawmakers raises fundamental questions about democratic resilience. When elected officials investigating surveillance become surveillance targets themselves, the balance of power between institutions and private spyware vendors shifts dangerously.

Organizations like Citizen Lab and others have repeatedly warned that mercenary spyware undermines not only individual privacy but also institutional integrity, especially when deployed against political actors involved in oversight.

Institutional Response: Calls for Urgent Reform and Protection

Following the findings, researchers have called for immediate forensic screening of PEGA Committee members and staff. Recommendations include stronger device protection measures such as mobile lockdown modes, enhanced threat monitoring systems, and formal investigations by EU institutions.

The European Parliament and European Commission are now under pressure to reassess internal cybersecurity protocols to ensure that sensitive legislative processes are not exposed to external surveillance threats.

What Undercode Says:

The case signals a structural failure in EU institutional cybersecurity resilience

Zero-click spyware remains one of the most dangerous modern cyber intrusion methods

Political targeting of lawmakers undermines legislative independence

PEGA Committee exposure indicates insider-level intelligence compromise risk

Surveillance tools are evolving faster than regulatory countermeasures

Mercenary spyware creates a privatized intelligence ecosystem beyond state control

Infrastructure overlap suggests multi-jurisdiction surveillance coordination

Device patch latency remains a critical vulnerability window

Apple threat notifications lack behavioral effectiveness in real-world scenarios

Hospital or private life contexts are increasingly exploited attack windows

EU political investigations are no longer insulated from cyber threats

Intelligence gathering may now target oversight bodies directly

Zero-click exploits bypass traditional security hygiene entirely

HomeKit and messaging frameworks represent high-value attack surfaces

Spyware operators prioritize timing over brute-force persistence

Cross-border infrastructure hints at commercialized surveillance networks

Journalist-lawmaker overlap indicates ecosystem targeting clusters

Legislative confidentiality is no longer guaranteed digitally

Advanced spyware blurs the line between intelligence and criminal intrusion

Political exposure risk increases during report drafting phases

Institutional trust is weakened by invisible data breaches

Cyber forensic attribution remains probabilistic, not absolute

EU cybersecurity policy may lag behind offensive capability evolution

Surveillance detection requires continuous real-time monitoring

Device compromise often persists undetected for months

Threat intelligence sharing between institutions remains limited

Spyware targeting is increasingly precision-based, not mass-based

Legislative oversight bodies are now strategic intelligence targets

Mobile devices remain the weakest link in high-level security chains

Regulatory response cycles are slower than exploit development cycles

Pegasus ecosystem continues to evolve despite global scrutiny

Infrastructure reuse is a signature of persistent operators

Health-related contexts create additional privacy risk layers

Awareness gaps reduce effectiveness of official threat warnings

Institutional cybersecurity must expand beyond technical fixes

Human factors remain central to breach persistence

Mercenary spyware markets incentivize continuous innovation

EU governance systems require embedded digital protection layers

Transparency in spyware use remains politically contested

The Pegasus case is now a benchmark for democratic cyber risk

✅ Citizen Lab has previously documented Pegasus infections targeting journalists and political figures across Europe, supporting the broader context of the claim.

❌ Direct attribution of the attack to a specific NSO Group customer is not definitively proven; findings are based on infrastructure correlation, not confirmed identity.

⚠️ The infection timing and device vulnerability details are forensic conclusions, but exact operational intent cannot be independently verified beyond technical indicators.

Prediction:

(+1) Increased EU regulatory pressure will likely lead to stricter spyware export controls and internal parliamentary cybersecurity reforms. 🔐📉
(-1) Commercial spyware ecosystems like Pegasus and Predator may continue evolving faster than enforcement mechanisms, enabling ongoing political targeting risks. ⚠️🕵️

Deep Analysis: Cybersecurity Forensics & System Exposure

Linux / Network Investigation Commands

Check suspicious outbound connections (without -l, which would list only listening sockets and never match ESTABLISHED)

netstat -tupen | grep ESTABLISHED

Inspect resolver activity for anomalies (systemd-resolved only records individual queries when its log level is raised)

journalctl -u systemd-resolved --no-pager | tail -n 200

Analyze device compromise indicators (iOS backup extraction case)

idevicebackup2 backup ./backup

Search for suspicious HomeKit-related logs (conceptual; grep needs -r to descend into the directory)

grep -ri "homekit" /var/log/

Review process-level anomalies

ps aux --sort=-%mem | head -n 20

Incident Response Framework

Identify zero-click entry vectors in messaging frameworks

Correlate timeline logs with political activity windows

Validate forensic artifacts from mobile device backups

Compare infrastructure fingerprints across campaigns

Cross-reference threat intelligence databases (IOCs)

Preserve chain-of-custody for legal admissibility

Perform memory and sandbox analysis of exploit payloads

Monitor HomeKit, iMessage, and Apple services telemetry

Validate OS patch level exposure windows

Conduct multi-jurisdiction attribution correlation
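The two framework steps "Correlate timeline logs with political activity windows" and "Validate OS patch level exposure windows" can be combined into one triage pass. The following is an added example written for this article, not code from Citizen Lab or the original post: it takes the two detection dates and the iOS 15.5 version the article reports (assumed here for both events) and tests each detection against activity windows and a fixed-version table; the window boundaries and the patch entry are constructed placeholders, not real PEGA dates or Apple release data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Window:
    """A sensitive activity period to correlate detections against."""
    label: str
    start: date
    end: date

    def contains(self, day: date) -> bool:
        return self.start <= day <= self.end

def parse_ios_version(text: str) -> tuple:
    """'15.5' -> (15, 5, 0); '16.0.3' -> (16, 0, 3); padded so tuples compare cleanly."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def correlate(events, windows, patch_table):
    """For each detection return the device's patch state and the activity windows it fell in.

    events: (detection_date, exploit_chain, ios_version_on_device)
    patch_table: exploit_chain -> (first_fixed_ios_version, fix_release_date)
    """
    report = []
    for day, chain, os_text in events:
        fixed_ver, fix_date = patch_table[chain]
        report.append({
            "date": day.isoformat(),
            "chain": chain,
            "ios": os_text,
            # Did the device already carry the fix when the infection was detected?
            "patched": parse_ios_version(os_text) >= parse_ios_version(fixed_ver),
            # Days a fix had been available but not installed (0 if not yet released).
            "days_unpatched": max(0, (day - fix_date).days),
            "windows": [w.label for w in windows if w.contains(day)],
        })
    return report

# Detection dates and iOS 15.5 are from the article; window boundaries and the patch entry are CONSTRUCTED placeholders.
EVENTS = [(date(2022, 10, 21), "PWNYOURHOME", "15.5"), (date(2023, 3, 6), "PWNYOURHOME", "15.5")]
WINDOWS = [Window("PEGA fact-finding phase (placeholder dates)", date(2022, 10, 1), date(2022, 11, 30)),
           Window("PEGA final-report drafting (placeholder dates)", date(2023, 2, 15), date(2023, 3, 31))]
PATCH_TABLE = {"PWNYOURHOME": ("16.99", date(2022, 9, 1))}  # PLACEHOLDER values, not Apple's release data

if __name__ == "__main__":
    for row in correlate(EVENTS, WINDOWS, PATCH_TABLE):
        print(row)
```

Replacing the placeholder table with vendor advisory dates turns "days_unpatched" into the real exposure window the framework step asks for.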

Security Architecture Insight

The Pegasus case demonstrates that modern surveillance bypasses traditional perimeter security. Instead, exploitation occurs at the application layer, often inside trusted system services. This shifts cybersecurity defense from firewall-centric models to behavioral and telemetry-driven detection systems.

Strategic Implication

Future institutional defense will require embedded endpoint monitoring, continuous OS integrity validation, and AI-assisted anomaly detection capable of identifying zero-click patterns before full compromise occurs.


References:

Reported By: cyberpress.org