Threat Intelligence Very Bearish 7

Zero-Click Pegasus Exploit PWNYOURHOME Hit MEP's iPhone Twice in 6 Months

· 4 min read · Verified by 2 sources ·
Share

Key Takeaways

  • Citizen Lab’s deep-dive forensic analysis reveals a zero-click Pegasus infection on an EU official’s device, demonstrating the stealth and persistence of state-sponsored mobile spyware.

Mentioned

Stelios Kouloglou person European Parliament organization PEGA Committee organization Citizen Lab organization Pegasus technology NSO Group company Sophie in 't Veld person PWNYOURHOME technology

Key Intelligence

Key Facts

  1. 1Stelios Kouloglou, MEP and substitute member of the PEGA spyware inquiry committee, was infected with Pegasus on two separate occasions: October 21, 2022, and March 6–7, 2023.
  2. 2The attack used the zero-click PWNYOURHOME exploit, requiring no user interaction, with a suspicious HomeKit email lookup (rauharepo888@gmail.com) detected minutes before data exfiltration.
  3. 3Kouloglou was actively serving on the committee investigating Pegasus misuse when his own device was compromised, potentially exposing committee communications.
  4. 4The infection was discovered only in May 2026 after Kouloglou voluntarily contacted Citizen Lab, who then conducted forensic analysis of his iPhone.
  5. 5The European Parliament’s PEGA committee was established on March 10, 2022, and concluded on July 18, 2023, during which time the undisclosed attacker may have had access to sensitive deliberations.
  6. 6The spyware maker, NSO Group, was not directly attributed to this specific attack, but Pegasus is exclusively licensed to government clients.
Zero-Click Exploit Used
PWNYOURHOME

First detected on Oct 21, 2022; a HomeKit email lookup was the initial indicator

Analysis

The phone of an MEP sitting on the EU’s spyware inquiry committee was infected via a zero-click exploit—without a single tap—using the PWNYOURHOME vulnerability. This isn’t a proof-of-concept; it’s a real-world, repeated hit with forensic traces that paint a stark picture of the surveillance capabilities deployed against democratic institutions.

In July 2026, the University of Toronto’s Citizen Lab uncovered a stunning security breach at the heart of European democratic institutions: Stelios Kouloglou, a Greek Member of the European Parliament and substitute member of the committee investigating spyware abuse, was himself infected with the Pegasus spyware while the committee was active. The forensic analysis of Kouloglou’s iPhone revealed high-confidence evidence of two separate infection periods—on or around October 21, 2022, and again on March 6–7, 2023—both occurring while he sat on the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA Committee). Kouloglou, a prominent investigative journalist and former Syriza party MEP, had contacted Citizen Lab in May 2026, well after his term ended, seeking answers. The discovery exposes not only the targeting of an elected official but the potential compromise of an official EU investigation into spyware misuse, raising urgent security, legal, and political questions.

Such zero-click capabilities are characteristic of state-grade spyware, and while the client behind this attack is not named in the Citizen Lab report, the use of Pegasus—developed by Israel’s NSO Group—points to a government customer.

The political context is damning. The PEGA Committee was established on March 10, 2022, in the wake of the 2021 Pegasus Project revelations that multiple European governments had used spyware against journalists, activists, and political opponents. Kouloglou was appointed a substitute member on March 24, 2022, meaning he was actively probing the unlawful use of surveillance tools when his own device was broken into. The irony is sharp: a spyware investigator became a spyware victim. The committee, led by Dutch MEP Sophie in ‘t Veld, was tasked with assessing the contravention of EU law and making recommendations to safeguard fundamental rights. Its work culminated in a final report in mid-2023. The fact that a member’s communications were potentially accessible in real time to an unknown actor during this process could undermine the integrity of the inquiry and raises fears that other committee members or staff may also have been targeted.

Technically, the attack used the PWNYOURHOME zero-click exploit, a highly sophisticated tool that requires no user interaction—typically delivered via a malicious iMessage or network packet. On October 21, 2022, at 10:16 UTC, the device performed a lookup for the suspicious HomeKit email address rauharepo888@gmail.com; two minutes later, a Pegasus process was observed using mobile data, consistent with data exfiltration. The second infection wave on March 6–7, 2023, suggests that the attacker maintained persistent interest, possibly to re-infect after a patch or to update their access. Such zero-click capabilities are characteristic of state-grade spyware, and while the client behind this attack is not named in the Citizen Lab report, the use of Pegasus—developed by Israel’s NSO Group—points to a government customer. The incident fits a grim pattern: Citizen Lab and other watchdogs have documented numerous cases of Pegasus being used against journalists, lawyers, activists, and politicians across Europe and beyond.

What to Watch

For the European project, the implications are severe. The attack on an MEP participating in a sensitive inquiry constitutes a breach of parliamentary privilege and a direct assault on EU sovereignty. It exposes the failure of existing cybersecurity measures to protect the European Parliament’s own members. Despite the EU’s General Data Protection Regulation and ongoing discussions on an ePrivacy Regulation, state-sponsored spyware continues to exploit legal gaps and technological asymmetry. The European Commission has long faced calls to ban the export and use of Pegasus-like tools within the Union, but member states have resisted, citing national security prerogatives. This case may reignite those debates, particularly as Greece—a country where Kouloglou was politically active—faces questions about its own possible involvement or tolerance of such surveillance.

Forward-looking, the discovery underscores the chronic delay in detecting and responding to cyber intrusions against high-profile targets. Kouloglou only learned of the compromise thanks to a non-governmental research lab, not any official EU cybersecurity mechanism. This highlights the urgent need for the European Parliament to establish a dedicated, proactive threat-hunting capacity and to mandate prompt disclosure when spyware is detected on EU officials’ devices. The episode may also pressure the incoming European Commission to fast-track legislative proposals on targeted surveillance and to consider sanctions against entities like NSO Group. Ultimately, the hack of an MEP investigating spyware with spyware is not just a personal security failure—it’s an institutional and legal crisis that tests the EU’s ability to defend its democratic processes in the digital age.

Timeline

Timeline

  1. PEGA Committee established

  2. Kouloglou appointed to PEGA

  3. First Pegasus infection

  4. Second infection wave begins

  5. Second infection wave ends

  6. PEGA Committee concludes

  7. Kouloglou's term ends

  8. Contact with Citizen Lab

  9. Public disclosure

Sources

Sources

Based on 2 source articles

Cite This Page

"Zero-Click Pegasus Exploit PWNYOURHOME Hit MEP's iPhone Twice in 6 Months." Cyber Intelligence Brief, July 4, 2026. https://getcyberbrief.com/story/cyber-pegasus-mep-exploit

How we covered this story

Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.

Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.