Zero-Click Pegasus Exploit PWNYOURHOME Hit MEP's iPhone Twice in 6 Months
Key Takeaways
- Citizen Lab’s deep-dive forensic analysis reveals a zero-click Pegasus infection on an EU official’s device, demonstrating the stealth and persistence of state-sponsored mobile spyware.
Mentioned
Key Intelligence
Key Facts
- 1Stelios Kouloglou, MEP and substitute member of the PEGA spyware inquiry committee, was infected with Pegasus on two separate occasions: October 21, 2022, and March 6–7, 2023.
- 2The attack used the zero-click PWNYOURHOME exploit, requiring no user interaction, with a suspicious HomeKit email lookup (rauharepo888@gmail.com) detected minutes before data exfiltration.
- 3Kouloglou was actively serving on the committee investigating Pegasus misuse when his own device was compromised, potentially exposing committee communications.
- 4The infection was discovered only in May 2026 after Kouloglou voluntarily contacted Citizen Lab, who then conducted forensic analysis of his iPhone.
- 5The European Parliament’s PEGA committee was established on March 10, 2022, and concluded on July 18, 2023, during which time the undisclosed attacker may have had access to sensitive deliberations.
- 6The spyware maker, NSO Group, was not directly attributed to this specific attack, but Pegasus is exclusively licensed to government clients.
First detected on Oct 21, 2022; a HomeKit email lookup was the initial indicator
Analysis
The phone of an MEP sitting on the EU’s spyware inquiry committee was infected via a zero-click exploit—without a single tap—using the PWNYOURHOME vulnerability. This isn’t a proof-of-concept; it’s a real-world, repeated hit with forensic traces that paint a stark picture of the surveillance capabilities deployed against democratic institutions.
In July 2026, the University of Toronto’s Citizen Lab uncovered a stunning security breach at the heart of European democratic institutions: Stelios Kouloglou, a Greek Member of the European Parliament and substitute member of the committee investigating spyware abuse, was himself infected with the Pegasus spyware while the committee was active. The forensic analysis of Kouloglou’s iPhone revealed high-confidence evidence of two separate infection periods—on or around October 21, 2022, and again on March 6–7, 2023—both occurring while he sat on the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA Committee). Kouloglou, a prominent investigative journalist and former Syriza party MEP, had contacted Citizen Lab in May 2026, well after his term ended, seeking answers. The discovery exposes not only the targeting of an elected official but the potential compromise of an official EU investigation into spyware misuse, raising urgent security, legal, and political questions.
Such zero-click capabilities are characteristic of state-grade spyware, and while the client behind this attack is not named in the Citizen Lab report, the use of Pegasus—developed by Israel’s NSO Group—points to a government customer.
The political context is damning. The PEGA Committee was established on March 10, 2022, in the wake of the 2021 Pegasus Project revelations that multiple European governments had used spyware against journalists, activists, and political opponents. Kouloglou was appointed a substitute member on March 24, 2022, meaning he was actively probing the unlawful use of surveillance tools when his own device was broken into. The irony is sharp: a spyware investigator became a spyware victim. The committee, led by Dutch MEP Sophie in ‘t Veld, was tasked with assessing the contravention of EU law and making recommendations to safeguard fundamental rights. Its work culminated in a final report in mid-2023. The fact that a member’s communications were potentially accessible in real time to an unknown actor during this process could undermine the integrity of the inquiry and raises fears that other committee members or staff may also have been targeted.
Technically, the attack used the PWNYOURHOME zero-click exploit, a highly sophisticated tool that requires no user interaction—typically delivered via a malicious iMessage or network packet. On October 21, 2022, at 10:16 UTC, the device performed a lookup for the suspicious HomeKit email address rauharepo888@gmail.com; two minutes later, a Pegasus process was observed using mobile data, consistent with data exfiltration. The second infection wave on March 6–7, 2023, suggests that the attacker maintained persistent interest, possibly to re-infect after a patch or to update their access. Such zero-click capabilities are characteristic of state-grade spyware, and while the client behind this attack is not named in the Citizen Lab report, the use of Pegasus—developed by Israel’s NSO Group—points to a government customer. The incident fits a grim pattern: Citizen Lab and other watchdogs have documented numerous cases of Pegasus being used against journalists, lawyers, activists, and politicians across Europe and beyond.
What to Watch
For the European project, the implications are severe. The attack on an MEP participating in a sensitive inquiry constitutes a breach of parliamentary privilege and a direct assault on EU sovereignty. It exposes the failure of existing cybersecurity measures to protect the European Parliament’s own members. Despite the EU’s General Data Protection Regulation and ongoing discussions on an ePrivacy Regulation, state-sponsored spyware continues to exploit legal gaps and technological asymmetry. The European Commission has long faced calls to ban the export and use of Pegasus-like tools within the Union, but member states have resisted, citing national security prerogatives. This case may reignite those debates, particularly as Greece—a country where Kouloglou was politically active—faces questions about its own possible involvement or tolerance of such surveillance.
Forward-looking, the discovery underscores the chronic delay in detecting and responding to cyber intrusions against high-profile targets. Kouloglou only learned of the compromise thanks to a non-governmental research lab, not any official EU cybersecurity mechanism. This highlights the urgent need for the European Parliament to establish a dedicated, proactive threat-hunting capacity and to mandate prompt disclosure when spyware is detected on EU officials’ devices. The episode may also pressure the incoming European Commission to fast-track legislative proposals on targeted surveillance and to consider sanctions against entities like NSO Group. Ultimately, the hack of an MEP investigating spyware with spyware is not just a personal security failure—it’s an institutional and legal crisis that tests the EU’s ability to defend its democratic processes in the digital age.
Timeline
Timeline
PEGA Committee established
European Parliament sets up an inquiry committee to investigate Pegasus and equivalent spyware misuse in the EU.
Kouloglou appointed to PEGA
Greek MEP Stelios Kouloglou becomes a substitute member of the PEGA Committee.
First Pegasus infection
Kouloglou's iPhone is compromised via the PWNYOURHOME zero-click exploit, with forensic evidence of a HomeKit email lookup and mobile data exfiltration.
Second infection wave begins
A second Pegasus infection period starts, indicating renewed or sustained targeting against the MEP.
Second infection wave ends
The second infection event concludes, as per forensic timeline.
PEGA Committee concludes
The committee finalizes its work, publishing a report on spyware contraventions of EU law.
Kouloglou's term ends
Kouloglou leaves the European Parliament after elections, no longer holding office.
Contact with Citizen Lab
Kouloglou reaches out to Citizen Lab to investigate potential spyware on his device.
Public disclosure
Citizen Lab publishes its findings, revealing the Pegasus infections during the PEGA inquiry.
Sources
Sources
Based on 2 source articles- citizenlab.caEspionage Against the European ParliamentJul 3, 2026
- Mep Sophie (us)Espionage Against the European ParliamentJul 3, 2026
Cite This Page
"Zero-Click Pegasus Exploit PWNYOURHOME Hit MEP's iPhone Twice in 6 Months." Cyber Intelligence Brief, July 4, 2026. https://getcyberbrief.com/story/cyber-pegasus-mep-exploit
How we covered this story
Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.
Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.
| Signal on this page | What it tells you |
|---|---|
| Verified by N sources | Independent corroboration count. N≥2 is our confidence floor; N=1 is marked explicitly. |
| Impact score (1-10) | Regulatory + financial + operational weight. 8+ signals an experienced-operator action item. |
| Sentiment | Five-tier classification trained on labeled cybersecurity-specific corpora. |
| Timeline | Where applicable, the related-events sequence that contextualizes today's development. |