First Confirmed: Pegasus Reuses Attack Email to Hack EU Spyware Investigator
Key Takeaways
- The reuse of a Pegasus-loaded email address across multiple campaigns, including the hack of a PEGA committee member, highlights the operational persistence of state-linked spyware customers and the inadequacy of current defenses.
- This incident provides a critical case study for cybersecurity professionals analyzing zero-click exploit chains and infrastructure tracking.
Mentioned
Key Intelligence
Key Facts
- 1Stelios Kouloglou, a Greek journalist and former politician, served on the European Parliament’s PEGA committee investigating spyware abuses.
- 2Citizen Lab confirmed Kouloglou's phone was infected with NSO Group’s Pegasus spyware during 2022 and 2023, marking the first publicly identified hack of a committee member.
- 3The attack reused the same Pegasus-loaded email address previously employed in a campaign that targeted journalists across Europe.
- 4The unknown government customer’s reuse of the email infrastructure implies NSO Group authorized continued access to its spyware.
- 5An EU lawmaker called the hack a “direct attack on the rule of law” and urged the European Commission to impose strict limits on spyware across the 27-member bloc.
- 6The hack raises concerns that the PEGA committee’s internal communications and confidential findings may have been compromised.
Who's Affected
First time a member of the EU spyware inquiry committee has been confirmed as a Pegasus target
Analysis
For cybersecurity analysts, the Kouloglou case is a textbook example of spyware tradecraft gone wrong. The identical attacker email infrastructure linking two separate campaigns suggests a high degree of operator carelessness—or confidence—that could be exploited for attribution. The attack underscores the persistent threat posed by commercial spyware like Pegasus, which continues to bypass modern endpoint protections.
The confirmation by the University of Toronto’s Citizen Lab that Greek journalist and former politician Stelios Kouloglou was targeted with NSO Group’s Pegasus spyware while serving on the European Parliament’s PEGA committee marks a watershed moment in the ongoing saga of commercial spyware abuse. Kouloglou, a member of the very committee tasked with investigating illicit surveillance across the EU’s 27 member states, had his phone infected during 2022 and 2023—coinciding with the committee’s active inquiry into the misuse of Pegasus and equivalent tools. The deliberate targeting of an oversight body investigator with the same spyware under probe shatters the pretense that such tools are used only against serious criminals, and it elevates the scandal to a direct assault on parliamentary sovereignty and the rule of law.
The attack underscores the persistent threat posed by commercial spyware like Pegasus, which continues to bypass modern endpoint protections.
The forensic link to a reused Pegasus-loaded email address—previously deployed in a campaign that hacked journalists across Europe—underscores the brazenness of the unidentified government customer. While Citizen Lab stopped short of attributing the attack to a specific country, the reuse of attack infrastructure implies that the customer retained NSO Group’s authorization and operational support, raising acute questions about the Israeli company’s vetting and enforcement of its own human rights policies. For years, NSO has claimed it cooperates with investigations and terminates contracts with abusive clients, yet the persistence of the same email vector suggests either complicity or a profound failure of oversight. European lawmakers have seized on the incident, with one describing it as a “direct attack on the rule of law” and demanding the European Commission impose binding limits on spyware across the bloc.
The timing of the hack—during the PEGA committee’s evidence-gathering phase—raises grave concerns about the integrity of its forthcoming report, which is widely expected to call for strict EU-wide regulation. If the attacker gained access to Kouloglou’s communications, they could have monitored internal deliberations, identified witnesses, and gained insight into the committee’s strategies. This constitutes not merely a privacy violation but a potential interference in a sovereign parliamentary process. The legal implications are profound: it may trigger Article 7 proceedings against the member state responsible, expose the spyware vendor to sanctions under the EU’s dual-use export control regime, and open the door for lawsuits before the European Court of Human Rights. For regulators, the incident serves as a catalyst to accelerate the long-stalled European initiative to ban or heavily restrict government-use spyware.
What to Watch
From a cybersecurity perspective, the operational security (OpSec) failure of reusing the same attacking email address provides a rare glimpse into the tradecraft of state-sponsored cyber operators. Pegasus is a zero-click, fileless spyware that exploits undisclosed vulnerabilities to gain full device access, and it has historically been difficult to link campaigns. The common denominator not only aids attribution efforts by groups like Citizen Lab but also signals that the operators may have grown complacent—or that they felt protected by geopolitical considerations. The incident reinforces the urgent need for the security community to intensify tracking of infrastructure reuse, develop better detection heuristics, and pressure mobile operating system vendors to harden defenses against memory corruption exploits.
The market impact is likely to be severe for NSO Group and the broader intrusion software industry. Already facing reputational damage and US export restrictions, NSO could now see EU member states impose coordinated bans, cutting off a significant revenue stream. For corporations, the case underscores the risk of corporate espionage via state-aligned spyware, and it may prompt firms to invest more heavily in mobile threat detection and countersurveillance. Looking forward, the Kouloglou case will almost certainly become a reference example in international law debates on cyber surveillance, parliamentary privilege, and the responsibility of technology providers. The EU’s response—whether through regulation, sanctions, or diplomatic pressure—will set a precedent that could reshape the global governance of surveillance technologies for years to come.
Sources
Sources
Based on 2 source articles- TechCrunchPolitician who investigated spyware abuses had his phone hacked with Pegasus spywareJul 3, 2026
- Zack Whittaker (us)Politician who investigated spyware abuses had his phone hacked with Pegasus spywareJul 3, 2026
How we covered this story
Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.
Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.
| Signal on this page | What it tells you |
|---|---|
| Verified by N sources | Independent corroboration count. N≥2 is our confidence floor; N=1 is marked explicitly. |
| Impact score (1-10) | Regulatory + financial + operational weight. 8+ signals an experienced-operator action item. |
| Sentiment | Five-tier classification trained on labeled cybersecurity-specific corpora. |
| Timeline | Where applicable, the related-events sequence that contextualizes today's development. |