
First Confirmed: Pegasus Reuses Attack Email to Hack EU Spyware Investigator

4 min read · Verified by 2 sources

Key Takeaways

  • The reuse of a Pegasus-loaded email address across multiple campaigns, including the hack of a PEGA committee member, highlights the operational persistence of state-linked spyware customers and the inadequacy of current defenses.
  • This incident provides a critical case study for cybersecurity professionals analyzing zero-click exploit chains and infrastructure tracking.

Mentioned

NSO Group (company), Pegasus (product), Stelios Kouloglou (person), Citizen Lab (company), European Parliament (company), European Commission (company)

Key Intelligence

Key Facts

  1. Stelios Kouloglou, a Greek journalist and former politician, served on the European Parliament’s PEGA committee investigating spyware abuses.
  2. Citizen Lab confirmed Kouloglou's phone was infected with NSO Group’s Pegasus spyware during 2022 and 2023, marking the first publicly identified hack of a committee member.
  3. The attack reused the same Pegasus-loaded email address previously employed in a campaign that targeted journalists across Europe.
  4. The unknown government customer’s reuse of the email infrastructure implies NSO Group authorized continued access to its spyware.
  5. An EU lawmaker called the hack a “direct attack on the rule of law” and urged the European Commission to impose strict limits on spyware across the 27-member bloc.
  6. The hack raises concerns that the PEGA committee’s internal communications and confidential findings may have been compromised.

Who's Affected

  • NSO Group (company): Negative
  • Pegasus (product): Negative
  • Citizen Lab (company): Positive
  • European Parliament (company): Negative

Confirmed PEGA Committee Hack: 1st

First time a member of the EU spyware inquiry committee has been confirmed as a Pegasus target

Analysis

For cybersecurity analysts, the Kouloglou case is a textbook example of spyware tradecraft gone wrong. The identical attacker email infrastructure linking two separate campaigns suggests a high degree of operator carelessness—or confidence—that could be exploited for attribution. The attack underscores the persistent threat posed by commercial spyware like Pegasus, which continues to bypass modern endpoint protections.

The confirmation by the University of Toronto’s Citizen Lab that Greek journalist and former politician Stelios Kouloglou was targeted with NSO Group’s Pegasus spyware while serving on the European Parliament’s PEGA committee marks a watershed moment in the ongoing saga of commercial spyware abuse. Kouloglou, a member of the very committee tasked with investigating illicit surveillance across the EU’s 27 member states, had his phone infected during 2022 and 2023—coinciding with the committee’s active inquiry into the misuse of Pegasus and equivalent tools. The deliberate targeting of an oversight body investigator with the same spyware under probe shatters the pretense that such tools are used only against serious criminals, and it elevates the scandal to a direct assault on parliamentary sovereignty and the rule of law.

The forensic link to a reused Pegasus-loaded email address—previously deployed in a campaign that hacked journalists across Europe—underscores the brazenness of the unidentified government customer. While Citizen Lab stopped short of attributing the attack to a specific country, the reuse of attack infrastructure implies that the customer retained NSO Group’s authorization and operational support, raising acute questions about the Israeli company’s vetting and enforcement of its own human rights policies. For years, NSO has claimed it cooperates with investigations and terminates contracts with abusive clients, yet the persistence of the same email vector suggests either complicity or a profound failure of oversight. European lawmakers have seized on the incident, with one describing it as a “direct attack on the rule of law” and demanding the European Commission impose binding limits on spyware across the bloc.

The timing of the hack—during the PEGA committee’s evidence-gathering phase—raises grave concerns about the integrity of its forthcoming report, which is widely expected to call for strict EU-wide regulation. If the attacker gained access to Kouloglou’s communications, they could have monitored internal deliberations, identified witnesses, and gained insight into the committee’s strategies. This constitutes not merely a privacy violation but a potential interference in a sovereign parliamentary process. The legal implications are profound: it may trigger Article 7 proceedings against the member state responsible, expose the spyware vendor to sanctions under the EU’s dual-use export control regime, and open the door for lawsuits before the European Court of Human Rights. For regulators, the incident serves as a catalyst to accelerate the long-stalled European initiative to ban or heavily restrict government-use spyware.

What to Watch

From a cybersecurity perspective, the operational security (OpSec) failure of reusing the same attacking email address provides a rare glimpse into the tradecraft of state-sponsored cyber operators. Pegasus is zero-click, fileless spyware that exploits undisclosed vulnerabilities to gain full device access, and its campaigns have historically been difficult to link. The shared address not only aids attribution efforts by groups like Citizen Lab but also signals that the operators may have grown complacent, or that they felt protected by geopolitical considerations. The incident reinforces the urgent need for the security community to intensify tracking of infrastructure reuse, develop better detection heuristics, and pressure mobile operating system vendors to harden defenses against memory corruption exploits.
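To make the infrastructure-reuse tracking described above concrete, here is an added example (not from the sources or from Citizen Lab's tooling) that clusters forensic cases sharing a normalized indicator such as a sender address. The case names, addresses, and domains are constructed placeholders, and lowercasing the whole address is an analyst assumption.

```python
from collections import defaultdict

# Constructed sample data: case names and indicators are placeholders, not real IoCs.
CASES = {
    "case-A-journalists": {"email": ["Sender.One@mail.example"], "domain": ["cdn-a.example"]},
    "case-B-committee": {"email": [" sender.one@MAIL.example"], "domain": ["cdn-b.example."]},
    "case-C-unrelated": {"email": ["other@mail.example"], "domain": ["cdn-c.example"]},
}

def normalize(kind, value):
    """Canonical form so case, whitespace or a trailing dot does not hide reuse."""
    v = value.strip().lower()  # assumption: treat addresses as case-insensitive
    if kind == "domain":
        v = v.rstrip(".")
    return (kind, v)

def link_cases(cases):
    """Return (clusters, shared): cases grouped by common indicators, and the linking indicators."""
    seen = defaultdict(set)  # indicator -> set of cases it appears in
    for case, indicators in cases.items():
        for kind, values in indicators.items():
            for value in values:
                seen[normalize(kind, value)].add(case)

    parent = {c: c for c in cases}  # union-find, so links are transitive

    def find(c):
        while parent[c] != c:
            parent[c] = parent[parent[c]]
            c = parent[c]
        return c

    shared = {}
    for indicator, members in seen.items():
        if len(members) > 1:
            first, *rest = sorted(members)
            shared[indicator] = [first, *rest]
            for other in rest:
                parent[find(other)] = find(first)

    groups = defaultdict(list)
    for c in cases:
        groups[find(c)].append(c)
    return sorted(sorted(g) for g in groups.values()), shared

if __name__ == "__main__":
    clusters, shared = link_cases(CASES)
    print("clusters:", clusters)
    print("linking indicators:", shared)
```
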

The market impact is likely to be severe for NSO Group and the broader intrusion software industry. Already facing reputational damage and US export restrictions, NSO could now see EU member states impose coordinated bans, cutting off a significant revenue stream. For corporations, the case underscores the risk of corporate espionage via state-aligned spyware, and it may prompt firms to invest more heavily in mobile threat detection and countersurveillance. Looking forward, the Kouloglou case will almost certainly become a reference example in international law debates on cyber surveillance, parliamentary privilege, and the responsibility of technology providers. The EU’s response—whether through regulation, sanctions, or diplomatic pressure—will set a precedent that could reshape the global governance of surveillance technologies for years to come.

Sources

Based on 2 source articles
