EU Urged to Act After Pegasus Hit Its Spyware Inquiry
Civil society groups and MEPs demand the European Commission finally answer for Europe’s spyware crisis, after the watchdog itself was bugged.
July 6, 2026 – 5:23 pm
Image by: MarcelX42
Summary
Civil society groups and MEPs are demanding urgent European Commission action on spyware after Citizen Lab confirmed that Stelios Kouloglou, a member of the Parliament’s PEGA spyware inquiry, was himself hacked with Pegasus in 2022 and 2023. The attacker is unknown, the Commission is silent, and the PEGA committee’s 2023 recommendations remain largely unanswered.
Pressure Mounts on European Commission
Forensic evidence reveals one of the EU’s own spyware investigators was hacked with Pegasus. Civil society groups issued a joint statement demanding the abuse be met with accountability, “not impunity”.
Citizen Lab confirmed last week that Stelios Kouloglou, a Greek former MEP, was infected in October 2022 and again in March 2023. The infections occurred while he served on the PEGA committee, the European Parliament’s inquiry into exactly this kind of abuse.
The attacker remains unidentified, and Citizen Lab has no indication the Greek government was responsible. The same Pegasus-linked email address appeared in an earlier campaign against journalists across Europe, suggesting a customer authorised to deploy the NSO Group tool in multiple countries.
Concerns and Demands
Whoever was behind the hack could have accessed confidential committee documents and deliberations. Lawmakers have described the incident as an attack on the rule of law, and the Parliament’s left grouping is demanding strict EU-wide limits on spyware use.
The Commission did not respond to requests for comment from TechCrunch. It has yet to publicly account for its implementation of the PEGA committee’s 2023 recommendations, the gap campaigners now want closed with a public roadmap.
A Pattern of Spyware Scandals
The statement’s signatories list a pattern of European scandals:
- Spyware used against exiled journalists in Latvia, Lithuania, and Poland
- Targeting of the Parliament’s president with Predator
- Graphite infections in Italy, where spyware-laced fake WhatsApp apps have also surfaced.
EU public money has meanwhile flowed to the surveillance industry itself, according to EUobserver. Enforcement of the bloc’s dual-use export rules remains patchy, as leaked Bulgarian export licences to governments accused of repression showed. On paper, the EU regulates spyware sellers, and in practice it sometimes funds them.
NSO Group and Accountability Questions
NSO Group has meanwhile explored selling Pegasus altogether, a prospect that raises its own accountability questions. The tool’s customers, whoever they are, keep finding European targets.
The PEGA committee spent two years documenting Europe’s spyware problem, and one of its own members was bugged while doing it. If that does not trigger the urgent response campaigners want, it is hard to imagine what would.