Pegasus Spyware Infected the Phone of an MEP Investigating Spyware, TechCrunch and WIRED Report

A pointed export-control-policy disclosure — the spyware-inquiry rapporteur becomes the target.

Share

Key Takeaways

  • On or around July 3, 2026, TechCrunch and WIRED reported that a Member of the European Parliament (MEP) who had served on the EU's spyware-abuse inquiry — the Committee of Inquiry into the use of Pegasus and equivalent surveillance spyware, known as the PEGA Committee — had a phone found to be infected with Pegasus spyware, the surveillance product made by Israel's NSO Group.
  • The forensic analysis was published by Citizen Lab, which identified the target as former Greek MEP Stelios Kouloglou and dated the infections to periods in 2022 and 2023 that overlapped with his committee work; Citizen Lab said it found no indication the Greek government was responsible and, based on an overlap with a separate campaign, assessed that a Pegasus customer authorized to operate across multiple European countries was the likely operator, while stopping short of naming that customer.
  • The disclosure reframes the EU's long-running spyware debate as an export-control and oversight-integrity story: the person tasked with scrutinizing mercenary spyware was himself surveilled with it, and civil-society groups including Amnesty International used the finding to press the EU for concrete action; whether sanctions or export-control measures follow is not yet known.

The person tasked with investigating mercenary spyware in Europe was, forensic analysts say, surveilled with it — turning a technical disclosure into an export-control and oversight-integrity test for the EU.

BRUSSELS — A Member of the European Parliament who sat on the bloc's own inquiry into spyware abuse had a phone infected with Pegasus, the surveillance tool sold by Israel's NSO Group, according to reporting published on or around July 3, 2026 by TechCrunch and WIRED. The forensic work underpinning the reporting was published by the University of Toronto's Citizen Lab, which named the target as former Greek MEP Stelios Kouloglou and tied the intrusions to his time on the European Parliament's Committee of Inquiry into the use of Pegasus and equivalent surveillance spyware — the body known as the PEGA Committee.

The finding lands as an oversight-integrity and export-control story rather than a fresh technical mystery: the same class of mercenary spyware the PEGA Committee was convened to investigate was, analysts say, deployed against one of its own members. Citizen Lab said it found no indication that the Greek government was behind the targeting and, citing an overlap with a separate Pegasus campaign, assessed that a customer authorized to operate across multiple European countries was the likely operator — without naming that customer. Civil-society groups including Amnesty International seized on the disclosure to renew calls for EU-level action, echoing the pressure The CyberSignal has tracked in adjacent surveillance and messaging-security cases such as Germany's attribution of Signal phishing to Russia.

At a Glance
FieldDetails
WhoFormer Greek MEP Stelios Kouloglou, a substitute member of the European Parliament's PEGA Committee (per Citizen Lab)
WhatPhone found infected with Pegasus spyware, the surveillance product made by NSO Group
Reported byTechCrunch and WIRED (~July 3, 2026); follow-up by The Register (~July 6, 2026)
ForensicsPublished by Citizen Lab; response and joint statement backed by Amnesty International and other civil-society groups
TimingInfections dated to periods in 2022 and 2023 overlapping the MEP's committee work
AttributionNo indication of Greek-government responsibility; a Pegasus customer authorized across multiple EU countries assessed as likely operator — customer not named
Policy angleRenewed civil-society calls for EU action on export controls and spyware oversight
Open itemsSpecific NSO customer; whether EU sanctions or export-control measures follow

What TechCrunch and WIRED Reported

The core of the reporting is straightforward and, for anyone who followed the EU's spyware saga, pointed. TechCrunch and WIRED reported that a Member of the European Parliament involved in the EU's spyware-abuse inquiry had a phone found to be infected with Pegasus spyware, the tool made by NSO Group. The reporting drew on forensic analysis published by Citizen Lab, which identified the target as former Greek MEP Stelios Kouloglou and connected the infections to his role on the Committee of Inquiry into the use of Pegasus and equivalent surveillance spyware — the PEGA Committee — which the Parliament stood up in 2022 to examine spyware abuse across the bloc.

Per Citizen Lab's account, Kouloglou was a substitute member of that committee, and the analysts dated the intrusions to periods in 2022 and 2023 that overlapped with the committee's active work. The significance the outlets drew out is not the mechanics of the infection — which The CyberSignal does not detail here — but the target selection: the individual assigned to help scrutinize mercenary spyware in Europe was, forensic analysts concluded, surveilled with exactly the product his committee was investigating. That framing is what turned a single-target forensic report into a European policy story within hours of publication.

It is worth being precise about what is confirmed versus what remains open. The MEP's identity, the Pegasus attribution, and the committee connection rest on Citizen Lab's forensic publication and were carried by TechCrunch, WIRED, and other outlets. What the reporting does not settle is which specific NSO Group customer operated the spyware, and whether any EU sanctions or export-control response will follow. Those are the load-bearing unknowns, and the coverage has been careful to preserve them as such.

Why a Spyware-Inquiry MEP Is the Story

The PEGA Committee was the European Parliament's formal answer to a wave of Pegasus revelations that swept the continent starting in 2021, when journalists, activists, and politicians across several member states were found on target lists. Kouloglou, a longtime Greek investigative journalist elected to the Parliament in 2015, sat on that committee as a substitute member — placing him among the people with direct access to the inquiry's deliberations, witnesses, and draft findings. Citizen Lab's assessment is that the intrusions could have exposed confidential committee material, which is why the disclosure reads less as an individual privacy harm and more as a strike at the integrity of the oversight process itself. The pattern of surveillance aimed at elected officials and their communications is one The CyberSignal has followed in cases like the breach of France's Tchap government messenger.

That is the defender-relevant heart of the matter: when the person investigating a surveillance tool becomes a target of it, the incident stops being about one compromised device and starts being about whether independent oversight can function at all. For any institution that runs sensitive investigations — legislative committees, regulators, courts, newsrooms — the lesson is that the investigators themselves are part of the attack surface, and their communications and devices warrant the same threat modeling as the systems they scrutinize. High-risk-user protection is not a courtesy extended to a handful of dignitaries; it is a structural requirement for keeping an oversight body's work confidential.

The reporting also underscores why the mercenary-spyware market keeps returning to the policy agenda. Pegasus and tools like it are sold as government-only products, which means that whenever a European official is found to have been targeted, the immediate question is which state authorized the operation and under what legal basis. Here Citizen Lab explicitly declined to pin responsibility on the Greek government and instead pointed, on the basis of overlapping infrastructure, to a customer operating across multiple European countries — a distinction that matters enormously for accountability but that the analysts did not resolve into a name.

The Export-Control and Oversight-Policy Implications

The clearest policy line running through the coverage is export control. Mercenary spyware sits at the intersection of dual-use export regimes, national-security licensing, and human-rights conditionality, and the EU has spent years debating whether its existing frameworks — including dual-use export rules and member-state licensing regimes — are adequate to constrain how tools like Pegasus are sold and used within the bloc. A disclosure that an EU lawmaker was surveilled while investigating spyware gives that debate a concrete, high-salience example: it is difficult to argue the status quo is working when the oversight body itself was penetrated by the product under review.

Civil-society groups moved quickly to convert the finding into pressure. Amnesty International and allied organizations issued statements framing the case as evidence of "painful inaction" on spyware and calling for an independent assessment of continued Pegasus use in Europe, along with an accounting of progress on the PEGA Committee's earlier recommendations. Whether that pressure produces sanctions, tightened export licensing, or binding oversight measures is precisely the open question the reporting flags — the disclosure creates momentum, but the policy outcome is unwritten. The dynamic mirrors the enforcement-versus-inertia tension The CyberSignal has covered in litigation such as Meta's contempt motion against NSO Group in the WhatsApp case.

For policy watchers, the export-control implication cuts two ways. On one hand, the case strengthens arguments for restricting the sale, transfer, and use of highly invasive spyware — including calls for moratoria, licensing reform, and cross-border transparency about which authorities hold which capabilities. On the other, it exposes the enforcement gap that has dogged the entire debate: attribution to a specific customer is hard, mercenary vendors distance themselves from operator conduct, and the multi-country nature of the assessed operator here complicates any single-jurisdiction remedy. Export controls only bite if they can be traced to a responsible party, and this disclosure illustrates how difficult that tracing remains.

Coordination With Citizen Lab and Amnesty Tech

The forensic backbone of this disclosure came from Citizen Lab, the University of Toronto research group that has been central to public Pegasus attribution for years. In its published analysis, Citizen Lab said it confirmed the infections with high confidence, dated them to 2022 and 2023, and assessed — without naming the operator — that a Pegasus customer authorized to spy across multiple European countries was likely responsible, having found no indication of Greek-government involvement. That measured, evidence-bounded framing is characteristic of the group's public reporting and is worth preserving intact rather than sharpening into a firmer accusation than the analysts made.

Alongside the forensic publication, Amnesty International — whose Security Lab and broader technical program have repeatedly corroborated Pegasus findings — helped anchor the civil-society response, joining a coordinated statement pressing the EU to act. The pairing of independent forensic authorship with human-rights advocacy is the well-worn model of the mercenary-spyware accountability ecosystem: technical researchers establish what happened with methodological care, and advocacy organizations translate that into a policy demand. Readers should keep the two roles distinct, because the strength of the case rests on the forensic finding, while the calls for sanctions and moratoria are the advocates' interpretation of what should follow.

For defenders and institutions, the coordination model is itself instructive. Neither the technical attribution nor the policy campaign would carry the same weight alone; it is the combination — reproducible forensic analysis published openly, then amplified by organizations with standing to demand redress — that has proven durable against the vendor deflection that typically follows spyware disclosures. Any organization concerned about targeted surveillance of its high-risk members can learn from that division of labor: preserve forensic evidence rigorously, and route it to parties equipped to act on it.

Scope and Impact

The direct scope of this incident is a single individual's device, but its impact is deliberately outsized because of who that individual was and what he had access to. As a substitute member of the PEGA Committee, Kouloglou was positioned near the inquiry's confidential deliberations, and Citizen Lab's assessment that the intrusions could have exposed committee material is what elevates the case from a personal compromise to an institutional one. The affected "surface," in other words, is not one phone but the confidentiality of a parliamentary investigation into surveillance abuse — a striking inversion for a body created precisely to hold spyware to account.

The second-order impact is reputational and political. A finding that an EU lawmaker was surveilled while probing spyware feeds directly into the Parliament's own credibility on the issue and hands civil-society groups a vivid case study for their long-standing argument that European institutions have under-responded to mercenary spyware. It also raises uncomfortable questions about how many other officials involved in sensitive oversight may have been targeted without detection, given that Pegasus-class infections are, by design, engineered to evade the notice of the people they surveil. The disclosure is thus likely to function as a catalyst for further forensic scrutiny of other committee members and staff.

For the wider defender community, the practical impact is a reminder about high-risk-user threat models. Journalists, human-rights defenders, opposition figures, and the officials who investigate them remain the recurring targets of government-grade spyware, and the controls that matter for that population — hardened device configurations, restricted-mode protections, disciplined compartmentation of sensitive communications, and access to trusted forensic support — are distinct from ordinary enterprise security. This case is a reminder that the highest-value targets are often the people scrutinizing the very capabilities used against them, and that protecting them is an oversight-integrity issue, not just an IT one.

Open Questions

Several central questions remain unresolved at the time of publication, and the reporting is careful to leave them open. The most consequential is attribution of the operator: Citizen Lab assessed that a Pegasus customer authorized across multiple European countries was likely responsible and expressly found no indication of Greek-government involvement, but it did not name the specific NSO Group customer. Follow-up coverage, including The Register's account of the EU's response, has centered on the political fallout rather than resolving that identification, and it should not be treated as settled.

A second open question is the policy outcome. Civil-society groups have called for an independent assessment of continued Pegasus use in Europe, for progress on the PEGA Committee's recommendations, and for concrete export-control or sanctions measures — but whether the EU or individual member states will act, and how forcefully, is unknown. The disclosure has generated momentum and a scheduled debate, yet momentum is not the same as enacted policy, and the history of the EU spyware file counsels caution about predicting a decisive response.

Finally, there is the question of breadth. Because government-grade spyware is engineered to evade detection, the discovery of one committee member's infection raises the natural question of how many others — members, staff, witnesses — may have been targeted without knowing it. Whether additional forensic examinations surface further victims, and whether they point toward the same or different operators, will shape how this incident is ultimately understood. For now, the confirmed facts are enough to make the point that landed hardest in the reporting: the person investigating mercenary spyware in Europe was, analysts say, surveilled with it.


The CyberSignal Analysis

The reported facts above come from TechCrunch, WIRED, The Register, and Citizen Lab's forensic publication; what follows is The CyberSignal's editorial reading of what defenders and policymakers should take from them. None of the judgments below are new reported facts, and all hedges in the original reporting are preserved.

Signal 01 — Investigators Are Part of the Attack Surface

The durable lesson here is not that Pegasus exists but that it was pointed, analysts say, at the person investigating it. When an oversight body's own member is surveilled with the capability under review, the confidentiality of the investigation — its witnesses, deliberations, and draft findings — becomes part of the attack surface. Our reading is that any institution running sensitive investigations should threat-model its investigators and their devices with the same rigor it applies to the systems they scrutinize, because compromising the overseer is often more valuable to an adversary than compromising any single system under oversight.

That reframing has operational consequences. High-risk-user protection — hardened device configurations, restricted operating modes, disciplined compartmentation of sensitive communications, and standing access to trusted forensic support — should be treated as a structural requirement for oversight bodies, not a discretionary perk. The controls that defend an ordinary enterprise user are not calibrated for a target facing government-grade spyware, and this case is a reminder that the gap between those two threat models is where oversight integrity is won or lost.

Signal 02 — Attribution Discipline Is the Story's Backbone

The most credible thing about this disclosure is what its authors declined to claim. Citizen Lab confirmed the infections with high confidence, dated them, and assessed a multi-country Pegasus customer as the likely operator — while explicitly finding no indication of Greek-government responsibility and stopping short of naming the customer. Our assessment is that this restraint is a feature, not a hedge: it is precisely the discipline that has made independent forensic attribution durable against the vendor deflection that reliably follows spyware findings.

For readers and policymakers, the actionable interpretation is to resist collapsing a bounded forensic finding into a firmer accusation than the evidence supports. The strength of the case rests on the reproducible technical analysis; the calls for sanctions and moratoria are the advocates' interpretation of what should follow. Keeping those two things distinct is what lets the underlying finding survive scrutiny — and it is the same distinction that separates accountability from allegation in every mercenary-spyware case we have covered.

Signal 03 — Export Controls Only Bite If Attribution Can Reach a Party

This disclosure is being read, correctly, as an export-control story — and it also exposes why export controls have been so hard to enforce. Mercenary spyware is sold as a government-only product, yet vendors distance themselves from operator conduct, and the assessed operator here spans multiple European jurisdictions rather than resolving to one accountable authority. Our view is that the case simultaneously strengthens the argument for tighter licensing, transparency, and human-rights conditionality, and demonstrates the enforcement gap that has blunted every prior attempt at those measures.

The forward-looking watch item is whether the EU converts this momentum into anything binding. A scheduled debate and a civil-society campaign are inputs, not outcomes, and the history of the European spyware file counsels caution. We would treat the coming months as a test of whether export-control and oversight reform can be traced to a responsible party at all — because a regime that cannot name the operator cannot readily sanction it, and that tracing problem, more than any single infection, is what determines whether disclosures like this one change anything.


Sources

TypeSource
ReportingTechCrunch — MEP investigating spyware had phone infected with Pegasus
ReportingWIRED — An EU politician who investigated Pegasus ended up with it on their phone
ReportingThe Register — EU urged to act after Pegasus infects phone of spyware inquiry MEP
PrimaryCitizen Lab — Member of Committee Investigating Spyware Hacked with Pegasus
PrimaryAmnesty International — Brazen hacking of former MEP investigating Pegasus abuses
RelatedThe CyberSignal — Meta's Contempt Motion Against NSO Group in the WhatsApp Case
RelatedThe CyberSignal — Germany Blames Russia for Signal Phishing Attacks on MPs
RelatedThe CyberSignal — Tchap French Government Messenger Breach
RelatedThe CyberSignal — Morpheus Android Spyware: Fake Updates and WhatsApp Hijacking