Netcrook

When the Watchers Were Watched: Pegasus Case Puts Spyware Oversight Under the Lens

Published: 03 July 2026 14:08 | Category: Cyber Warfare & Nation-State Operations | Geo: Europe / Greece | Author: AGONY

A high-confidence forensic finding on a former Greek MEP’s iPhone shows how mercenary spyware can intersect with democratic oversight, even when the target sits on a committee built to examine Pegasus itself.

Few cases capture the logic of mercenary spyware as sharply as this one. A former member of the European Parliament was reported to have had his iPhone compromised twice while serving on the Parliament’s PEGA committee, the body created to examine Pegasus and equivalent surveillance spyware. That combination of target, timing, and tooling makes the incident more than a personal intrusion. It is a case study in how elite surveillance operations can collide with institutions trying to document them.

Fast Facts

  • Citizen Lab assessed the iPhone compromise with high confidence.
  • The forensic timeline points to two compromise windows: October 21, 2022, and March 6 to 7, 2023.
  • The device belonged to former Greek MEP Stelios Kouloglou.
  • He was serving on the European Parliament’s PEGA committee at the time.
  • The broader risk is delayed detection, because sophisticated spyware can leave only limited traces for later forensic review.

What the compromise suggests

The important technical detail is not just that a phone was reportedly targeted, but how investigators could still reconstruct the event afterward. High-end iPhone intrusions often rely on carefully chained exploits and short-lived artifacts, which means defenders may not see an obvious alert at the moment of compromise. In this kind of case, forensic review becomes the primary way to establish a timeline.

Citizen Lab’s broader Pegasus research has shown that NSO-linked operators have used sophisticated iOS attack chains in recent years. That context matters, but it should not be flattened into certainty about this specific case. Here, the firm claim is narrower: the phone was judged, with high confidence, to have been compromised on two separate dates.

That distinction matters because attribution in spyware investigations is often probabilistic rather than absolute. A forensic assessment can be strong without revealing every operational detail, including who initiated the tasking, what data may have been accessed, or how long access persisted.

Why the PEGA angle matters

The incident is politically sensitive because the target was working inside a committee focused on spyware abuse. From a defensive perspective, that raises a familiar but uncomfortable lesson: people involved in oversight, journalism, legal defense, and human-rights monitoring can become high-value targets precisely because they are trying to expose surveillance activity.

It also reinforces a practical security truth. For people at elevated risk, ordinary mobile hygiene is not enough. Apple’s threat notifications and Lockdown Mode exist for a reason: targeted surveillance is a recognized threat model, not a theoretical one. But those controls are mitigations, not guarantees. The safer assumption for high-risk users is that compromise may only become visible after the fact, when logs, alerts, and forensic artifacts are pieced together.

At the time of writing, public information has not fully established the complete scope of any downstream access or whether additional systems were affected. The available evidence supports risk analysis, not sweeping claims.

Conclusion

The lesson here is bigger than one device or one committee. Mercenary spyware succeeds when targets underestimate how closely surveillance and power can track each other. The stronger the oversight role, the more attractive the target can become. In that sense, the real story is not just that a phone was compromised, but that democratic scrutiny itself is now part of the attack surface.

TECHCROOK

Hardware security key: A small physical key adds strong two-factor authentication for email, cloud, and other accounts. For journalists, investigators, and officials handling sensitive material, it is a practical way to reduce reliance on SMS codes or reusable passwords. Keep a spare key in a separate place.

WIKICROOK

  • Mercenary spyware: Commercial surveillance malware sold for highly targeted operations, often against specific individuals rather than the public.
  • Forensic analysis: The examination of device artifacts and logs to reconstruct how a compromise likely happened.
  • High-confidence assessment: A conclusion supported by strong evidence, though not necessarily every operational detail.
  • Lockdown Mode: An Apple security feature that reduces attack surface for users at elevated risk of targeted attacks.
  • Threat notification: A device alert indicating a user may have been targeted by sophisticated spyware activity.