Inside the European Surveillance Collapse

A European lawmaker tasked with investigating state-sponsored spyware abuses became the target of the exact technology he was auditing. Digital forensics experts at Citizen Lab confirmed that Stelios Kouloglou, a former Greek member of the European Parliament, had his iPhone successfully infected with Pegasus spyware three times during his tenure on the special investigatory committee. The intrusion strikes at the core of European sovereignty. It proves that the mercenary surveillance industry operates with total impunity inside democratic institutions, weaponizing unpatched vulnerabilities against the very officials writing the rules to restrain them.

The compromise of Kouloglou’s device did not happen in a vacuum. It occurred while the European Parliament’s PEGA committee was aggressively drafting its final report on government espionage across Greece, Spain, Poland, and Hungary. The timing points to a calculated intelligence operation aimed at tracking the inner workings of an institutional probe.

The Anatomy of a Zero-Click Ambush

Mercenary software operates in absolute silence. For Kouloglou, the first successful breach occurred in October 2022. He was lying in a hospital bed recovering from a scheduled surgery. While he was incapacitated, an unknown government client deployed a zero-click exploit against his iPhone. This method requires no interaction from the victim. No malicious links were clicked. No deceptive attachments were opened. The software simply found an unpatched vulnerability in the device's operating system, slipped through the defense perimeter, and established total administrative control.

The spyware turned the phone into a live surveillance beacon. It gained full access to encrypted messages, photo libraries, location logs, and real-time microphone feeds. The attackers had a front-row seat to his recovery room conversations, his private medical updates, and his strategic political exchanges.

Two more infections followed in March 2023. These hits landed within twenty-four hours of each other as Kouloglou traveled between Athens and Brussels. This was a critical juncture for the PEGA committee. Lawmakers were locked in fierce negotiations over the final wording of their investigative report. The draft explicitly accused several European governments of using commercial hacking tools to spy on political opposition, journalists, and civil society. By monitoring Kouloglou, the operators obtained an unfiltered view of the committee's momentum, its internal fissures, and its upcoming testimonies.

Forensic analysis conducted by Citizen Lab indicates that the infrastructure behind these attacks shared an email address previously tied to spyware campaigns targeting journalists across Europe. The reuse of this digital footprint suggests a single, highly active government client with broad authorization from NSO Group to conduct multi-jurisdictional espionage within the borders of the European Union.

The Greek Context and the Architecture of Denial

Greece has spent years at the epicenter of the European wiretapping crisis. The revelation that Kouloglou was targeted aligns with a long-standing pattern of domestic surveillance that has routinely shaken Athens. Journalists like Thanasis Koukakis and opposition politicians like Nikos Androulakis have previously found their phones targeted by either Pegasus or a rival commercial spyware variant known as Predator.

The standard political response to these discoveries follows a predictable playbook. Governments issue blanket denials. They hide behind the expansive, opaque shield of national security exemptions. Because NSO Group exclusively sells its product to sovereign states and law enforcement entities, the presence of Pegasus on an EU lawmaker’s phone confirms state involvement. Yet, the corporate structure of the spyware market allows both the vendor and the buyer to maintain plausible deniability.

The vendor points to contract clauses that forbid illegal use. The buyer relies on classification laws to block parliamentary oversight. This leaves victims in a legal void where courts lack the jurisdiction or the political will to compel disclosure from intelligence agencies.

European security agencies have increasingly turned to commercial vendors to bypass traditional legal limitations on wiretapping. Traditional interception requires telecom warrants and leaves a paper trail. Commercial spyware provides an end-to-end extraction capability that operates entirely outside traditional regulatory frameworks.

The Weaponization of Bureaucratic Inertia

The European Parliament's response to these systemic breaches reveals a fundamental structural weakness. The PEGA committee spent two years gathering testimonies, reviewing forensic data, and issuing blistering warnings about the decay of democratic norms. Its final report called for a strict moratorium on spyware sales, tighter export controls, and a dedicated task force to investigate abuses.

None of these recommendations have been converted into binding legislation. The European Commission has consistently deflected responsibility, arguing that national security remains the exclusive domain of individual member states. This regulatory paralysis creates an ideal environment for mercenary software vendors.

While Brussels debates definitions and jurisdictions, European lawmakers are left to defend their communications with basic consumer security settings. The European Parliament's internal IT department has offered spyware screening to members since 2022. It remains a voluntary measure. It is a reactive patch applied to a structural hemorrhage.

The lack of consequences has normalized espionage as a standard tool of European statecraft. When a state can deploy military-grade cyber weapons against an active investigator without facing economic or diplomatic sanctions, the message to the market is clear. The risks are negligible. The rewards are absolute.

The Myth of Corporate Accountability

NSO Group has repeatedly claimed that its technology is designed solely to combat terrorism and serious crime. The company maintains that it vets its clients and terminates contracts when abuses are uncovered. The empirical reality documented by digital rights groups directly contradicts this public relations narrative.

The targeting of Kouloglou demonstrates that the corporate compliance mechanisms of mercenary tech firms are entirely broken. The reuse of attack infrastructure across different European operations over multiple years proves that NSO Group either cannot monitor how its software is used, or chooses not to look. The financial incentives favor continued operation over strict ethical vetting.

Suing these entities is an uphill battle. Kouloglou has stated his intention to file a lawsuit against NSO Group, joining a growing list of global figures attempting to hold the company liable in court. These legal efforts face massive procedural hurdles. Mercenary tech firms frequently restructure, exploit state-immunity doctrines, and shield their financial operations through complex webs of international subsidiaries.

The commercial spyware ecosystem has expanded beyond a single prominent vendor. The market now features a multitude of smaller, agile firms operating from jurisdictions with minimal export oversight. Cheap commercial alternatives and localized hacking outfits have emerged to fill any potential void, ensuring that the supply of invasive surveillance tools remains constant regardless of the legal pressure placed on high-profile companies.

Democratic governance relies on the security of its communications. If an elected representative cannot investigate state overreach without having their private life, medical history, and legislative strategy laid bare by an anonymous state actor, the concept of parliamentary independence ceases to exist. The compromise of the PEGA committee investigator is not an isolated technical glitch. It is the definitive proof of a profound systemic failure.

Thomas Cook

Driven by a commitment to quality journalism, Thomas Cook delivers well-researched, balanced reporting on today's most pressing topics.