You probably think your phone is relatively safe. But if the people investigating state-sponsored spyware can’t protect their own devices, what chance do you have?
In May 2026, researchers at Citizen Lab confirmed something out of a bad spy thriller: Stelios Kouloglou, a Member of the European Parliament actively investigating the use of spyware, was himself infected with Pegasus. Not once, but twice—on or around October 21, 2022, and again in March 2023.
The people tasked with investigating the surveillance state were being surveilled the entire time.
This wasn’t just a breach of a politician’s phone. Evidence points to an operation orchestrated by the office of the Greek Prime Minister in coordination with local intelligence. The very institutions meant to protect democratic oversight were compromised by the tools they were trying to regulate.
But here is the twist nobody is talking about. The real systemic failure isn’t just the Greek PM’s alleged espionage. It’s the European Parliament’s gross negligence in basic operational security.
According to the findings, both confidential government documents and personal medical records might have been compromised via the exact same phone. Does the EU Parliament not have a policy of separating work and personal devices? Apparently not.
You cannot run a modern democracy on consumer tech that is structurally indefensible against state-sponsored zero-day exploits.
By failing to separate their confidential work from their personal lives, lawmakers effectively handed state secrets and private medical data to whoever bought the spyware license. They didn’t just leave the front door unlocked; they taped the keys to it and walked away.
This creates a chilling paradox. The tools of modern democratic governance have become its greatest vulnerability. The commercialization of state-level cyber espionage has democratized wiretapping. You don’t need a massive intelligence apparatus anymore; you just need a budget and a target’s phone number.
If the lawmakers investigating spyware cannot secure their own devices against state actors, the average citizen’s data is entirely defenseless against unchecked power.
We like to think there are adults in the room, that our institutions have protocols to protect the systems governing our lives. The Kouloglou hack proves that assumption wrong. Democratic oversight is an illusion when the overseers are carrying compromised microphones in their pockets.
Your privacy isn’t slipping away. It’s already gone. The only question left is who is listening.
FAQ
Q: Isn't this just a one-off political hit in Greece?
A: No, it's an industry. The commercialization of cyber espionage means spyware like Pegasus is sold globally to any state actor with a budget, turning targeted wiretapping into a scalable service.
Q: What should the EU Parliament actually do to fix this?
A: Enforce strict operational security immediately. Lawmakers must be required to separate work and personal devices entirely, treating consumer smartphones as inherently compromised when handling state secrets.
Q: Maybe lawmakers deserve this for failing to regulate tech?
A: No, because when their security fails, our democratic integrity fails with them. Lawmakers carrying compromised devices means confidential investigations, state secrets, and whistleblower identities are exposed to unchecked power.