> In May 2026, Kouloglou contacted the Citizen Lab and we conducted a forensic analysis of artifacts from his iPhone. We found with high confidence that his device was successfully infected with Pegasus spyware on or around October 21, 2022, and again on March 6 and 7, 2023.
I wonder if we can forensically analyze our own phones to see if some nutjob with Pegasus has targeted us as well.
Looks like we can: https://docs.mvt.re/en/latest/
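The MVT documentation linked above describes the indicator-matching approach such tools take: extract artifacts (URLs, process names) from a device backup and compare them against a curated list of known indicators of compromise. The block below is an added illustration written for this thread, not MVT's own code; the indicator list, the STIX-2-like pattern shape and every record it scans are constructed placeholders, not real indicators.

```python
"""Constructed illustration of IOC matching over mobile forensic artifacts.
Added example for this thread; not MVT's own code. All indicators and
records below are constructed placeholders."""
import re
from urllib.parse import urlparse

# Constructed indicator bundle in a STIX-2-like shape. The domains and the
# process name are placeholders under .invalid, NOT real indicators.
CONSTRUCTED_INDICATORS = {
    "objects": [
        {"type": "indicator",
         "pattern": "[domain-name:value = 'cdn-updates.example.invalid']"},
        {"type": "indicator",
         "pattern": "[domain-name:value = 'fonts-sync.example.invalid']"},
        {"type": "indicator",
         "pattern": "[process:name = 'placeholder_proc']"},
        {"type": "malware", "name": "ignored, not an indicator"},
    ]
}

# Constructed artifact records of the kind a forensic tool extracts from a
# backup (browser history, network logs, process lists).
CONSTRUCTED_RECORDS = [
    {"source": "safari_history", "url": "https://www.apple.com/",
     "ts": "2023-03-06T09:15:02Z"},
    {"source": "safari_history",
     "url": "https://a1.cdn-updates.example.invalid/i?x=1",  # subdomain hit
     "ts": "2023-03-06T09:15:40Z"},
    {"source": "network", "url": "http://fonts-sync.example.invalid:8443/",
     "ts": "2023-03-07T00:02:11Z"},
    {"source": "network", "url": "https://notcdn-updates.example.invalid/",
     "ts": "2023-03-07T00:03:00Z"},  # lookalike suffix, must NOT match
    {"source": "process", "name": "placeholder_proc",
     "ts": "2023-03-07T00:04:00Z"},
    {"source": "process", "name": "backboardd", "ts": "2023-03-07T00:04:01Z"},
]

# Only the two simple pattern shapes used above are parsed here.
PATTERN_RE = re.compile(r"\[(domain-name:value|process:name) = '([^']+)'\]")


def load_indicators(bundle):
    """Return (domains, process_names) sets parsed from indicator objects."""
    domains, processes = set(), set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", ""))
        if not m:
            continue
        kind, value = m.groups()
        (domains if kind == "domain-name:value" else processes).add(value.lower())
    return domains, processes


def domain_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one.
    Suffix checks include the leading dot so lookalikes do not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_records(records, bundle):
    """Return (source, matched_value, timestamp) for every record hitting an IOC."""
    domains, processes = load_indicators(bundle)
    hits = []
    for rec in records:
        if "url" in rec:
            host = urlparse(rec["url"]).hostname or ""
            if domain_matches(host, domains):
                hits.append((rec["source"], host, rec["ts"]))
        elif "name" in rec and rec["name"].lower() in processes:
            hits.append((rec["source"], rec["name"], rec["ts"]))
    return hits


if __name__ == "__main__":
    for hit in scan_records(CONSTRUCTED_RECORDS, CONSTRUCTED_INDICATORS):
        print("IOC match:", *hit)
```

The matching is deliberately exact-or-subdomain rather than substring, since a naive `in` check would flag the lookalike record as well; a real tool also pairs this with version-specific artifact parsers and a maintained indicator feed, which this example does not include.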
Thanks!
How many nutjobs with Pegasus are really running around out there?
I think OP is more worried about one nutjob with a lot of targets.
>> Further validating our finding of targeting, our forensic analysis shows Kouloglou received multiple Apple threat notifications about targeting with mercenary spyware on three occasions: March 2, 2023, August 29, 2023, and April 10, 2024. It is important to note that threat notifications from Apple and other companies are not real-time alerts. They are typically sent to users in batches, often months or more after targeting takes place.
>> Kouloglou reports to us that he did not recall receiving the Apple notifications we observed.
Am I understanding this correctly that Apple sent him notifications that he was being monitored and he ignored them?
"he did not recall receiving the Apple notifications" so he didn't notice them.
That is kind of surprising given he is on the committee investigating Pegasus. I'd assume someone on the committee would be paying much more attention to this than a normal person.
I wonder what triggered him to suspect he was hacked then. Since presumably something triggered him to have his phone forensically investigated.
Or that Apple could either run searches on the names of affected users against publicly known members of government or have a close relationship with governments to flag exactly this.
If he knew he was compromised, and was okay with it for one reason or another (like money or other coercion), this is what his cleanup would look like.
Not saying this is likely. Just another possibility.
Do they send them via notification infrastructure or email? Personally I almost never check the email associated with my Apple ID so I would miss those. But if all my Apple devices were notifying me and I had a badge in Settings.app, I’d notice.
Then again, you’d think that’s the kinda thing malware developers would spend some time learning to hide from the user.
Could those have been intercepted or suppressed somehow?
It's possible, if the attacker controls the device enough. I don't think a big "you're being targeted" warning is something you don't notice, or forget.
Do we know how Apple sends these? Is it just a notification, or also email?
https://support.apple.com/en-us/102174
>A Threat Notification is displayed at the top of the page after the user signs into account.apple.com.
>Apple sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple Account.
You can see what it looks like in https://reddit.com/r/iphone/comments/1c10jai/i_have_received...
I wonder how they detect it, is it for known IOCs that they've already found elsewhere, or do they have heuristic detection that flags things that might need further investigation.
I could be wrong here, but I can’t see any way of viewing old notifications.
It isn’t hard to accidentally dismiss one then wonder what it was. Why isn’t there an interface for looking back?
Edit: below it says there are emails and notices on web login.
I mean his device was pwned completely. It's not a stretch that attempts to warn are suppressed.
That or he didn't notice or could have assumed the notice itself was one of many phishing attempts against large orgs.
If I saw a notification that my account was compromised by Pegasus I'd personally assume phishing.
Kouloglou is a famous investigative journalist, not you and me. Yes you and I might think we're being scammed, but someone who actually spent a lot of their life getting death threats probably would pay more attention.
Fairly sure that if anybody is using an advanced piece of hacking software, they are also going to delete any messages that are related to detection of such hardware.
PC viruses used to do that stuff going back so many years ago. Suppressing any notification under Windows, by disabling the AV software, its notifications, Windows notifications related to it.
So it will amaze me if this is not done by any modern espionage software. Especially as the notification methods are known. Given that his device is hacked, that means a lot of avenues are under control of the espionage software. Even mails etc ... So impersonating the end user, to confirm they read a warning, is extremely easy.
I find it rather odd that people are so fixated on the question of whether Kouloglou read it or not.
Maybe the software can only exfiltrate information, rather than change it.
If I was going to write software on this level, that will be used by governments, there is no way it's going to be a nice little program that only extracts information.
It's going to have every trick in the book (and outside it), to stay hidden. And it will have payloads to alter its behavior, updates, etc...
Nobody is going to pay you big fat money envelopes for software that anybody can write in an afternoon. You want it to be as capable as ever, and you do not want it found!
I mean maybe the exploits they found weren't good enough to allow them to do whatever they want with the phone.
That seems to be the case, although he claims to have somehow missed them. Overall this is one of those stories that's obviously an outrage, except for the fact that every country on Earth spies on the rest, and quite a few private entities do as well. Still the way the game is played if you get caught you have to act ashamed, and the people catching you get to gloat.
It's silly, but it's a show the public never tires of.
The US does not spy on Five Eyes government leadership or that of Israel. And perhaps more: in the wake of Snowden, which obliterated many diplomatic relationships the U.S. has with other countries, Obama issued a directive that the U.S. would not monitor heads of state and government of close friends and allies (even outside Five Eyes) unless there was a compelling national security reason. As far as we know that directive has remained in force with each successive administration as well.
They spy on most others though. Germany’s Merkel, successive French presidents etc. all had their phones hacked by the US, as has been widely reported in the news.
US does spy on Five Eyes
https://en.wikipedia.org/wiki/United_States_espionage_in_Aus...
"In December 2010, leaked US diplomatic cables indicated senior New Zealand Defence Ministry officials had been spying for the United States, secretly briefing the United States embassy on Cabinet discussions about the Iraq War."
https://en.wikipedia.org/wiki/Foreign_espionage_in_New_Zeala...
That’s pre-Snowden
> As far as we know that directive has remained in force with each successive administration as well.
People can state a lot, as long as you're not caught.
Nothing prevents you from having the UK spy on the Germans, and feeding that intel back. Or Israel, or ... Hey, the US did not spy on an EU ally. Well, not directly, and it neatly bypassed any official statements.
They might have simply gone to one of those secret court hearings and had it bypassed with a gag order in place. Officially it's not done, unofficially, it's been approved.
The whole "as long as you do not tell me you're doing it" approach, and the politicians involved maintain deniability (even if they had the wink).
And you do not need to specifically target the head of state. Plenty of side routes to still get information on meetings that involve those heads of state. Even if you're not "directly" spying on them.
So no, it's a naïve way of thinking. Maybe in 20 years from now we find out that they did spy on EU leaders. Maybe directly, maybe indirectly ... even with that directive in place. I will be amazed if they did not. It's the US we are talking about.
> The US does not spy on Five Eyes government leadership or that of Israel.
Doubt.
> unless there was a compelling national security reason
There always is.
> Doubt
Can you substantiate your doubt with even one piece of hard evidence?
Sure. The NSA exists, and it routinely violates the rights of the USA's own citizens, the ones that actually have constitutional rights. The idea that it would suddenly draw the line on foreigners is just absurd.
Absolutely, and there's the same compelling reason for them to spy on the US in turn. I can't emphasize this enough, everyone is spying on everyone else. Close alliances give the impression that they don't because they tend to handle scandals in-house, it's for everyone's benefit to do so in most cases. Snowden's disclosure was a very unusual event and put everyone in a position of needing to act shocked, appalled, and put on a big show for the public; sweeping it under the rug was impossible. For all that many here would wish otherwise, Snowden wasn't a watershed though, it was a blip.
In this case he was investigating misuse of Pegasus spyware specifically, and was targeted with it while doing so. That's obstruction of justice, morally speaking, and would feel very scary, in that it would make you feel that this company might be so powerful that investigating it is personally dangerous.
That's certainly the feeling the story is meant to engender yes.
Around that time a lot of politicians in Greece had their phones hacked by Pegasus. It's an ongoing scandal in Greece that never got fully resolved, although all evidence indicates that it was an operation orchestrated by the office of the prime minister in coordination with the local intelligence service. So I wouldn't call that an attack against the European parliament.
Small correction: that is Predator/Intellexa, not Pegasus/NSO. So this is different.
Same story in Poland:
https://notesfrompoland.com/2026/02/26/poland-charges-former...
Everything looks like a nail if you have a hammer.
One interesting thing here, is they imply that both confidential personal medical information and confidential gov docs might have been compromised via the same phone.
Does EU parliament not have a policy of separating work and personal devices?
Having a policy and what happens in the real world are most of the time very different things (Understandably, as the line between work and personal time is often blurry).
True but one would hope though that people dealing with national security would follow more than your average employee.
> True but one would hope though that people dealing with national security would follow more than your average employee.
The more important you are the more you may think that exceptions can be made for you.
From what I understood, he took his compromised work phone to the hospital, and the concern is that it may have recorded conversations that contained personal medical information.
He didn’t have medical information on the phone.
Just for context, some European countries have been abusing spyware such as Pegasus so much that Israeli firms have cut ties with them, one such example below with Italy. Others have pointed out Greece and Poland. It's quite laughable that a member of the EU parliament would be subject to the same kind of spying activities innocent journalists, activists and possibly normal people are, all of that by the member states of the union, directly contributing to the Israeli companies developing and spreading malware.
https://www.bbc.com/news/articles/cvgmzdjw24yo
Cutting ties after there has been an outcry is damage control. I would assume that the product is still available under another sub-vendor to the same people.
If he was using any phone other than an iPhone or Pixel it would have been easier and cheaper to infect him. If he was using GrapheneOS, it could have prevented and/or raised the cost of these attacks.
Apple and Google should stop locking essential hardening features behind the 1-toggle lockdown mode and whatever Google's version of it is. It causes fewer people to use the features because of one specific protection that's a deal breaker.
It's common that someone would be willing to use lockdown mode but choose not to because of a single problem they have with it, like shared albums. GrapheneOS enables all hardening by default and will guide you simply through disabling exploit protections if an app breaks because of them.
GrapheneOS has a detailed exploit protection section of their features explaining how they harden the device against unknown vulnerabilities.
https://grapheneos.org/features#exploit-protection