Stelios Kouloglou spent a year investigating Pegasus spyware abuse for the European Parliament. Turns out he was a target the whole time.

Citizen Lab confirmed the Greek journalist and former MEP was hacked with Pegasus in October 2022 and again in March 2023, while sitting on the PEGA committee tasked with investigating exactly this kind of surveillance. It’s the first time a PEGA member has been publicly confirmed as a spyware victim. The exploit was zero-click, no tap required, and it hit right as the committee was drafting its findings on spyware abuse in Cyprus, Greece, Hungary, Poland and Spain.

If you build software that touches sensitive user data, this is the threat model you’re up against: a fully patched consumer device beaten by a zero-day that didn’t need the user to do anything wrong. Vendor security promises don’t cover that gap, and neither does your own patch cadence if the fix ships after the attack.

NSO Group isn’t a hypothetical bogeyman for US operators either. A Biden-era executive order bars federal agencies from using spyware tools like it, and NSO took an infusion of tens of millions from an American investment group last year to rehab its brand. That’s the kind of counterparty risk that should show up in vendor diligence if you’re anywhere near government contracts.

Kouloglou says he’s suing NSO Group. Worth checking who else on your board or cap table has exposure before that filing lands.

Nathan Zakhary