Nikos Androulakis spent years investigating NSO Group's Pegasus spyware as a member of the European Parliament's inquiry committee. Now we learn his phone was compromised by the very software he was scrutinizing — a development that reads less like irony and more like a warning shot.
The hack, confirmed by forensic analysis, represents something beyond the usual catalogue of spyware abuses against journalists and dissidents. When surveillance technology targets the elected officials tasked with regulating it, the industry has effectively declared that no one is off-limits.
The investigator becomes the investigated
Androulakis served on the European Parliament's PEGA committee, established specifically to examine Pegasus abuses across EU member states. The committee's work documented how the spyware — sold by Israel's NSO Group exclusively to governments — had been deployed against journalists, lawyers, and opposition politicians throughout Europe. Greece featured prominently in these findings.
The targeting of a sitting MEP investigating spyware abuse is not merely hypocritical; it is strategically coherent. If you are a government client of NSO Group facing parliamentary scrutiny, compromising the investigators' communications offers obvious advantages. The chilling effect on future oversight is a bonus.
NSO's eternal defense
NSO Group maintains its standard position: it sells only to vetted government clients, cannot see how the software is used, and bears no responsibility for misuse. This defense has always been structurally convenient — it allows NSO to profit from authoritarian applications while maintaining plausible corporate distance.
But the Androulakis case strains even this elastic logic. European governments are not supposed to be surveilling their own parliamentarians, particularly those conducting official oversight. If NSO's vetting process cannot prevent this, the vetting process is theater.
The regulatory gap widens
The European Union has talked extensively about regulating commercial spyware. The PEGA committee issued recommendations. Member states have nodded along. Yet Pegasus infections continue to surface across the continent, and the companies selling these tools face no meaningful consequences.
The problem is jurisdictional and political. NSO operates from Israel, beyond direct EU regulatory reach. European governments that quietly use Pegasus have little incentive to support restrictions. And the technology's utility for legitimate law enforcement — the fig leaf that justifies its existence — makes outright bans politically unpalatable.
Our take
The surveillance industry has learned that democracies will not defend themselves. When a parliamentary investigator can be hacked with the software he is investigating, and the response is another round of concerned statements, the lesson is clear: there are no red lines. The Androulakis case should prompt emergency legislation, diplomatic consequences, and import bans. It will likely prompt a report that few will read. NSO Group and its competitors are watching, and they are taking notes on exactly how much democratic societies will tolerate.




