In a stunning breach of democratic oversight, a European politician serving on an EU committee investigating spyware abuse had their phone compromised by NSO Group’s Pegasus spyware—wielded by one of the Israeli firm’s own government clients. The hack, first reported by TechCrunch, exposes how surveillance tools sold for counter-terrorism are weaponized against the very officials trying to rein them in. It’s a brazen escalation in the global fight over commercial spyware.

A government customer of NSO Group deployed the company’s notorious Pegasus spyware to infiltrate the phone of a European politician who was, at that very moment, sitting on an EU committee investigating the spyware industry’s abuses. The revelation, broken by TechCrunch, represents one of the most brazen documented cases of surveillance tech being turned against democratic institutions.

The timing couldn’t be more damning. While the politician worked to establish accountability frameworks for commercial spyware vendors, a government client of the very company under scrutiny was reading their messages, listening to their calls, and potentially accessing every file on their device. Pegasus is delivered through zero-click exploits, meaning victims don’t even need to tap a malicious link—it silently takes over iPhones and Android devices.

NSO Group has long maintained that it sells Pegasus exclusively to vetted government intelligence and law enforcement agencies for legitimate counter-terrorism and crime-fighting purposes. The company claims it has no visibility into how clients deploy the tool and can’t control targeting decisions. But this incident punches a hole straight through that defense. When your product is used to surveil lawmakers investigating your industry, the “we’re just selling shovels” argument falls apart.

The European Parliament launched its Committee of Inquiry to investigate Pegasus in 2022, after revelations that the spyware had been used against journalists, activists, and opposition politicians across multiple EU member states. Spain, Poland, Greece, and Hungary all faced scrutiny over documented Pegasus infections targeting civil society figures and political opponents. That committee’s work was supposed to establish guardrails—instead, someone apparently decided to spy on the referees.

Cybersecurity researchers have documented Pegasus infections in over 45 countries, with victims ranging from human rights defenders to heads of state. The spyware gained global notoriety after the 2018 murder of journalist Jamal Khashoggi, when forensic analysis suggested Saudi associates were targeted with NSO tools. Apple sued NSO in 2021, calling the company “amoral 21st century mercenaries.” The U.S. Commerce Department blacklisted NSO that same year, cutting the firm off from American technology suppliers.

But blacklists haven’t stopped the spyware. NSO’s customer roster reportedly includes dozens of governments, many with questionable human rights records. The company restructured in 2022 amid financial troubles and regulatory pressure, yet Pegasus infections keep surfacing. Security researchers at Citizen Lab and Amnesty International’s Security Lab continue documenting new cases monthly, using forensic techniques to detect the spyware’s signatures on compromised devices.

This latest breach will almost certainly accelerate regulatory efforts. The EU has been debating comprehensive spyware export controls and domestic use restrictions, but progress has been slow as member states wrangle over sovereignty and national security carve-outs. When you hack the people writing the rules, you tend to focus their attention. Expect emergency hearings, expanded investigative powers for the committee, and renewed calls for an outright ban on selling surveillance tech to authoritarian regimes.

Which government deployed Pegasus against the politician remains undisclosed, but the list of suspects isn’t long. Only EU member states and close partners typically have access to NSO’s tools, narrowing the field to countries already under scrutiny for past spyware abuses. Poland’s previous government faced a political crisis in 2023 after opposition figures were confirmed as Pegasus targets. Hungary’s Orbán administration has repeatedly been accused of using Israeli spyware against journalists and critics.

For enterprise security teams, this is a wake-up call about state-level threats. If government hackers are willing to surveil lawmakers investigating them, no organization is off-limits. Zero-click exploits of the kind Pegasus relies on bypass traditional security controls—firewalls, VPNs, and endpoint protection can’t stop them. Apple and Google have both hardened their mobile operating systems against these attacks, adding Lockdown Mode and similar features, but sophisticated state actors keep finding new vulnerabilities.

The commercial spyware industry operates in a murky space between legitimate law enforcement tools and weapons-grade cyber capabilities. Companies like NSO, Candiru, and Cytrox sell products that function identically to state-sponsored hacking tools, then disclaim responsibility when clients abuse them. It’s the tech equivalent of selling military-grade assault rifles at a farmers market and claiming ignorance when they’re used in crimes.

This breach strips away any remaining pretense that commercial spyware companies can police their own customers. When governments use surveillance tools to hack the lawmakers investigating surveillance tools, the system has failed. The EU now faces a stark choice: impose binding restrictions with teeth, or accept that democratic oversight can be neutralized with a few lines of code. For tech companies, policymakers, and anyone who carries a smartphone, the message is clear—the spyware wars just escalated, and the targets now include the people we’ve tasked with protecting us from exactly this kind of abuse.