This text is originally published in a monitoring report by the Media Freedom Rapid Response (MFRR) on 16 September and can be downloaded in full here.


Threats posed to journalists by spyware and other surveillance weapons remain a major area of concern for press freedom during the first half of 2022. In addition to the latest exposes about the targeting of journalists in Catalonia using Pegasus spyware, there were major revelations in Greece about the use of a similar malware tool called Predator to hack into the phone of a financial journalist. The same journalist was also revealed to have been wiretapped by a state intelligence agency, illustrating the ongoing threats posed by more traditional monitoring tools.

These disclosures, and the emergence of new cybersurveillance weapons, have added a new dimension to ongoing EU investigations and galvanised efforts to better regulate the mercenary surveillance tools across the bloc. Although greater light is being shed on the spyware-for-hire industry, experts believe figures for the number of journalists within the EU who have been targeted with such tools could still be the tip of the iceberg.

Concern over the use of advanced surveillance technology against journalists in the European Union was ignited in 2021 after the publication of an investigation by the Pegasus project, which revealed the abuse of the spyware by governments around the world, including in Hungary. Pegasus is developed by Israeli cyber-security firm NSO Group and is sold only to state intelligence and law enforcement agencies. It can infect Android and iOS operating systems and turn a smartphone into a surveillance device, giving access to passwords, encrypted chats, contacts, location data, and even turning on the recorder and camera. Unlike malware products which require the target to click on an infected link, Pegasus can infect a phone with “zero-clicks”. The technology poses serious threats to journalistic safety and source confidentiality. According to recent reports, NSO is believed to have contracts with 22 security agencies in 12 EU countries.

In 2022, fresh revelations surfaced about the scale of the use of Pegasus by Spanish authorities. In April it was revealed that at least four Catalan journalists were amongst those to have their smartphones targeted or infected with the spyware between 2017 and 2020, after Catalonia’s failed independence bid. According to Citizen Lab, the journalists targeted included Meritxell Bonet, the spouse of an activist who chaired the Catalan NGO Òmnium. Also targeted were journalist and historian Marcel Mauri, who later became vice-president of Òmnium, as well as journalist and former Catalonia MP Albano Dante Fachin, and journalist Marcela Topor, wife of former president of Catalonia Carles Puigdemont. All those targeted had links to the Catalonian independence movement or figures within it. Separately, Spanish journalist Ignacio Cembrero, a correspondent specialising in coverage of the Maghreb, has been identified as a potential target for surveillance using Pegasus and has alleged Moroccan authorities were responsible.

While Pegasus remains the most well-known spyware tool, a burgeoning commercial market for similar surveillance tools exists within the European Union, and beyond. These hacking systems, which work by exploiting software vulnerabilities, are developed by private companies and secretly acquired by state agencies. Information about the relationships between EU governments and these mercenary companies remains secret or highly opaque, as does the level of operational safeguards in place. While such tools are used primarily by EU intelligence agencies to tackle threats to national security, abuses of such tools against journalists, civil society, and opposition figures are being increasingly identified.

In a major case in Greece, in April 2022 it was revealed that financial and banking journalist Thanasis Koukakis, who works for CNN Greece and other international media, was surveilled for at least ten weeks in summer 2021 using a spyware tool called Predator. It was the first reported case of a journalist having their phone hacked using the technology. Researchers were not able to identify who the source was. The Greek government denied involvement. The tool was initially developed by North Macedonian firm Cytrox, which was acquired by Intellexa, a company which sells digital surveillance products in Greece, and which has an office in Athens.

According to investigative reports, entities linked to Grigoris Dimitriadis, the former general secretary and nephew of the Prime Minister, had dealings with Intellexa. After the revelations first surfaced, a government spokesperson said an “individual” was responsible for targeting Koukakis. However, a licence for the malware reportedly costs €14 million and such sophisticated tools are normally only sold to state agencies. The Greek government has repeatedly said it has no business relationship with Intellexa and does not use its products.

(L-R) Greek Journalists Stavros Malichudis, Eliza Triantafillou, and Thanasis Koukakis attend a hearing by the European Parliament’s Inquiry Committee amid an investigation into the use of the Pegasus surveillance spyware in Greece, in Brussels, Belgium, 08 September 2022. EPA-EFE/OLIVIER HOSLET

These denials have been complicated by the fact that in April 2022 it was revealed that Koukakis had, before the Predator attack, been put under wiretapping surveillance by the Greek National Intelligence Service (EYP) in May 2020. The agency had been placed under the direct supervision of the office of the Prime Minister in 2019. When Koukakis first suspected he was being surveilled, he requested that the Authority for Communication Security and Privacy (ADAE) confirm this. Shortly after, the government changed the law blocking the ADAE to retroactively inform citizens if they had been monitored.

When initially questioned about the wiretapping, the government denied involvement. As evidence mounted, the EYP’s spy chief, who later resigned, admitted during a closed parliamentary session that the agency had bugged Koukakis’s phone under “national security” grounds. No explanation was provided about why a reporter investigating financial corruption at the time posed a threat to national security.

There is evidence that another investigative reporter, Stavros Malichudis, was wiretapped by the EYP in connection with his reporting on refugees and migration. These cases have illustrated the different types of surveillance available to those wishing to target journalists and have led to additional concerns about deteriorating press freedom in Greece.

As the EU Parliament’s Committee of Inquiry continues its investigation into the use of the Pegasus and equivalent surveillance spyware across the EU, it is clear that greater transparency and safeguards are needed to prevent abuses of the technology against journalists and others and to regulate the use of advanced cybersurveillance tools across the bloc.



The MFRR monitoring report  – available to download here – documented violations and attacks on media freedom across European Union Member States and Candidate Countries between January and June 2022. The report was compiled by the International Press Institute (IPI), the European Federation of Journalists (EFJ), and the European Centre for Press and Media Freedom (ECPMF), as part of the Media Freedom Rapid Response (MFRR) project, which monitors and supports journalists, media workers, and media outlets that have been threatened.