The coffee in the European Parliament basement tastes like wet cardboard, but when you are hunting ghosts, you drink it anyway. Thijs Reuten sat at his desk, the fluorescent lights humming overhead, surrounded by mountains of digital forensics reports. It was late 2023. As a Dutch Member of the European Parliament, Reuten was part of the PEGA committee—a specialized group of lawmakers tasked with investigating the rampant, illegal deployment of military-grade spyware across Europe.
He knew the statistics by heart. He knew the names of the victims—journalists in Greece, opposition leaders in Poland, activists in Spain. But knowing a fact is a sterile exercise. Feeling it is something else entirely. For a more detailed analysis into similar topics, we recommend: this related article.
Reuten reached for his phone. It looked identical to the billions of other glass-and-metal rectangles sitting in pockets around the globe. He unlocked it, checking his messages, unaware that an invisible parasite had already burrowed deep into the device's operating system.
This is how modern espionage operates. It does not smash windows. It does not wear a trench coat. It waits for you to pick up your phone, and then it quietly turns your life inside out. For broader context on this issue, extensive coverage is available at Wired.
The Zero-Click Anatomy of a Digital Home Invasion
To understand what happened to Reuten, we have to dismantle a comforting myth. Most of us believe that cybersecurity is a matter of personal hygiene. We think that if we just avoid clicking on sketchy links from unknown numbers, if we don't open strange email attachments, we are safe.
That rulebook has been burned.
The weapon deployed against Reuten belongs to a terrifying class of cyberarms known as "zero-click" exploits. Think of your phone as a heavily fortified house. Traditional hacking requires you to open the front door—even just a crack—by clicking a link. A zero-click exploit bypasses the door entirely. It finds a microscopic flaw in the architectural blueprint of the house itself, perhaps inside a standard system like iMessage or WhatsApp.
The attacker sends data to your phone that you never even see. The device processes that data in the background, stumbles over the hidden flaw, and inadvertently hands over the keys to the entire estate.
You don't click anything. You don't receive a warning. Your phone doesn't flash red or grow warm to the touch. You simply go to sleep, and while you dream, every text message, encrypted chat, photograph, password, and location data point is silently harvested and beamed to a server thousands of miles away.
Consider the psychological weight of that reality. The smartphone is no longer just a tool; it is an externalized brain. It holds our secrets, our private grief, our medical anxieties, and our intimate conversations. When an operative infects an MEP's phone with spyware, they aren't just reading official legislation. They are standing in the bedroom. They are listening to the bedtime story read to a child. They are watching a marriage unravel in real-time.
The Hunter Becomes the Prey
The PEGA committee was created precisely because European democracies were reeling from revelations that governments were using tools like Pegasus to track their own citizens. The committee's job was to dig into the muck, interview victims, demand accountability from shadowy surveillance firms, and draft regulations to stop the bleeding.
But the architecture of modern power is dizzyingly circular.
While Reuten and his colleagues were interrogating the system, the system was quietly analyzing them. In late 2023, Citizen Lab, a digital forensics watchdog based at the University of Toronto, conducted a routine check on the devices of several individuals working closely on the spyware file.
The results were chilling. Reuten’s phone had been targeted with Predator, a notorious rival to Pegasus developed by a complex web of corporate entities operating under the Intellexa alliance.
Imagine the audacity required to execute this maneuver. A European lawmaker, specifically appointed by a democratic parliament to investigate illegal spying, was actively spied upon by the very technology he was investigating. It is the ultimate expression of digital impunity. It sends a message that is both brutal and clear: We see you. We know what you are looking for. And you cannot stop us.
This discovery shattered the illusion that the European Parliament was a safe sanctuary. The threat was no longer an abstract problem affecting dissidents in far-off authoritarian regimes. The contagion was inside the legislative chamber. It was sitting on the committee tables during closed-door hearings.
The Corporate Shell Game
When we talk about spyware, it is easy to slip into the language of science fiction, picturing rogue hackers in dark hoodies operating from subterranean bunkers. The reality is far more bureaucratic, corporate, and mundane. This is an industry populated by lawyers, marketing executives, and glossy brochures.
Companies like NSO Group (creators of Pegasus) and the Intellexa alliance (creators of Predator) operate in a legal gray zone that spans multiple jurisdictions. When a surveillance firm faces scrutiny in one European country, it simply shifts its corporate weight to another. A subsidiary is opened in Cyprus; a holding company is registered in Ireland; an export license is secured through a friendly government in Greece.
It is a shell game designed to induce regulatory vertigo.
By the time investigators trace the origin of a cyberweapon, the corporate entity that sold it has mutated, rebranded, or transferred its intellectual property to a new vessel. This corporate agility allows these firms to sell their products to state actors under the guise of combating terrorism and serious crime.
But the definition of "serious crime" has become dangerously elastic. In the hands of an autocratic government or a corrupt state agency, a journalist exposing government bribery becomes a threat to national security. An opposition politician leading a tight election campaign becomes a suspected subversive. A lawmaker like Thijs Reuten, asking inconvenient questions about who profits from this invisible trade, becomes a target.
The Creeping Normalization of Panoptic Fear
The true damage of spyware cannot be measured solely in stolen gigabytes or compromised servers. The deepest scars are psychological, inflicted upon the fabric of open society itself.
When a journalist or a politician knows their phone can be compromised without their consent or knowledge, their behavior changes. Self-censorship begins as a whisper. You hesitate before typing a message to a sensitive whistleblower. You decide against making a phone call from a public space. You leave your phone in another room during an important meeting, or you turn it off entirely, feeling a strange, hollow anxiety as you look at the black screen.
Distrust becomes the default setting for every human interaction.
This is the invisible tax levied by the surveillance state. It suffocates the friction necessary for democracy to function. Whistleblowers go silent out of fear of exposure. Journalists abandon investigations to protect their sources. Politicians become risk-averse, knowing that any personal vulnerability hidden within their digital history could be weaponized against them at a moment's notice.
The target shifts from the device to the mind of the person holding it. The goal is not just to gather intelligence, but to cultivate a paralyzing awareness of perpetual visibility.
The Illusion of the Digital Fortress
We live in an era defined by our faith in encryption. We celebrate Signal and WhatsApp for protecting our communications from prying eyes through end-to-end encryption. We feel safe knowing that even if a three-letter agency intercepts our data in transit across the fiber-optic cables of the internet, it will appear as an unreadable scramble of noise.
Spyware renders encryption completely irrelevant.
Because tools like Pegasus and Predator compromise the operating system of the device itself, they capture the data before it is encrypted and after it is decrypted. They sit at the endpoint. They watch your screen as you type. They activate your microphone while you speak. The most secure, military-grade messaging app in the world is useless if the adversary is sitting inside the phone, looking out through the camera lens.
This realization brings a profound sense of vulnerability. We have spent two decades building a society that requires digital integration for survival. You cannot do your banking, book a flight, communicate with your employer, or participate in public discourse without a smartphone. We have made these devices mandatory, and in doing so, we have made ourselves permanently exposed.
A Quiet Evening in Brussels
Months after the infection was discovered, the news cycle moved on. Other crises filled the headlines, and the dry reports detailing the targeting of Thijs Reuten were archived in the digital vaults of parliamentary libraries.
But for those who understand what those reports signify, the world looks fundamentally different now.
The sun sets over the European Quarter in Brussels, casting long shadows across the glass facades of the parliament buildings. Thousands of officials, aides, and lawmakers stream out of the exits, their faces illuminated by the pale blue glow of the screens in their palms. They are answering emails, texting their partners, checking the news, completely immersed in their digital lives.
Somewhere in a nondescript office building halfway across the continent, a server blinks to life. A stream of data begins to upload, flowing smoothly through the network, carrying the whispered conversations of a democracy under siege into the hands of an anonymous handler who pays no taxes, answers to no parliament, and leaves no footprint behind.