A researcher at Citizen Lab confirmed this week, in a finding that surfaced on Hacker News, that a sitting member of the European Parliament — specifically a member of the committee chartered to investigate the abuse of commercial spyware — was compromised with Pegasus. The irony is blunt: the person tasked with oversight of surveillance tools was surveilled with one.
The natural response is to file this under "not my problem." Pegasus is sold by the NSO Group to governments. It costs millions to deploy. You are not a parliamentarian. You are managing a mortgage, a couple of kids, and a grocery budget that keeps getting tighter.
That framing is wrong. Here is the mechanism.
What's actually changing
Pegasus and tools like it are the bleeding edge. Techniques that were state-level in one year tend to show up in cheaper commercial tooling and criminal kits a few years later, once the patch ships and the fix is diffed, understood, and reimplemented against devices that never updated. Citizen Lab has documented suspected Pegasus infections across at least 45 countries, and the targets have expanded well beyond heads of state: journalists, lawyers, labor organizers, and executives at mid-sized companies have all shown up in the data. The threat isn't trickling down to your household yet. But the infrastructure (the zero-day broker market, the mercenary spyware vendors, the techniques for silent device compromise) is becoming more accessible, not less.
The second shift is AI-assisted spear phishing. The reason Pegasus commands such a premium is that it doesn't need you to click anything. Cheaper attacks still do. But large language models have dramatically lowered the cost of crafting convincing, personalized lures. A message that arrives looking like it's from your kid's school district, your bank's fraud team, or your employer's IT helpdesk is now achievable at scale by actors who previously couldn't write convincing English. Recent analysis from several digital-rights organizations has flagged this convergence explicitly: sophisticated intrusion techniques at the top of the market, AI-assisted social engineering flooding the middle.
Your household is in the middle.
What we'd actually do
Enable Lockdown Mode on your iPhone, especially for the adults in the house most likely to be targeted. Apple released Lockdown Mode in iOS 16 specifically as a response to Pegasus-style zero-click attacks. It blocks most message attachment types other than a few image, video, and audio formats, disables link previews, turns off some web technologies (including just-in-time JavaScript compilation) unless you exclude a site, and refuses wired connections to a computer or accessory while the phone is locked. The trade is a smaller attack surface for a few visible costs: some websites render more slowly, and some attachments and invitations from people not already in your contacts are blocked. Most families will barely notice. Go to Settings → Privacy & Security → Lockdown Mode. It takes two minutes, and it is a per-device setting, so do it on each phone and iPad rather than once per Apple ID. If you're on Android, the equivalent hardening is more fragmented: enroll the Google account in Google's Advanced Protection Program, turn on the Advanced Protection device setting where the release offers it (Android 16 and later), and, at minimum, keep the device on the current monthly security patch level, because a phone that can no longer receive patches is the one most worth replacing.
Treat software updates as a security event, not an annoyance. The single most common vector for device compromise below the Pegasus tier is a known, already-patched vulnerability in an operating system or app. A meaningful share of households run devices more than two major OS versions behind, and a patch is itself a roadmap: once a fix is public, attackers diff it and build exploits for everyone who hasn't applied it yet. Every week you delay an update is a week an exploit that's already been closed for everyone else is still open against your household. Set every device in the house to auto-update overnight, and check the setting actually took on each device rather than assuming it did.
Audit who has physical access to your devices. Zero-click exploits aside, a large share of household-level compromise, stalkerware in particular, still starts with a brief hands-on moment: an unlocked phone handed to someone for a "quick call" is enough to install a monitoring app or approve a pairing prompt from an unknown computer or charging station. The Citizen Lab case was a remote compromise, but it is a reminder that awareness of the risks does not by itself protect anyone; the habits do. Keep your phone on your person or in a drawer you control when you're outside your home, and say "don't trust" to any pairing prompt you didn't expect.
Run a family conversation about link discipline, not a lecture. The AI-assisted phishing shift means the barrier for a convincing malicious message is gone. Your teenagers especially need a simple rule they'll actually use: if a link or attachment arrives unexpectedly, even from a known contact, verify through a second channel before clicking. The reason the rule has to be this blunt is that the link text and the destination are two different things: a lure can say "your bank" while the actual hostname is something else entirely, and a hostname that looks right can be built from characters that only look like the right ones. One sentence, one rule. Don't turn it into a 45-minute cybersecurity seminar.
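For the technically inclined parent, the following is an added example of what "the link text and the destination are two different things" means in practice. It is not code from the original article or from Citizen Lab, and everything in it is constructed: the TRUSTED table stands in for the handful of domains a household actually deals with, the sample URLs are made up, and the registrable domain is approximated as the last two labels rather than looked up in the Public Suffix List. It flags the tricks a convincing lure still has to hide somewhere in the URL: a brand name parked in a subdomain, credentials before an @ so the real host comes last, a raw IP address, and lookalike hostnames built from punycode or confusable characters.

```python
"""Triage a link by what its hostname actually is, not by what it looks like.

Added example for this article, not code from the original page. Assumptions:
TRUSTED and all sample URLs are constructed; the registrable domain is
approximated as the last two labels instead of using the Public Suffix List.
"""
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Constructed table of the domains a household actually deals with (hypothetical).
TRUSTED = {"example-bank.com", "school-district.example"}

# A few glyphs that render like ASCII letters (Cyrillic) plus digit-for-letter swaps.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u04cf": "l",
    "0": "o", "1": "l", "3": "e", "5": "s",
})


def skeleton(label: str) -> str:
    """Map a label to a crude 'what it looks like' form so lookalikes collide."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    return s.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def unicode_host(host: str) -> str:
    """Decode xn-- labels to the Unicode string an address bar would display."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed punycode


def registrable_domain(host: str) -> str:
    """Last two labels; a real tool would consult the Public Suffix List."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(url: str) -> list[str]:
    """Return finding codes for a URL; an empty list means nothing looked off."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        findings.append(f"scheme:{parts.scheme}")
    if parts.username is not None:
        # "https://example-bank.com@evil/" shows the brand first; the host is 'evil'.
        findings.append(f"userinfo:{parts.username}")
    try:
        ipaddress.ip_address(host)
        findings.append("raw-ip")
    except ValueError:
        pass
    if any(ord(c) > 127 for c in host):
        findings.append("non-ascii-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode")
    shown = unicode_host(host)
    reg = registrable_domain(shown)
    for brand in TRUSTED:
        if reg == brand:
            continue  # genuinely the trusted domain (or a subdomain of it)
        core = brand.split(".")[0]
        if core in shown:
            findings.append(f"brand-in-hostname:{brand}")  # brand parked in a subdomain
        if skeleton(reg.split(".")[0]) == skeleton(core):
            findings.append(f"lookalike:{brand}")  # same shape, different domain
    return findings


if __name__ == "__main__":
    for sample in (
        "https://www.example-bank.com/login",
        "https://example-bank.com.secure-login.example/verify",
        "https://example-bank.com@203.0.113.7/",
        "https://ex\u0430mple-bank.com/",  # Cyrillic 'a'
    ):
        print(sample, "->", triage(sample) or "clean")
```

The point of the skeleton step is that the comparison is done on what the characters look like, which is all a human reader ever gets; the trusted entry survives only when the registrable domain is byte-for-byte the one you expect. That is also why the household rule is "verify through a second channel" rather than "look carefully": the eye is exactly the sensor these tricks are built to fool.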
Use a password manager and turn on passkeys wherever they're offered. This is the unglamorous infrastructure that makes every other protection more durable. If your household still relies on reused passwords, a compromised account on one service cascades everywhere. Most major password managers have a family plan under $5 per month. Passkeys, now supported by Google, Apple, and Microsoft accounts, replace the password with a key pair bound to your device, and the browser will only present it to the site it was registered for, which is what makes a passkey unphishable: a lookalike login page has nothing to collect.
The bigger picture
The Citizen Lab finding is striking because of its symbolism: an investigator of spyware, compromised by spyware. But the household-level lesson isn't "the world is surveilled and hopeless." It's that digital hygiene has compounding returns. Pegasus exploits vulnerabilities that are unpatched at the moment of use, plus design assumptions baked into stock operating systems. Apple built Lockdown Mode in direct response to the mercenary spyware that researchers like Citizen Lab kept documenting. Every update Apple ships closes attack surface that was open the week before.
The goal here isn't to achieve perfect security. It's to make your household a harder target than the one next to you, and to make the cost of compromising you higher than the value an attacker would get. That's durability. It's achievable this weekend, without spending money you don't have.