Startup sues Palo Alto Networks' Koi Security, saying an AI-hallucinated report falsely linked it to Chinese espionage
Jump to main content
Search
REG AD
legal
Startup sues Palo Alto Networks' Koi Security, saying an AI-hallucinated report falsely linked it to Chinese espionage
MeetingTV wants to see the evidence
Jessica Lyons
Jessica<br>Lyons
Published<br>thu 2 Jul 2026 // 23:47 UTC
MeetingTV has sued Palo Alto Networks after its newly acquired Koi Security threat-intelligence biz published a blog that linked the video conferencing and webinar startup to a Chinese corporate espionage operation.<br>The legal complaint filed against Koi Security, its researchers, and Palo Alto Networks alleges that Koi used an LLM to generate the threat report, the AI system hallucinated findings about MeetingTV, and the security shop then published those as facts in a December 30 blog.<br>It accuses Koi of “reckless publication of an AI-driven cybersecurity report that falsely accused Plaintiff MeetingTV Inc. of criminal conduct including operating core infrastructure for a well-funded Chinese criminal organization running a large-scale malware and corporate espionage campaign,” according to court documents [PDF].
REG AD
“The false attributions were the direct product of Koi’s unsupervised reliance on their proprietary ‘Wings’ analytical platform, which generated erroneous correlations between the Plaintiff’s business and an alleged cybercriminal actor they called DarkSpectre,” the lawsuit continues.
REG AD
A Palo Alto Networks spokesperson told The Register that the company “is aware of the lawsuit brought by MeetingTV Inc. regarding a threat research report published by Koi Security prior to the acquisition,” but declined to answer our specific questions about MeetingTV’s allegations and the Koi blog.<br>“We believe Koi’s cybersecurity research reflects its commitment to identifying and exposing threats to users and enterprises, and we expect that this dispute will be resolved through the appropriate legal process,” the spokesperson said.<br>Koi’s blog, which has since been silently edited to remove references to MeetingTV’s product called Zoomcorder, originally labeled the meeting recording service as a “public-facing front” for a Chinese criminal operation and said it lent “credibility to the infrastructure while serving as a monetization channel” - allegations MeetingTV disputes in its lawsuit. The blog also claimed the operation was behind a 2.2-million-user campaign stealing corporate meeting intelligence.<br>As a result of the report, MeetingTV says, security companies and service providers around the globe blocked MeetingTV’s domains and services, labeling it as malware and command-and-control infrastructure.<br>The startup’s founder and CEO, longtime entrepreneur Michael Robertson, told us the blocks are the only way he found out about the Koi report in the first place. According to Robertson, Koi did not reach out to MeetingTV prior to publishing its threat report.<br>“Even after publishing they never contacted us,” he told The Register. “I was contacting the security companies one by one asking them to unlock us. Most never respond in any fashion, but one finally did respond and told us he was blocking us because of the Koi report and he gave us the url.”
MORE CONTEXT
Google says criminals used AI-built zero-day in planned mass hack spree
Anthropic co-founder hallucinates ghost in the machine
Palo Alto CEO says AI isn’t great for business, yet
Smooth AI criminal drives 'first' end-to-end agentic ransomware attack
Robertson says he’s still struggling, as providers including Verizon and Palo Alto Networks, which completed its Koi acquisition in April, continue to block his startup. “If people on the internet are blocked from reaching your company, then that's a death sentence,” he said. “Plus all the LLMs now say we're working with Chinese cyber criminals. How will that ever get removed?”<br>After the acquisition closed, Robertson emailed Palo Alto CEO Nikesh Arora directly and asked him to take action.
REG AD
“Now your company owns Koi and is continuing to publish and rely on the false report,” the email said. “Our domain and Google subdomains are blocked and labeled as malware and command and control by your company and others around the world … Take down the false report which is defaming us and in its place put a full retraction. Remove our domains from your own blacklist and help get them removed from others who are blocking us because of the Koi report.”<br>A mysterious extension<br>The December blog linked Zoomcorder to the Zoom Stealer campaign, which it attributed to the Chinese threat actor DarkSpectre, via a browser extension identified as "Twitter X Video Downloader." According to Robertson and the lawsuit, however, this extension doesn’t exist – and Koi “refused to supply information” about the software when MeetingTV requested it.<br>“Koi’s single-actor theory rested on a fabricated technical ‘pivot’ – a single...