Skip to main content
CybersecurityHacking

Startup Sues Palo Alto Networks Unit Over AI-Generated Espionage Claims

Modern office setup with laptop on desk, cityscape through window.

"If people on the internet are blocked from reaching your company, then that's a death sentence," said Michael Robertson, founder and CEO of MeetingTV, after his startup was labeled in a threat report as part of a Chinese espionage operation.

MeetingTV's lawsuit against Koi Security and Palo Alto Networks

MeetingTV has filed suit against Koi Security, its researchers, and Palo Alto Networks, alleging that a December 30 threat report falsely connected the video conferencing and webinar startup to a Chinese corporate espionage operation. The complaint accuses Koi of the “reckless publication of an AI-driven cybersecurity report that falsely accused Plaintiff MeetingTV Inc. of criminal conduct,” according to court documents. MeetingTV says the report named its product Zoomcorder as core infrastructure for a well-funded Chinese criminal organization running a large-scale malware and corporate espionage campaign.

Alleged AI-driven analysis and the Wings platform

The lawsuit asserts that Koi relied on its proprietary “Wings” analytical platform and an LLM to generate the threat report, and that the AI system hallucinated findings about MeetingTV. MeetingTV alleges those hallucinated connections created “erroneous correlations” between the startup’s business and an alleged cybercriminal actor Koi called DarkSpectre. Michael Robertson told The Register that Koi “admit to using AI for their analysis,” and the complaint frames the false attributions as “the direct product of Koi’s unsupervised reliance” on the platform.

The disputed technical link: Zoomcorder, Zoom Stealer, and a missing extension

Koi’s blog originally tied MeetingTV’s Zoomcorder product to a campaign Koi labeled “Zoom Stealer,” attributing that campaign to DarkSpectre via a browser extension identified as “Twitter X Video Downloader.” The lawsuit and Robertson say that the extension does not exist and that Koi “refused to supply information” about the software when MeetingTV requested it. According to the complaint, Koi described the alleged extension as the “critical bridge connecting the Zoom Stealer campaign (defined entirely by Plaintiff’s infrastructure) to ShadyPanda, core DarkSpectre infrastructure.” Koi’s blog has since been silently edited to remove references to Zoomcorder.

Operational effects: blocks, labels, and damaged access

MeetingTV says the report prompted security companies and service providers worldwide to block its domains and services, labeling them as malware and command-and-control infrastructure. Robertson told The Register that the blocks were how he first learned of the Koi report: “I was contacting the security companies one by one asking them to unlock us. Most never respond in any fashion, but one finally did respond and told us he was blocking us because of the Koi report and he gave us the url.” The lawsuit says that providers including Verizon and Palo Alto Networks continue to block MeetingTV’s services.

Palo Alto Networks’ response and the corporate timeline

A Palo Alto Networks spokesperson told The Register the company “is aware of the lawsuit brought by MeetingTV Inc. regarding a threat research report published by Koi Security prior to the acquisition,” and added, “We believe Koi’s cybersecurity research reflects its commitment to identifying and exposing threats to users and enterprises, and we expect that this dispute will be resolved through the appropriate legal process.” Palo Alto completed its Koi acquisition in April; MeetingTV says Koi did not contact it before publishing the report and “Even after publishing they never contacted us,” Robertson said. After the acquisition closed Robertson emailed Palo Alto CEO Nikesh Arora directly seeking retraction and removal of MeetingTV’s domains from blacklists.

How technologists, service providers, and startups are responding

  • Technologists and security teams: The complaint centers on the claimed use of AI and an analytical platform that produced allegedly spurious correlations. Teams that rely on third-party threat intelligence will watch for how Koi’s methods — and the role of the Wings platform and any LLMs it uses — are documented or defended in court.
  • Security companies and service providers: Providers that blocked MeetingTV’s domains are already operational actors in this dispute; MeetingTV reports persistent blocks by multiple vendors, and the company has been forced to request removals individually.
  • Startups and affected enterprises: MeetingTV says the labeling and blocks caused immediate harm and reputational damage. Its CEO framed the issue as an example of how algorithmic findings, once published, can spread to LLMs and control access unless there is human review or a formal retraction.

MeetingTV’s suit frames the episode as more than an isolated research error: it raises a concrete question about how AI-assisted threat analysis is reviewed, published, and operationalized by vendors and providers. The complaint asks the court to address those consequences for MeetingTV; Palo Alto Networks has said it expects the dispute to be resolved through the legal process. For now, MeetingTV remains blocked by multiple providers, its Zoomcorder references removed from Koi’s blog, and the legal record the primary venue where these contested technical claims will be tested.

Original story