MeetingTV sues Palo Alto Networks for allegedly trusting AI to falsely link them to Chinese espionage
When an allegedly AI-hallucinated security report falsely linked MeetingTV to Chinese hackers, its traffic vanished. The startup is trying to fight back.

Image by Cybernews.
- MeetingTV alleges Koi Security published unverified AI-generated findings that falsely implied Chinese espionage ties
- The report triggered widespread domain blocking, devastating traffic, revenue, and MeetingTV’s business operations
- Palo Alto argues the report addressed public cybersecurity concerns, not direct criminal accusations against MeetingTV
- Koi later said additional validation found no evidence linking MeetingTV to malicious infrastructure
MeetingTV, the video conferencing and webinar startup, is fighting allegations that it’s actually a Chinese corporate espionage operation. According to the firm, the fateful security report by Koi Security included AI-hallucinated findings that weren’t double-checked.
For half a year now, MeetingTV has been labeled malware and command-and-control infrastructure by most service providers worldwide. Naturally, revenue has shrunk to the bare minimum.
But in a legal complaint, the firm says that’s because late last year, Koi Security, a subsidiary of Palo Alto Networks, allegedly used AI to generate an inaccurate report and say that MeetingTV is a Chinese corporate espionage operation.
According to the complaint, Koi Security didn’t bother to verify AI-generated findings and published them as facts. Contradictory evidence was allegedly ignored in the December 30th report, published 4 months before Palo Alto Networks acquired Koi Security.
“Koi Security’s reckless publication”
In the report, researchers said they have uncovered malicious browser extension campaigns that have impacted millions of browser users worldwide. The same Chinese threat actor DarkSpectre was thought to be behind the campaigns.
The campaign, codenamed The Zoom Stealer, used 18 extensions across Chrome, Edge, and Firefox to facilitate corporate intelligence by collecting data from online meetings, including meeting URLs with embedded passwords, meeting IDs, topics, descriptions, scheduled times, and registration status.
Although Koi didn’t expressly state that MeetingTV itself was a threat actor, it identified MeetingTV’s infrastructure as the operational backbone of the alleged malware campaign.
In the complaint, MeetingTV says: “This action arises from Koi’s reckless publication of an AI-driven cybersecurity report that falsely accused Plaintiff MeetingTV Inc. of criminal conduct, including operating core infrastructure for a well-funded Chinese criminal organization running a large-scale malware and corporate espionage campaign.”
The false attributions were the direct product of Koi’s unsupervised reliance on their proprietary “Wings,” MeetingTV further claims in the complaint – by the way, also drafted with the help of AI.
Check if your data has been leaked
The report associated MeetingTV with allegations of malware distribution, credential theft, corporate espionage, and Chinese cybercrime. The company, of course, is denying all that.
The report has by now been silently edited, but the original version claimed that MeetingTV’s product Zoomcorder was a “public-facing front” for a Chinese threat actor and named Meeting[TV].us as a domain lending credibility to the campaign.
Hallucinated an extension?
MeetingTV founder and CEO Michael Robertson told The Register that Koi Security never reached out to the company before publishing the threat report. He only found out about it when MeetingTV’s domains and services were blocked globally.
According to Robertson, providers, including Verizon, continue to block the startup. He calls the situation “a death sentence.”
In their motion for dismissal, Palo Alto said the report never expressly identified MeetingTV as the criminal organization, never stated that MeetingTV knowingly participated in criminal activity, and never accused MeetingTV itself of committing crimes.
The lawsuit alleges: “Koi’s single-actor theory rested on a fabricated technical ‘pivot’ – a single piece of software they repeatedly identified as the ‘Twitter X Video Downloader’ extension.” MeetingTV says this extension doesn’t actually exist.
“Security vendors, threat intelligence feeds, and network operators automatically ingested the report's false indicators of compromise and began blocking plaintiff's domains worldwide. As a direct result, plaintiff's lawful services were widely classified as malicious infrastructure associated with cybercrime,” the complaint says.
In their motion for dismissal, Palo Alto said the report never expressly identified MeetingTV as the criminal organization, never stated that MeetingTV knowingly participated in criminal activity, and never accused MeetingTV itself of committing crimes.
Allowing lawsuits whenever an affected party disagrees with a threat intelligence report would chill valuable research and undermine information sharing, the firm said.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
“The speech at issue – the results of extensive research into cybersecurity threat actors – goes to the heart of an important public issue: safety and security online,” Palo Alto wrote.
“The report, published on a research blog available to the public with no paywall, identified IOCs tied to malware campaigns affecting enterprise users worldwide. The report is safety research, not competitive mudslinging.”
However, already in February, Koi Security said in an update that it conducted “additional validation” regarding MeetingTV and determined there was no evidence “that this domain is connected or related in any way to the malicious infrastructure or the threat actor group described in this report.”