MeetingTV Sues Palo Alto Networks' Koi Security Over AI-Hallucinated Threat Report
Key Takeaways
- ▸AI-generated security reports can cause severe real-world damage when hallucinations are published without proper verification or victim notification
- ▸Koi Security relied on an unsupervised LLM to generate threat correlations that later proved entirely false, raising questions about AI oversight in critical security work
- ▸Global blocking of MeetingTV's services demonstrates how AI-generated misinformation can cascade through the security infrastructure ecosystem with minimal recourse
Summary
MeetingTV, a video conferencing and webinar startup, has filed a lawsuit against Palo Alto Networks and its acquired Koi Security division, alleging that Koi published a false threat report generated using an LLM that hallucinated connections between the startup and Chinese espionage operations. According to court documents, Koi's proprietary 'Wings' analytical platform generated erroneous correlations linking MeetingTV and its Zoomcorder recording service to a fictional criminal group called DarkSpectre, falsely claiming the company provided infrastructure for a large-scale malware and corporate espionage campaign.
The December 30 blog post triggered a global cascade of service blocks, with security companies and providers including Verizon and Palo Alto Networks itself blacklisting MeetingTV's domains as malware and command-and-control infrastructure. MeetingTV's founder Michael Robertson reported that he was never contacted by Koi before or after publication, and discovered the report only after his company began experiencing unexplained service blocks. The blog post has since been silently edited to remove references to MeetingTV.
Palo Alto Networks completed its acquisition of Koi Security in April 2026 and has not commented on the specific allegations, stating only that it believes Koi's research reflects a commitment to identifying threats. Robertson has directly appealed to Palo Alto CEO Nikesh Arora, noting that the continued blocking of MeetingTV's services combined with LLM-generated misinformation creates a potentially existential threat to the startup.
- The silent editing of the blog post and lack of pre- or post-publication communication with the accused party highlights governance gaps in AI-driven threat intelligence publishing



