Lawsuit accuses AI security company of publishing hallucinated findings
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Aïda Amer/Axios
MeetingTV, an online videoconferencing and webinar startup, is suing Palo Alto Networks and recently acquired threat-intelligence firm Koi Security over a security research report that linked its infrastructure to a Chinese hacking operation.
Why it matters: MeetingTV alleges that a hallucinated finding is behind the mix-up — raising questions about how companies are using AI in threat intelligence and who bears responsibility for the impact of security research.
State of play: MeetingTV filed a complaint against Koi Security on March 18, alleging the company falsely labeled its websites as infrastructure tied to a Chinese hacking operation in a report published on Dec. 30.
- Before filing its complaint, MeetingTV reached out to Koi's leadership asking the company to update its report and contact other security vendors that had labeled MeetingTV's domains as malicious.
- Many cybersecurity firms rely on threat intelligence like Koi's to determine which websites, domains and services should be blocked to protect customers from malicious activity.
Koi updated the report on Feb. 12 and removed one MeetingTV domain.
- "While the domain appeared in code analyzed during our investigation, we have determined that there is no evidence that this domain is connected or related in any way to the malicious infrastructure or the threat actor group described in this report," the update on the research report reads.
- But MeetingTV CEO Michael Robertson says the company's infrastructure remains blocked across multiple security products and services.
- Palo Alto Networks acquired Koi in April and was later added as a defendant in MeetingTV's amended complaint.
What they're saying: "We have expended considerable effort to get unblocked," Robertson told Axios. "It's laborious and often impossible because there are hundreds of lists, and it's unclear which connectivity companies or businesses use which security company."
- Robertson said he has contacted numerous security vendors asking them to remove MeetingTV's domains from their products. Most either did not respond or indicated that enterprise customers would expect them to continue blocking the domains.
- As of early June, some, but not all, cybersecurity vendors had started downgrading MeetingTV's domain from malicious to medium-risk labels, according to scans reviewed by Axios.
The other side: A Palo Alto Networks spokesperson told Axios the company is "aware of the lawsuit brought by MeetingTV Inc." and believes "Koi's cybersecurity research reflects its commitment to identifying and exposing threats to users and enterprises."
- The company declined to answer Axios' questions about Koi's use of AI, the findings in the report or MeetingTV's allegations, but added that "we expect that this dispute will be resolved through the appropriate legal process."
The intrigue: At the center of the lawsuit is MeetingTV's allegation that Koi relied on AI outputs that erroneously linked the company to a broader cybercrime operation.
- In an amended complaint filed in May, MeetingTV focused heavily on Koi's reporting about a browser extension that the report cited as linking the "Zoom Stealer" campaign to a broader DarkSpectre operation.
- MeetingTV argues the extension cannot be identified among the extension IDs listed in the report and says that discrepancy could point to an AI-generated error or another fundamental flaw in Koi's analysis.
Reality check: While Koi uses AI in its products to analyze software, browser extensions and other digital tools, none of MeetingTV's court filings provide direct evidence showing that AI systems generated the allegedly erroneous findings.
The big picture: Whether AI was involved or not, the dispute highlights a broader question facing the cybersecurity industry: How much responsibility do cyber researchers have for the impact of their findings?
- MeetingTV is arguing that once the threat intelligence was published, it quickly spread through security vendors' products and triggered traffic blocks that have been near-impossible to reverse.
Yes, but: Koi argued in an April motion to dismiss the suit that MeetingTV's claims weren't worthy of a hearing because cybersecurity research is protected speech and the report never accused MeetingTV itself of being the threat actor.
- Koi also argues that there are other reasons why security vendors may have blocked MeetingTV's infrastructure, including past online complaints about the platform and another piece of security research from cyber firm Proofpoint that also labeled MeetingTV as malicious. (Robertson told Axios that the dispute with Proofpoint was resolved quickly.)
What to watch: Koi has until June 30 to respond to MeetingTV's amended complaint.
- MeetingTV requested last month that the two parties enter an early discovery phase to ensure that no evidence is deleted or obscured before the hearing.
Go deeper: AI is still getting things wrong, more confidently than ever
