Agentic AI
,
Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime
MeetingTV Says Koi’s AI Analysis Tool Wrongly Tied it to Malware Infrastructure

MeetingTV sued Palo Alto Networks subsidiary Koi Security and accused the company of falsely linking the legitimate videoconferencing and webinar startup to a Chinese cybercrime operation.
See Also: Know Thy Enemy: Threats to Cyber Resilience
The San Diego-based company claims Koi published an AI-assisted cybersecurity report without adequate human verification, causing widespread technical blocks, reputational harm and lost business for MeetingTV. Palo Alto Networks said the report reflected protected analytical judgments rather than false statements of fact, and said the suit should be dismissed as an attempt to chill protected speech.
“This action arises from defendants’ publication of a cybersecurity report falsely accusing plaintiff MeetingTV, Inc. of operating infrastructure associated with a large-scale malware and corporate espionage campaign,” MeetingTV wrote in an 137-page complaint filed March 18 in U.S. District Court for the Southern District of California.
The research report in question was published by Koi on Dec. 30, less than four months before the endpoint posture management was acquired by Palo Alto Networks for $231 million. MeetingTV also sued Proofpoint in December for labeling webinartv.us as malicious, with the parties subsequently switching from litigation to alternative dispute resolution. Palo responded Tuesday to MeetingTV (see: Koi Purchase Bolsters Palo Alto’s AI Attack Surface Defense).
MeetingTV: Our Tool Works Like a Legitimate Browser Extension
Koi’s report generated false relationships between browser extensions, domains, cloud infrastructure and malware campaigns, and instead of treating AI-generated output as a lead requiring further probing, Koi allegedly presented them as definitive findings. MeetingTV said Koi failed to conduct basic attribution checks, ignored contradictory evidence and didn’t contact MeetingTV before publication.
“The false attribution resulted from defendants’ reliance on automated and artificial intelligence–assisted analytical tools that generated incorrect correlations between unrelated software artifacts and internet infrastructure,” MeetingTV wrote. “Automated threat-correlation systems are widely known within the industry to produce false positives unless their outputs are independently verified through manual forensic validation.”
Although Koi did not expressly state that MeetingTV itself was a threat actor, it conveyed that implication by identifying MeetingTV’s infrastructure as the operational backbone of the alleged malware campaign. The report associated MeetingTV with allegations of malware distribution, credential theft, corporate espionage and Chinese cybercrime, all of which MeetingTV denies.
“The report identified plaintiff’s domains and software as malicious indicators of compromise associated with a criminal organization allegedly responsible for infecting millions of users,” MeetingTV wrote in its complaint.
Many of the behaviors Koi characterized as malicious are ordinary features of legitimate browser extensions, MeetingTV said. Browser extensions commonly examine webpage URLs to determine context or provide additional functionality. MeetingTV asserts that its software openly disclosed these capabilities through the Chrome Web Store and complied with Google’s disclosure requirements.
“The false attributions were the direct product of Koi’s unsupervised reliance on their proprietary ‘Wings’ analytical platform, which generated erroneous correlations between the plaintiff’s business and an alleged cybercriminal actor they called DarkSpectre,” MeetingTV wrote in an 171-page amended complaint filed May 13.
Once Koi designated MeetingTV’s domains as indicators of compromise, security vendors, internet service providers, enterprise security products and automated threat intelligence feeds incorporated those indicators into their own systems, MeetingTV said. As a result, those systems then began blocking MeetingTV’s domains, warning users away from its services, and classifying its software as malicious.
“The publication triggered a cascading response across the global cybersecurity ecosystem,” MeetingTV wrote. “Security vendors, threat intelligence feeds and network operators automatically ingested the report’s false indicators of compromise and began blocking plaintiff’s domains worldwide. As a direct result, plaintiff’s lawful services were widely classified as malicious infrastructure associated with cybercrime.”
Palo Alto: Koi Never Accused MeetingTV of Committing Crimes
Palo Alto Networks said the report never expressly identified MeetingTV as the criminal organization, never stated that MeetingTV knowingly participated in criminal activity and never accused MeetingTV itself of committing crimes. Allowing lawsuits whenever an affected party disagrees with a threat intelligence report would chill valuable research and undermine information sharing, the firm said.
“The speech at issue – the results of extensive research into cybersecurity threat actors – goes to the heart of an important public issue: safety and security online,” Palo Alto wrote. “The report, published on a research blog available to the public with no paywall, identified IOCs tied to malware campaigns affecting enterprise users worldwide. The report is safety research, not competitive mudslinging.”
Because the report allegedly revealed the facts underlying its analysis, Palo Alto Networks argues that its conclusions constitute protected opinion under the First Amendment rather than actionable factual assertions. In other words, Palo Alto Networks contends that reasonable experts may disagree about attribution, but such disagreement doesn’t convert analytical judgments into defamation.
“All causes of action are premised on the content of a research blog on Koi’s website,” Palo Alto Networks wrote Tuesday in a 39-page motion to dismiss. “This implicates protected speech. Each claim, therefore, falls squarely within the scope of protection.”
Multiple third parties had already identified or questioned MeetingTV’s domains before Koi published the report, including user reports and an earlier Canadian governmental cybersecurity publication. Because MeetingTV’s domains had already attracted scrutiny, Palo Alto said the complaint can’t plausibly attribute all subsequent blocking decisions and reputational harm solely to Koi’s publication.
“The FAC [first amended complaint] tries to satisfy that element by relabeling the same technical report as a “marketing asset,” “commercial speech,” and “integrated sales collateral,” Palo Alto Networks wrote. “Labels do not make it so. The report is cybersecurity research, branded “KOI RESEARCH,” and published under a research-team byline.”
MeetingTV’s response to Palo Alto Networks’ motion to dismiss is due July 15, and Judge Anthony Battaglia has set a hearing for the motion on Oct. 15.
