Koi founders.

Palo Alto Networks and Koi Security sued over alleged AI error in cyber threat report

MeetingTV claims a flawed intelligence classification led to global blocking of its services.

A cybersecurity report intended to map Chinese-linked espionage activity has escalated into a legal dispute spanning Silicon Valley and Israel, after a U.S. startup alleged it was wrongly identified as part of a hostile network due to an artificial intelligence error.
In March, U.S. media company MeetingTV filed a lawsuit in federal court in Southern California against cyber firm Koi Security and its four Israeli founders, Amit Assaraf, Idan Dardikman, Tuval Admoni, and Gal Hachamov. Cybersecurity giant Palo Alto Networks, which acquired Koi in April for hundreds of millions of dollars, was added as a defendant in May 2026.
Koi founders.
(Photo: Omer Hacohen)
At the center of the lawsuit is the claim that a flawed artificial intelligence system at the cybersecurity company caused the complete destruction of legitimate business activity due to what is known as “AI hallucination.”
According to the complaint, at the end of December 2025, Koi Security published a threat intelligence report titled “DarkSpectre: Unmasking the Threat Actor Behind 8.8 Million Infected Browsers,” which examined espionage and cyber infrastructure linked to an attack group allegedly operating under Chinese state direction. As part of the report, Koi added the domain of MeetingTV to its IOC (Indicators of Compromise) list, effectively marking the company as part of a Chinese-linked espionage infrastructure.
MeetingTV claims the classification was fundamentally incorrect and did not stem from traditional forensic investigation, but rather from an erroneous output generated by Koi’s proprietary AI system, “Wings.” The plaintiff alleges that Koi negligently published the findings without sufficient human oversight or verification.
The consequences, according to the lawsuit, were immediate and severe. Once the report circulated in the cybersecurity community, security vendors, enterprise firewalls, and defense contractors around the world began automatically blocking traffic to MeetingTV’s website and application. The complaint describes a catastrophic collapse in online visibility, operational disruption, and severe damage to revenue and reputation, which the company says effectively destroyed its business continuity.
Koi Security later issued an update to its report, clarifying that a subsequent review found no evidence linking MeetingTV’s domain to Chinese malicious activity. However, MeetingTV argues that by then the damage had already been done.
Palo Alto Networks and Koi Security reject the allegations. They argue that the report concerned broad cybersecurity intelligence analysis and did not amount to a direct accusation of criminal conduct against MeetingTV.
Palo Alto Networks filed a motion to dismiss last week. In its defense, the company argues that the report did not accuse MeetingTV of criminal wrongdoing or intentional collaboration with hackers, but rather presented a broader analysis of internet infrastructure. The legal argument emphasizes that cybersecurity researchers require protection from defamation claims for good-faith analytical errors in matters of public interest.
“The speech at issue, the results of extensive research into cybersecurity threat actors, goes to the heart of an important public issue: safety and security online,” Palo Alto wrote.
“The report, published on a research blog available to the public with no paywall, identified IOCs tied to malware campaigns affecting enterprise users worldwide. The report is safety research, not competitive mudslinging.”