MeetingTV has sued Palo Alto Networks after its newly acquired Koi Security threat-intelligence biz published a blog that linked the video conferencing and webinar startup to a Chinese corporate espionage operation. The legal complaint filed against Koi Security, its researchers, and Palo Alto Networks alleges that Koi used an LLM to generate the threat report, the AI system hallucinated findings about MeetingTV, and the security shop then published those as facts in a December 30 blog. It accuses Koi of “reckless publication of an AI-driven cybersecurity report that falsely accused Plaintiff MeetingTV Inc. of criminal conduct including operating core infrastructure for a well-funded Chinese criminal organization running a large-scale malware and corporate espionage campaign,” according to court documents [PDF]. “The false attributions were the direct product of Koi’s unsupervised reliance on their proprietary ‘Wings’ analytical platform, which generated erroneous correlations between the Plaintiff’s business and an alleged cybercriminal actor they called DarkSpectre,” the lawsuit continues. A Palo Alto Networks spokesperson told The Register that the company “is aware of the lawsuit brought by MeetingTV Inc. regarding a threat research report published by Koi Security prior to the acquisition,” but declined to answer our specific questions about MeetingTV’s allegations and the Koi blog. “We believe Koi’s cybersecurity research reflects its commitment to identifying and exposing threats to users and enterprises, and we expect that this dispute will be resolved through the appropriate legal process,” the spokesperson said. Koi’s blog, which has since been silently edited to remove references to MeetingTV’s product called Zoomcorder, originally labeled the meeting recording service as a “public-facing front” for a Chinese criminal operation and said it lent “credibility to the infrastructure while serving as a monetization channel” - allegations MeetingTV disputes in its lawsuit. The blog also claimed the operation was behind a 2.2-million-user campaign stealing corporate meeting intelligence. As a result of the report, MeetingTV says, security companies and service providers around the globe blocked MeetingTV’s domains and services, labeling it as malware and command-and-control infrastructure. The startup’s founder and CEO, longtime entrepreneur Michael Robertson, told us the blocks are the only way he found out about the Koi report in the first place. According to Robertson, Koi did not reach out to MeetingTV prior to publishing its threat report. “Even after publishing they never contacted us,” he told The Register. “I was contacting the security companies one by one asking them to unlock us. Most never respond in any fashion, but one finally did respond and told us he was blocking us because of the Koi report and he gave us the url.” Robertson says he’s still struggling, as providers including Verizon and Palo Alto Networks, which completed its Koi acquisition in April, continue to block his startup. “If people on the internet are blocked from reaching your company, then that's a death sentence,” he said. “Plus all the LLMs now say we're working with Chinese cyber criminals. How will that ever get removed?” After the acquisition closed, Robertson emailed Palo Alto CEO Nikesh Arora directly and asked him to take action. “Now your company owns Koi and is continuing to publish and rely on the false report,” the email said. “Our domain and Google subdomains are blocked and labeled as malware and command and control by your company and others around the world … Take down the false report which is defaming us and in its place put a full retraction. Remove our domains from your own blacklist and help get them removed from others who are blocking us because of the Koi report.” A mysterious extension The December blog linked Zoomcorder to the Zoom Stealer campaign, which it attributed to the Chinese threat actor DarkSpectre, via a browser extension identified as "Twitter X Video Downloader." According to Robertson and the lawsuit, however, this extension doesn’t exist – and Koi “refused to supply information” about the software when MeetingTV requested it. “Koi’s single-actor theory rested on a fabricated technical ‘pivot’ – a single piece of software they repeatedly identified as the ‘Twitter X Video Downloader’ extension,” the lawsuit alleges. “This alleged extension was described as the critical bridge connecting the Zoom Stealer campaign (defined entirely by Plaintiff’s infrastructure) to ShadyPanda, core DarkSpectre infrastructure.” Robertson said he believes Koi used an LLM to generate the threat report, and it hallucinated findings about MeetingTV’s Zoomcorder product that the security shop published as facts. “They admit to using AI for their analysis,” Robertson said. “Maybe a human made it all up? Maybe it was AI? What's clear is that if the software doesn't exist, then even the most rudimentary analysis is impossible to do, yet they labeled our urls, services, and software as criminals.” The bigger picture in all of this, according to Robertson, is that we know AI systems hallucinate. Their findings should not be accepted as fact without any human review. “We're on the doorstep of an era where AI will be used to make critical life-altering decisions on people's lives: Did you pay your taxes, what your credit rating should be, will you get admitted to the University, do you qualify for the home loan, should you be on the no-fly list, etc.,” Robertson said. “Will these be made without human oversight? Will people have due process – see the accusations against them, present their own evidence, have a neutral arbiter? None of that happened in our case,” he continued. “They just declared us criminals and published it to the world.”®
The office of Rob Bonta, California's attorney general, is suing 23andMe for the data protection failings that led to the genetics company's disastrous 2023 breach. Bonta and his team claim [PDF] that 23andMe failed to implement adequate security controls for the sensitive records it stored, and misled customers about the nature of the mishap after the fact. "23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach," said Bonta on Thursday. "Our investigation found that the company failed to take basic steps to protect users' data – data including the sensitive personal information, family histories, and health conditions of consumers "The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence – and explicitly called attention to the deeply personal and identifying nature of that information. This is disturbing and incredibly dangerous. Today, my office is suing 23andMe for its categorical failure to comply with California law." The lawsuit was filed against Chrome Holding Co., formerly known as 23andMe. TTAM Research Institute bought 23andMe's assets last year. TTAM Research Institute was founded and is led by Anne Wojcicki, who was also 23andMe's CEO at the time of the breach and one of the company's co-founders. The nonprofit's purchase of 23andMe assets was completed on July 14, 2025, at which time it promised to run 23andMe charitably, using its data to further medical research and education. 23andMe continues to operate as it always did, taking customers' saliva samples and turning it into fun insights, such as what percentage of their makeup is Neanderthal, and whether their DNA makes them more or less likely to enjoy a scattering of cilantro on their food. 'Disturbing' Announcing the lawsuit, Bonta's office used "disturbing" no less than three times to describe the events that transpired before and after 23andMe's mega breach. To recap, a cybercriminal going by the name Golem popped up on a forum in 2023 claiming to offer a slew of data belonging to millions of 23andMe customers. Investigations carried out by regulators later found that Golem only breached around 14,000 accounts, but because of 23andMe's DNA relatives feature, which allows users to connect with other 23andMe users who share a percentage of the same DNA, the crook was able to access the details of nearly 7 million customers. It also soon emerged that 23andMe failed to spot the intrusion for five months, and the 14,000 or so accounts Golem accessed were compromised as a result of credential-stuffing attacks. What followed was a multi-faceted game of finger-pointing. 23andMe's decision to blame customers for recycling credentials instead of admitting it should have mandated 2/MFA on all accounts by default went down about as badly as one might expect. To this day, 23andMe allows customers to use its service without 2/MFA, although it issues regular prompts to those who don't have it set up. Regulators, on the other hand, highlighted that the company's security practices were less than perfect, while security experts were divided. Many agreed there was blame to be placed on both sides. Then came the fines and the settlements. The UK's Information Commissioner hit the company with a £2.3 million ($3.09 million) fine in June 2025, three months after the bankruptcy filing. In its ruling, it echoed the findings of US authorities from 2023, accusing the company of relying on inadequate password requirements. The Information Commissioner rebuked 23andMe for failing to detect the intrusion promptly and not implementing measures to prevent bulk downloading of genetic data. 23andMe also settled a class action lawsuit for $30 million in 2024. Bonta's office alleged that 23andMe’s statements to customers were "misleading and omitted or misrepresented critical information." "While 23andMe assured the public that it had not experienced a data security incident within its systems, downplayed the sensitivity of the stolen data by claiming that the information stolen from the 'DNA Relatives' feature was essentially public, and attempted to shift blame for the breach to its customers, 23andMe was simultaneously negotiating and paying a ransom to the threat actor in exchange for, among other things, the threat actor removing damaging information regarding the breach that had been posted online and providing information about multiple 23andMe security vulnerabilities, including vulnerabilities the threat actor exploited during the data breach." The Register contacted 23andMe's publicists for a response. We only received one on behalf of the 23andMe Research Institute, which despite managing requests directed to the 23andMe platform's only press contact address, distanced itself from Chrome Holding, which, like TTAM Research Institute, does not have a public-facing contact. It also did not help us contact 23andMe's operator. The institute said: "The 23andMe Research Institute is a newly established independent nonprofit organization and is not involved in the matters described in the California Attorney General's complaint filed against Chrome Holding Co., formerly known as 23andMe. The lawsuit pertains to events and operations associated with the former commercial entity prior to the creation of the 23andMe Research Institute. The institute was not involved in the complaint and has no role in the underlying litigation. "The 23andMe Research Institute is focused on advancing nonprofit scientific and health research with a strong commitment to privacy, ethics, transparency, and responsible data stewardship." ®