Investment firm accused of ‘surveilling’ AI startup founder

MANHATTAN (CN) — The founder of an up-and-coming artificial intelligence company is accusing an investment firm of targeting him with a “premeditated series of cyber intrusions,” possibly stemming from his work in the tech industry.

Michael Lafave, the founder of Cette AI, filed a lawsuit on Tuesday in New York County Supreme Court against Voya Financial, which he accuses of using his personal information to “exfiltrate [his] valuable proprietary AI models” from his personal devices.

“Defendants used sophisticated remote-access capabilities to obtain or attempt root-level access without triggering ordinary security mechanisms,” Lafave claims in a 35-page complaint. “These attacks required prior knowledge of plaintiff’s device environment, including the type of personal device he used, his operating system, his location and related metadata.”

According to Cette’s Instagram account, the AI company uses machine learning to “create rapid innovation in the field of materials engineering.” Lafave’s lawsuit calls it an enterprise “focused on artificial intelligence, quantum computing-related technologies and environmental infrastructure.”

The technology is valuable, Lafave claims. He said a Voya report valued a subset of Cette’s AI portfolio at between $50 million to $100 million, an estimate he called conservative. Voya, which Lafave says operates AI entities of its own, would “materially benefit from [his] stolen intellectual property.”

Lafave says the surveillance by Voya started in 2025 when he filed a claim for long-term disability benefits from Voya, stemming from a car accident two years earlier that left him unable to perform cognitively demanding work.

It was because of that disability claim that Lafave disclosed to Voya his location — a remote cottage in Ontario, Canada — as well as his disability status, treatment needs and valuation materials of his company.

Lafave says Voya used that information to remotely access his devices and accounts without authorization, starting on Christmas Day in 2025.

“Beginning on or about Dec. 25, 2025, plaintiff Lafave’s network and devices began exhibiting unusual and unexplained behavior,” he claims. “Upon information and belief, on Dec. 25, 2025, at least two unauthorized machine-to-machine devices accessed his network.”

The following day, he says he “observed activity consistent with an attempt to erase, overwrite or destroy evidence of the intrusion.”

Among that activity was more than 3 billion dropped packets — data that failed to reach its destination — associated with a nonpublic-facing IP address. That’s rare for a rural location like his family’s rural cottage, and is “consistent with an effort to overwrite, purge or obscure evidence” of an intrusion.

He also claims his home Wi-Fi extender had been spoofed, leading him to believe that the unauthorized device masked itself using the extender’s media access control address.

“The scale and character of the Dec. 26, 2025, activity would have required specialized equipment, infrastructure or machine-to-machine capabilities not ordinarily present in a rural residential network environment, and not sold to retail customers,” Lafave claims.

He noticed similar activity in the weeks that followed. He says a remote root account — the ultimate administrator account in a computer system, with unrestricted privileges — had breached his MacBook Pro using thousands of rapid “bursts” at “extreme speed,” once again leading him to believe he had been subjected to unauthorized remote access and “automated exploitation.”

Lafave additionally claims Voya “hijacked” his GitHub account and transferred some of his code. He even accuses the investment firm of placing him under “physical surveillance or location-based monitoring” after an anti-stalking alert was triggered on one of his Apple devices.

Lafave’s counsel sent Voya a cease-and-desist letter and a preservation notice on Jan. 19, informing the company of these various concerns. According to Lafave, Voya responded nearly two months later and attributed any activity to his disability claim.

“Voya made no mention of the cyber intrusion allegations against it,” Lafave argues.

He claims he’s out thousands of dollars after having to investigate the supposed intrusion, and says he suffered emotional distress and ongoing concern regarding his personal and digital security. In his 11-count complaint, Lafave accuses Voya of violating the Computer Fraud and Abuse Act, misappropriating trade secrets, trespass to chattels, unfair competition, civil conspiracy, unjust enrichment and abetting tortious conduct.

A representative for Voya declined to comment on the lawsuit.

Follow @Uebey Follow @uebey.bsky.social