Google Gemini Hit with 100,000+ Prompts in Sophisticated AI Cloning Attack by Commercial Actors

Google disclosed Thursday that its flagship AI chatbot Gemini has faced sustained "distillation attacks" from commercially motivated actors attempting to clone its capabilities through repeated prompting at massive scale, with one campaign submitting more than 100,000 queries before detection.

The attacks represent what Google calls "model extraction"—systematic attempts to reverse-engineer the patterns, logic, and algorithms that power Gemini by flooding it with carefully crafted questions designed to reveal its inner workings. The company believes attackers are primarily private companies and researchers seeking competitive advantages in the intensifying AI arms race.

Distillation attacks involve submitting thousands or tens of thousands of prompts to an AI system to understand how it processes information and generates responses. By analyzing patterns across massive query volumes, attackers can potentially recreate key aspects of a model's reasoning capabilities without the billion-dollar training costs major AI labs incur.

Many attacks specifically targeted Gemini's reasoning algorithms—the mechanisms that determine how the model processes information and decides on responses. This represents the most valuable intellectual property in large language models, as reasoning capabilities distinguish advanced AI systems from simpler ones.

Google described the activity as intellectual property theft. Tech companies have invested billions developing their AI chatbots and consider their model architectures and training methods extremely valuable proprietary information worth protecting aggressively.

Google identified the 100,000-prompt campaign and adjusted Gemini's systems to better protect against future attacks. However, the company acknowledged that major large language models remain inherently vulnerable to distillation because they're openly accessible to anyone on the internet.

John Hultquist, chief analyst of Google's Threat Intelligence Group, warned that if distillation attacks are happening at scale against Google's well-defended systems, they're likely targeting smaller companies' custom AI tools as well. "We're going to be the canary in the coal mine for far more incidents," Hultquist said.

While Google believes the attacks originated from around the world, the company declined to name specific suspects or provide geographic details. A Google spokesperson confirmed the attacks came from multiple sources but would not elaborate on attribution.

The disclosure follows similar concerns raised by other AI leaders. OpenAI accused Chinese rival DeepSeek last year of conducting distillation attacks to improve its models, highlighting how model extraction has become a standard competitive tactic in the AI industry.

The threat extends beyond consumer-facing chatbots to custom enterprise AI systems trained on proprietary data. Companies building AI models trained on sensitive information—such as trading strategies, customer data, or internal processes—face similar vulnerabilities.

"Let's say your LLM has been trained on 100 years of secret thinking of the way you trade. Theoretically, you could distill some of that," Hultquist explained, illustrating the risks for financial services and other industries deploying custom AI.

The scale of attacks against Gemini confirms that AI intellectual property theft has evolved from theoretical concern to active operational threat. Even though major AI companies have detection mechanisms and blocking capabilities, the open nature of internet-accessible AI systems creates inherent vulnerabilities.

As the AI industry matures and more companies deploy custom models, distillation attacks will likely proliferate. Organizations must balance accessibility for legitimate users against protection from systematic extraction attempts, creating new challenges for AI security and intellectual property protection in an increasingly competitive landscape where model capabilities represent billion-dollar advantages.