Google reports attackers prompt Gemini over 100,000 times in cloning attempts.
100,000 times. That’s how often “commercially motivated” actors prompted Google’s Gemini chatbot in an attempt to clone it, Ars Technica reports.
Key Facts
- Key company: Google
Google’s internal threat‑intelligence team says the most aggressive “model‑extraction” campaign it has seen to date involved more than 100,000 prompts directed at Gemini across a range of non‑English languages. The attackers, described by Google as “commercially motivated” actors, were apparently trying to harvest Gemini’s responses in order to train a cheaper, distilled copy of the model, the company disclosed in a quarterly self‑assessment report [Ars Technica].
The report frames the activity as a form of intellectual‑property theft, noting that the adversaries never accessed Gemini’s source code or training corpus but instead relied on a classic distillation technique. By feeding a target LLM thousands of carefully chosen prompts and collecting the output pairs, a smaller model can be taught to mimic the original’s behavior without incurring the billions of dollars and years of compute that Google invested in Gemini [Ars Technica]. Google’s analysts say the campaign focused especially on the model’s simulated‑reasoning algorithms—those components that let Gemini break down complex problems step by step—suggesting the attackers were after the most valuable part of the system’s “brain.”
Google does not identify the perpetrators, but the report indicates the attacks originated from a global pool of private firms and independent researchers seeking a competitive edge. This mirrors earlier concerns about the industry’s “copy‑cat” culture. In 2023, The Information reported that Google’s Bard team was accused of scraping user‑generated ChatGPT conversations from ShareGPT to augment its own training data, a practice that prompted senior AI researcher Jacob Devlin to resign and join OpenAI [Ars Technica]. Google denied the allegation at the time but reportedly ceased using the external data, underscoring the thin line between legitimate data collection and the kind of reverse‑engineering now evident in the Gemini attacks.
The scale of the Gemini extraction attempt is notable because it demonstrates how inexpensive it can be to approximate a leading LLM. Distillation, as described by Google, allows an attacker to sidestep the massive compute costs of training a model from scratch by leveraging the output of an existing system as a “shortcut.” The resulting copycat may be smaller and less capable, but it can still replicate many of the parent model’s strengths, providing a viable product for niche markets or internal use [Ars Technica]. This efficiency is why the technique has gained traction among “commercially motivated” actors who lack the resources to develop a model on the scale of Gemini.
Google’s response, outlined in the same threat report, includes heightened monitoring of prompt‑injection patterns and tighter enforcement of its terms of service, which explicitly forbid the extraction of model outputs for training purposes. While the company declined to name specific suspects, it warned that the wave of distillation attacks is growing, and that future campaigns may target other high‑value components such as Gemini’s multimodal capabilities. The disclosure serves both as a warning to the broader AI ecosystem and as a subtle reminder that the same data‑scraping practices that helped build today’s LLMs can be turned against them, turning creators into victims of their own technology.
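As an added defender-side illustration, not Google's monitoring logic or any code from the report, the following Python sketch scores API accounts on the traffic traits the article attributes to the campaign: sustained high volume, prompts spread across many languages, near-unique prompts (scripted harvesting rather than a person iterating on one task) and a focus on step-by-step reasoning. The log records, field names and thresholds are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, account_id, detected_language, prompt).
# "acct-harvest" mimics scripted multilingual collection; "acct-human" an ordinary user.
T0 = datetime(2025, 1, 1, 12, 0, 0)
SAMPLE_LOG = [
    (T0 + timedelta(seconds=i * 2), "acct-harvest", ["de", "fr", "ja", "pt"][i % 4],
     f"Explain step by step how to solve problem {i}")
    for i in range(60)
] + [
    (T0 + timedelta(minutes=i * 7), "acct-human", "en",
     ["Draft a polite email", "Draft a polite email", "Summarize this paragraph"][i % 3])
    for i in range(6)
]

# Phrases taken as a rough proxy for prompts soliciting worked reasoning (assumption).
REASONING_MARKERS = ("step by step", "reasoning", "chain of thought")


def account_features(records, window=timedelta(hours=1)):
    """Per account: peak requests in any sliding window, distinct languages,
    unique-prompt ratio and the share of prompts that ask for worked reasoning."""
    by_acct = defaultdict(list)
    for ts, acct, lang, prompt in records:
        by_acct[acct].append((ts, lang, prompt))
    feats = {}
    for acct, rows in by_acct.items():
        rows.sort()
        times = [r[0] for r in rows]
        peak, start = 0, 0
        for end in range(len(times)):  # two-pointer sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        prompts = [r[2] for r in rows]
        feats[acct] = {
            "peak_in_window": peak,
            "languages": len({r[1] for r in rows}),
            "unique_ratio": len(set(prompts)) / len(prompts),
            "reasoning_share": sum(any(m in p.lower() for m in REASONING_MARKERS)
                                   for p in prompts) / len(prompts),
        }
    return feats


def flag_extraction_candidates(records, min_peak=50, min_languages=3, min_unique=0.9):
    """Return accounts matching every signal; thresholds are illustrative and must be tuned."""
    feats = account_features(records)
    return sorted(a for a, f in feats.items()
                  if f["peak_in_window"] >= min_peak and f["languages"] >= min_languages
                  and f["unique_ratio"] >= min_unique)
```

Flagged accounts are candidates for review and rate limiting, not proof of extraction; a legitimate multilingual integration can trip the same signals, so the thresholds belong alongside an allow-list and a human triage step.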
This article was created using AI technology and reviewed by the SectorHQ editorial team for accuracy and quality.