Google has disclosed that its artificial intelligence chatbot, Gemini, was targeted in a large-scale attempt to copy how the system works. The company said attackers sent more than 100,000 prompts to Gemini as part of what is known as a model extraction or distillation attack.
The activity was identified by Google’s Threat Intelligence Group and detailed in a recent security report. According to the company, the effort was aimed at studying Gemini’s responses in order to replicate its internal behavior. Google described the attempt as a violation of its policies and characterized it as intellectual property theft.
The company confirmed that its internal systems were not breached and that no user data was exposed during the incident.
More Than 100,000 Prompts Sent to Gemini
Gemini is one of Google’s advanced AI systems designed to understand and respond to natural language. It is used for answering questions, generating text, assisting with research, and supporting various digital tasks.
In this case, Google detected unusual activity involving over 100,000 carefully structured prompts directed at Gemini. These prompts were not typical user questions. Instead, they were designed to test the model’s reasoning, language understanding, and response patterns across a wide range of scenarios.
Google services falter in dozens of countries; Iran-linked Iraqi hackers claim responsibility
By sending a very large number of prompts and collecting the responses, attackers can analyze how the AI behaves. Over time, this data can help them build a separate system that mimics the original model’s outputs.
Google said the accounts responsible for the activity were identified and blocked. The company emphasized that the attack relied on legitimate access to the system rather than exploiting a technical vulnerability. In other words, the attackers used normal channels available to users but in an abnormal and coordinated way.
The company stated that such large-scale automated querying violates its terms of service. Because advanced AI models require significant investment to develop and train, attempts to replicate them without authorization are treated as intellectual property violations.
What a Model Extraction Attack Means
A model extraction attack does not involve stealing source code or directly copying internal files. Instead, it involves repeatedly interacting with an AI system to learn how it responds in different situations.
Artificial intelligence models like Gemini are trained on vast amounts of data using powerful computing systems. The final model contains complex patterns that determine how it answers questions. These patterns are considered proprietary and are central to the system’s value.
macSync malware spreads through Google ads, exposing over 15,000 Mac users
In a distillation attack, attackers send carefully crafted prompts that test specific capabilities. They may vary the wording, context, or complexity of questions to observe how the model adapts. By recording and analyzing thousands of responses, they attempt to approximate the decision-making process of the original model.
Google said that the scale of this activity—exceeding 100,000 prompts—indicated a coordinated effort rather than casual experimentation. The company’s monitoring systems flagged the unusual behavior and allowed security teams to intervene.
According to Google, no evidence suggests that confidential user information or internal infrastructure was compromised. The focus of the activity was on studying the AI model’s external behavior.
Intellectual Property and AI Security Concerns
Google described the incident as intellectual property theft because the core value of Gemini lies in its trained architecture and response behavior. Developing such systems requires extensive research, specialized talent, and substantial computing resources.
The company noted that as AI systems become more advanced and commercially important, they are increasingly targeted through nontraditional methods. Instead of attempting to break into secure networks, attackers may try to replicate model capabilities by analyzing outputs at scale.
Fraud tourists used A1 to fake records in $3.5 million Medicaid housing scam
The Threat Intelligence Group stated that Google continues to strengthen safeguards designed to detect and limit abusive automated querying. These safeguards include monitoring usage patterns and enforcing platform policies.
Google’s disclosure highlights the growing challenge of protecting large language models from misuse while still allowing legitimate public access. The Gemini case demonstrates how model extraction attempts can occur through ordinary interfaces when used in coordinated and excessive ways.
The company reiterated that user data remained secure throughout the incident and that the activity was stopped once detected.
