
Hackers Flooded Gemini With 100,000 Prompts to Steal Google’s AI

Someone just tried to clone Google’s AI model. And their method was surprisingly simple.

Hackers bombarded Gemini with over 100,000 carefully crafted prompts. Their goal? Extract enough information to replicate Google’s technology. This type of attack, called “distillation,” represents a new front in the global AI arms race.

Google just published a Threat Tracker report detailing these attempts. Moreover, the company warns that this problem extends far beyond one incident. In fact, AI theft is becoming an industry-wide crisis that most companies aren’t prepared to handle.

How AI Distillation Attacks Actually Work

Think of it like reverse engineering through conversation. Hackers don’t need to breach servers or steal code. Instead, they systematically probe an AI model with thousands of targeted questions.

Each prompt reveals a bit about how the model thinks. After enough interactions, patterns emerge. Plus, those patterns contain enough information to train a copycat model.

Google calls these “model extraction attacks.” The process exploits legitimate access to systematically steal intellectual property. So any company offering public AI interfaces faces this risk.

Here’s what makes it dangerous. Traditional security measures don’t catch these attacks. They look like normal user activity, just at an extremely high volume.

The attackers send prompts designed to expose training data. They probe edge cases to understand decision-making logic. Then they use those insights to build competing models without doing the expensive research and development work.

North Korea, Russia, and China Lead the Charge

Google’s threat intelligence team identified attacks coming from adversaries in North Korea, Russia, and China. These aren’t random hackers. They’re state-backed operations with specific goals.

Why target AI models? Because building advanced AI from scratch costs millions. Stealing one costs far less. Plus, cloning Western AI technology helps rival nations close the AI capability gap quickly.

North Korean operatives appear focused on acquiring technology they can’t develop domestically. Meanwhile, Chinese groups aim to replicate models and adapt them for Mandarin-speaking users. Russian attacks target military and intelligence applications.

John Hultquist, chief analyst for Google’s Threat Intelligence Group, told NBC News that Google likely serves as “the canary in the coal mine.” In other words, if hackers target Google’s AI this aggressively, they’re probably hitting everyone else too.


Most companies won’t detect these attacks. They lack Google’s sophisticated monitoring systems. So the real scope of AI theft remains unknown. That’s what makes this threat particularly troubling.

The Bigger Picture: AI Espionage Is Accelerating

This isn’t an isolated incident. It’s part of a broader pattern of AI-focused cyberattacks that Google has tracked over recent months.

The timing matters. Competition in AI has intensified dramatically since late 2024. Chinese companies like ByteDance launched advanced video generation tools that rival American technology. Then DeepSeek rattled the industry with a model that matched top-tier performance at a fraction of the development cost.

OpenAI later accused DeepSeek of training its AI using existing technology in suspicious ways. Those allegations sound remarkably similar to the distillation attacks Google now reports. So the dots connect pretty clearly.

Here’s the uncomfortable truth. The AI industry runs on intellectual property that’s incredibly difficult to protect. Unlike physical products, AI models exist as data and algorithms. Once someone extracts that information through enough prompts, they own a functional copy.

Plus, international law hasn’t caught up to this reality. No clear framework exists for prosecuting AI theft across borders. That creates a lawless environment where sophisticated adversaries operate with minimal consequences.

Who’s Really at Risk Here

Google emphasizes that these attacks don’t threaten Gemini users. Your data and conversations remain secure. Instead, the targets are service providers and model builders.

Any company developing AI faces this vulnerability. That includes startups building specialized models and enterprises training custom AI for internal use. If you expose your model through an API or chat interface, someone can systematically probe it.

Smaller companies face the highest risk. They lack resources for advanced threat detection. Moreover, they often prioritize speed to market over security hardening. That makes them softer targets than giants like Google.

Think about healthcare AI analyzing medical images. Or financial models predicting market movements. If adversaries clone these systems, they gain competitive advantages in critical sectors. The implications extend far beyond tech industry rivalries.

No Easy Defense Exists Yet

Traditional cybersecurity approaches don’t solve this problem. You can’t simply firewall away someone asking your AI legitimate questions. Plus, distinguishing between normal heavy users and extraction attempts is incredibly difficult.


Google hasn’t disclosed specific countermeasures it’s deploying. That makes sense. Broadcasting your defenses helps attackers adapt around them. But the company’s decision to publish this report signals genuine concern about industry-wide vulnerability.

Rate limiting helps but isn’t foolproof. Attackers can spread queries across many accounts and IP addresses. Moreover, aggressive rate limits hurt legitimate users. Finding the right balance proves tricky.
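The two points above (extraction traffic looks like ordinary usage at very high volume, and per-account rate limits are sidestepped by spreading queries across accounts and IPs) can be made concrete with a small log analysis. The following is an added example written for this article; it is not Google’s code and nothing from the Threat Tracker report. The log lines, account names, IP addresses and thresholds are all constructed. It pairs a plain per-account rate check with a second check that groups requests by prompt template across accounts, which is what catches the distributed case the paragraph describes.

```python
"""Flag distillation-style probing in an LLM API access log (illustrative)."""
import re
from collections import defaultdict

# Constructed thresholds; a real deployment would tune these to its traffic.
PER_ACCOUNT_LIMIT = 10    # requests per account per window
WINDOW_SECONDS = 60
MIN_ACCOUNTS = 3          # distinct accounts sharing a template before alerting
MIN_TEMPLATE_HITS = 10    # total requests on that template in one window

# Constructed sample log: (unix_ts, account_id, source_ip, prompt).
SAMPLE_LOG = [
    # An ordinary user: few, varied requests.
    (0, "alice", "198.51.100.7", "What is the capital of France?"),
    (20, "alice", "198.51.100.7", "Write a haiku about autumn."),
    (45, "alice", "198.51.100.7", "Summarize: 'The meeting moved to Tuesday.'"),
] + [
    # One noisy account: a single template, well above the per-account limit.
    (2 * i, "bulk01", "203.0.113.9", f"Give the probability that input #{i} is spam.")
    for i in range(12)
] + [
    # Distributed probing: three accounts, each under the per-account limit,
    # all hammering the same template with different payloads.
    (5 * i + k, acct, ip, f'Label the sentiment of the review "{w}" as positive or negative.')
    for k, (acct, ip) in enumerate([("acct_a", "192.0.2.10"),
                                    ("acct_b", "192.0.2.11"),
                                    ("acct_c", "192.0.2.12")])
    for i, w in enumerate(["fine", "awful", "great", "meh"])
]


def normalize_prompt(prompt: str) -> str:
    """Reduce a prompt to a template so near-duplicate probes group together."""
    t = prompt.lower()
    t = re.sub(r'"[^"]*"|\'[^\']*\'', "<str>", t)  # quoted payloads vary per probe
    t = re.sub(r"\d+", "<num>", t)                  # indices and counters vary too
    return re.sub(r"\s+", " ", t).strip()


def per_account_violations(log):
    """Accounts whose request count exceeds PER_ACCOUNT_LIMIT in any window.

    Returns {account: highest count seen in a single window}.
    """
    counts = defaultdict(int)
    for ts, acct, _ip, _prompt in log:
        counts[(acct, ts // WINDOW_SECONDS)] += 1
    worst = defaultdict(int)
    for (acct, _window), n in counts.items():
        worst[acct] = max(worst[acct], n)
    return {a: n for a, n in worst.items() if n > PER_ACCOUNT_LIMIT}


def cross_account_templates(log):
    """Templates driven by MIN_ACCOUNTS+ distinct accounts with MIN_TEMPLATE_HITS+
    total requests inside one window. This is what per-account limits miss.

    Returns {template: (sorted account list, total requests)}.
    """
    hits = defaultdict(list)  # (template, window) -> [account, ...]
    for ts, acct, _ip, prompt in log:
        hits[(normalize_prompt(prompt), ts // WINDOW_SECONDS)].append(acct)
    flagged = {}
    for (template, _window), accts in hits.items():
        distinct = set(accts)
        if len(distinct) >= MIN_ACCOUNTS and len(accts) >= MIN_TEMPLATE_HITS:
            flagged[template] = (sorted(distinct), len(accts))
    return flagged


def detect(log):
    """Run both checks and return the combined findings."""
    return {
        "rate_limited": per_account_violations(log),
        "distributed_probing": cross_account_templates(log),
    }


if __name__ == "__main__":
    for kind, findings in detect(SAMPLE_LOG).items():
        print(kind, findings)
```

On the sample log the rate check catches only `bulk01`; the three `acct_*` accounts each stay under the limit and are surfaced only by the template check. The normalization is deliberately crude (quoted strings and numbers collapsed), and it will not group probes that rephrase the same question, but it demonstrates the shape of a detection that looks across accounts rather than at each one in isolation, which is the gap the paragraph points at.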

Some researchers suggest watermarking AI outputs to track cloning attempts. Others propose intentionally poisoning responses to sabotage extraction efforts. But these solutions remain experimental. And they introduce new problems around model reliability.

The AI industry needs coordinated response strategies. Individual companies can’t solve this alone. Yet no industry-wide standards exist for detecting or preventing distillation attacks.

What This Means for the AI Race

AI development just got more complicated. Companies must now defend their models against systematic theft while maintaining accessible services. That tension creates difficult tradeoffs.

Expect more closed-source models as companies tighten access. The era of freely available AI interfaces may be ending. Instead, rigorous authentication and usage monitoring will become standard. Plus, that adds friction for developers and researchers.

The geopolitical stakes keep rising. AI capabilities increasingly determine national competitiveness. When adversaries steal models this brazenly, it accelerates their programs while undermining Western AI leadership. So this isn’t just a corporate problem. It’s a national security issue.

Meanwhile, the pace of AI advancement shows no signs of slowing. New models emerge monthly with capabilities that seemed impossible a year ago. Each one becomes a potential target for extraction attacks. The vulnerability scales with progress.

The Industry Needs to Wake Up

Google’s report serves as a wake-up call. AI theft is happening now, at scale, from sophisticated adversaries. And most companies probably don’t realize they’re targets.

If you’re building or deploying AI models, assume someone is trying to clone them. Monitor for unusual usage patterns. Implement robust authentication. Share threat intelligence with peers. Because the next distillation attack might target your technology.

The AI revolution brings incredible opportunities. But it also creates new vulnerabilities that traditional security practices don’t address. We’re still figuring out how to defend this frontier.

One thing is certain. The war over AI intellectual property has moved from theoretical concern to active combat. And the hackers are already adapting their tactics faster than defenses can evolve.
