Google Says Attackers Prompted Gemini AI Over 100,000 Times in Cloning Attempts
Google recently revealed that it has been the target of sustained, commercially motivated attacks aimed at replicating its Gemini artificial intelligence chatbot. According to a report published on Thursday, malicious actors repeatedly prompted the AI model – in one instance, more than 100,000 times across multiple non-English languages – to extract information and ostensibly train a competing, lower-cost version. This incident highlights the growing security concerns surrounding large language models (LLMs) and the intellectual property they represent.
The company characterizes this activity as “model extraction,” viewing it as a form of intellectual property theft. This stance, however, is somewhat nuanced given Google’s own history of building its LLMs by scraping vast amounts of data from the internet, often without explicit permission from content creators. The practice of scraping data for AI training has sparked ongoing debate regarding copyright and fair use, and Google’s position reflects the complex legal and ethical landscape surrounding AI development. The incident underscores the challenges of protecting proprietary AI technology in an era of increasingly sophisticated adversarial tactics.
Google’s concerns about imitation aren’t new. In 2023, reports surfaced alleging that Google’s Bard team – the predecessor to Gemini – had utilized outputs from ChatGPT, specifically conversations shared on the ShareGPT platform, to refine its own chatbot. According to The Information, Jacob Devlin, a senior Google AI researcher and creator of the BERT language model, raised concerns that this practice violated OpenAI’s terms of service before resigning and subsequently joining OpenAI. Google denied the allegations but reportedly ceased using the data in question. This past incident demonstrates that the temptation to leverage existing AI models for training purposes exists on both sides of the competitive landscape.
Understanding Model Extraction and ‘Distillation’
The technique employed by the attackers falls under a broader practice known as “distillation” within the AI community. Distillation involves using a pre-trained, powerful LLM – like Gemini – to generate training data for a smaller, more efficient model. As Microsoft explains in a technical blog post, this allows developers to create models that perform well without requiring the immense computational resources and data needed to train a large language model from scratch. Essentially, it’s a shortcut to building AI capabilities, but one that raises significant intellectual property concerns when applied to proprietary models.
Google’s terms of service explicitly prohibit the extraction of data from its AI models, and the company views these attacks as a violation of those terms. The company believes the perpetrators are primarily private companies and researchers seeking a competitive advantage. While Google has not publicly identified the actors involved, it states that the attacks originated from various locations around the globe. The scale of the attempted extraction – the 100,000+ prompts in a single session – suggests a coordinated and determined effort to replicate Gemini’s capabilities.
The incident highlights the vulnerability of LLMs to such attacks. While safeguards can be implemented to detect and prevent malicious prompting, the sheer volume and sophistication of potential attacks pose a continuous challenge. Google’s report serves as a warning to the AI industry about the need for robust security measures to protect intellectual property and maintain the integrity of these powerful technologies.
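One way a provider could surface the pattern described above (very high prompt volume from one client, spread across several non-English languages) is a sliding-window check over API request logs. This is an added example, not taken from Google's report; the record layout, thresholds, and sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque

def flag_extraction_candidates(records, window_s=3600, max_prompts=1000, min_langs=3):
    """Flag API keys whose prompt count inside any sliding window exceeds
    max_prompts while spanning at least min_langs non-English languages.
    records: iterable of (api_key, epoch_seconds, language_code).
    Returns {api_key: (peak_window_count, languages_in_last_flagged_window)}."""
    windows = defaultdict(deque)        # api_key -> (ts, lang) still in window
    lang_counts = defaultdict(Counter)  # api_key -> per-language counts in window
    flagged = {}
    for key, ts, lang in sorted(records, key=lambda r: r[1]):
        win, counts = windows[key], lang_counts[key]
        win.append((ts, lang))
        counts[lang] += 1
        # Evict requests that have aged out of the window.
        while ts - win[0][0] > window_s:
            _, old = win.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        langs = sorted(l for l in counts if l != "en")
        # Volume alone is common for legitimate bulk users; require both signals.
        if len(win) > max_prompts and len(langs) >= min_langs:
            peak = max(len(win), flagged.get(key, (0, ()))[0])
            flagged[key] = (peak, tuple(langs))
    return flagged

def build_sample():
    """Constructed log records (not real traffic): one bulk multilingual client,
    one busy English-only app, one low-volume multilingual user."""
    t0, recs = 1_700_000_000, []
    for i in range(1500):
        recs.append(("key-bulk", t0 + i, ["ja", "ko", "vi", "id"][i % 4]))
    for i in range(200):
        recs.append(("key-app", t0 + i * 18, "en"))
    for i in range(50):
        recs.append(("key-multi", t0 + i * 60, ["de", "fr", "es", "pt", "it"][i % 5]))
    return recs

if __name__ == "__main__":
    for key, (peak, langs) in flag_extraction_candidates(build_sample()).items():
        print(f"{key}: peak {peak} prompts/hour across {', '.join(langs)}")
```

A hit here is a triage signal for review or rate limiting, not proof of extraction; the thresholds need tuning against the provider's legitimate high-volume customers.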
Gemini’s Evolution and Current Capabilities
Gemini, initially launched as Bard in March 2023, has undergone significant development since its inception. According to Wikipedia, the chatbot was rebranded as Gemini in February 2024 and is now powered by a family of large language models. As of February 23, 2026, Google offers several Gemini models, including 3.1 Pro (released February 19, 2026), 3 Deep Think (February 12, 2026), and 3 Flash (December 17, 2025). Earlier models, such as 2.5 Flash-Lite (September 25, 2025), iOS 1.2025.325080 (August 20, 2025), and Android 1.0 (August 15, 2025), are also available.
The Gemini architecture is designed to process and generate various data types – text, code, images, audio, and video – simultaneously. Google distributes the technology in different configurations, ranging from efficient on-device versions (“Nano”) to high-compute models (“Pro” and “Ultra”) designed for complex reasoning. The 1.5 and 3 model generations have introduced extended context windows, enabling the analysis of large datasets, such as entire codebases or lengthy videos, within a single prompt. This expanded capacity significantly enhances Gemini’s ability to handle complex tasks and provide more comprehensive responses.
Beyond its core chatbot functionality, Gemini offers a range of features, including custom soundtrack creation, video generation, and integration with Google Search. As detailed on the official Gemini website, users can now create custom music tracks based on descriptions, generate 8-second videos from text prompts, and leverage Gemini’s search capabilities to answer complex questions. The platform also supports image generation with the Nano Banana model and offers a live conversation mode for brainstorming and collaborative work. Gemini also integrates with other Google services like Gmail, Calendar, Maps, YouTube, and Photos, streamlining workflows and enhancing user productivity.
The Broader Implications for AI Security
Google’s disclosure of these attempted cloning efforts underscores the escalating security risks facing the AI industry. As LLMs become increasingly powerful and integrated into critical infrastructure, protecting them from malicious actors is paramount. The incident raises questions about the effectiveness of current security measures and the need for more robust defenses against model extraction attacks. The potential consequences of successful model cloning extend beyond intellectual property theft; a compromised model could be used to generate misinformation, create malicious code, or facilitate other harmful activities.
The challenge lies in balancing the need for security with the open-source nature of much of the AI research community. While restricting access to models entirely could stifle innovation, leaving them vulnerable to exploitation poses significant risks. Developing new techniques for detecting and preventing model extraction, such as watermarking or adversarial training, will be crucial in mitigating these threats. Establishing clear legal frameworks and international agreements regarding AI intellectual property rights will be essential to deter malicious actors and protect the integrity of the AI ecosystem.
The ongoing cat-and-mouse game between AI developers and attackers is likely to intensify as LLMs continue to evolve. Google’s proactive disclosure of these attacks serves as a valuable lesson for the industry, highlighting the importance of vigilance, collaboration, and continuous investment in AI security.
Key Takeaways:
- Google has revealed attempts to clone its Gemini AI chatbot through extensive prompting.
- The practice, known as “model extraction” or “distillation,” involves using a powerful LLM to train a cheaper, competing model.
- Google views this as intellectual property theft, but its own AI development has relied on internet scraping.
- The incident underscores the growing security risks facing the AI industry and the need for robust defenses.
- Gemini continues to evolve with new models and features, integrating with other Google services.
Google is expected to provide further updates on its AI security measures in its next quarterly threat assessment. The company encourages researchers and developers to report any potential vulnerabilities they discover.