In what may be the most audacious documented attempt at AI model theft to date, Google has disclosed that attackers bombarded its Gemini artificial intelligence system with more than 100,000 prompts in a systematic effort to extract enough information to effectively clone the model. The revelation, buried within Google’s latest Threat Intelligence report, underscores a rapidly escalating arms race between AI developers and adversaries who seek to steal the intellectual property embedded in these multibillion-dollar systems.
The attack, detailed by Ars Technica, represents a technique known in the AI security community as “model extraction” or “model stealing.” Rather than hacking into Google’s servers or stealing source code, the attackers used the model’s own interface against it — submitting a relentless barrage of carefully crafted queries designed to map Gemini’s internal decision-making patterns, weights, and behaviors. The goal: to reconstruct a functional replica of the model without ever accessing its underlying architecture directly.
A New Breed of Intellectual Property Theft That Exploits AI’s Own Openness
Model extraction attacks exploit a fundamental tension in the AI industry. Companies like Google, OpenAI, and Anthropic spend hundreds of millions — and in some cases billions — of dollars training their flagship models. These systems represent enormous concentrations of intellectual property, from proprietary training data curation to novel architectural decisions and fine-tuning methodologies. Yet to monetize these investments, companies must make the models accessible through APIs and consumer-facing products, creating an inherent vulnerability.
The mechanics of the attack are deceptively simple in concept but extraordinarily labor-intensive in execution. By submitting over 100,000 prompts and meticulously analyzing Gemini’s responses, attackers can begin to infer the statistical relationships and parameters that define the model’s behavior. Each response provides a tiny window into the model’s internal logic. Aggregated at scale, these windows can theoretically be used to train a “surrogate” model that approximates the original’s capabilities — a process sometimes called “distillation” when done legitimately, but which becomes theft when performed without authorization.
Google’s Threat Intelligence Team Sounds the Alarm on Systematic Exploitation
According to the Google Threat Intelligence report, as covered by Ars Technica, the company’s security teams detected and tracked the extraction campaign as part of broader monitoring of adversarial activity targeting its AI systems. Google did not publicly identify the attackers or attribute the campaign to a specific nation-state or criminal organization, though the scale and sophistication of the effort suggest it was not the work of casual hobbyists.
The 100,000-prompt threshold is significant. Academic research on model extraction has shown that the fidelity of a stolen model improves dramatically with the volume of query-response pairs available to the attacker. A 2020 paper from researchers at the University of Wisconsin-Madison and other institutions demonstrated that with sufficient queries, attackers could replicate the functionality of machine learning models with alarming accuracy. The sheer volume of prompts directed at Gemini suggests the attackers were well-versed in this literature and were making a serious, resource-intensive attempt at replication.
The Economics of Model Theft: Why Cloning a Frontier AI System Is Worth the Effort
To understand why someone would invest the resources required for a 100,000-prompt extraction campaign, consider the economics. Training a frontier AI model from scratch can cost upward of $100 million to $1 billion when accounting for compute, data acquisition, and engineering talent. Google’s Gemini, which competes directly with OpenAI’s GPT series and Anthropic’s Claude, represents one of the most capable AI systems in the world. A successful clone — even an imperfect one — could be worth enormous sums on the black market, to a rival corporation, or to a nation-state seeking to leapfrog its own AI development programs.
The threat is not merely theoretical. In recent years, there have been multiple high-profile cases of AI-related intellectual property theft. In 2024, a former Google engineer was charged with stealing trade secrets related to the company’s AI technology and transferring them to Chinese companies. The U.S. Department of Justice has increasingly prioritized AI-related espionage cases, reflecting the strategic importance of these technologies. The model extraction attack on Gemini represents a different vector — one that doesn’t require an insider — but the motivation is the same: acquiring capabilities that cost billions to develop, for a fraction of the price.
Defensive Measures and the Cat-and-Mouse Game of AI Security
Google and other major AI companies have been investing heavily in defenses against model extraction. These include rate limiting (restricting the number of queries a single user can make), output perturbation (adding small amounts of noise to responses to make extraction less precise), watermarking (embedding hidden signatures in model outputs that can prove provenance), and behavioral analysis (using machine learning to detect patterns of queries that resemble extraction attempts).
The fact that Google detected the 100,000-prompt campaign suggests that at least some of these defensive mechanisms are working — or at minimum, that the company’s monitoring capabilities are sufficiently advanced to identify suspicious activity at scale. However, detection and prevention are two different things. It remains unclear from the public disclosures how many of the 100,000 prompts were successfully answered before the campaign was identified and shut down, and whether the attackers obtained enough data to construct a useful surrogate model.
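As an added example (not code from Google's report or from this article), the Python below combines two of the defenses listed above: a per-account volume budget over a sliding 24-hour window and a simple behavioral signal that measures how many of an account's prompts share one template. The thresholds, account names, log format and the `skeleton` and `score_accounts` helpers are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Illustrative thresholds (assumptions, not values from Google's report).
DAILY_BUDGET = 500     # prompts allowed per account in any 24 h window
TEMPLATE_SHARE = 0.8   # fraction of prompts sharing one skeleton
MIN_SAMPLE = 20        # do not judge templating on tiny samples

def skeleton(prompt):
    """Collapse variable parts so machine-generated prompt families match."""
    s = re.sub(r'"[^"]*"', "<q>", prompt.lower())   # quoted payloads
    s = re.sub(r"\d+", "<n>", s)                    # numbers / ids
    return re.sub(r"\s+", " ", s).strip()

def score_accounts(events, window_s=86400):
    """events: (account, unix_ts, prompt) tuples, time-ordered per account.
    Returns {account: set of tripped signals}."""
    per_account = defaultdict(list)
    for account, ts, prompt in events:
        per_account[account].append((ts, prompt))
    findings = {}
    for account, rows in per_account.items():
        reasons, start, peak = set(), 0, 0
        for end in range(len(rows)):                 # sliding 24 h window
            while rows[end][0] - rows[start][0] >= window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > DAILY_BUDGET:
            reasons.add("volume")
        if len(rows) >= MIN_SAMPLE:
            top = Counter(skeleton(p) for _, p in rows).most_common(1)[0][1]
            if top / len(rows) >= TEMPLATE_SHARE:
                reasons.add("templated")
        if reasons:
            findings[account] = reasons
    return findings

def sample_events():
    """Constructed log for the demo; not real traffic."""
    ev = [("acct-bulk", 60 * i, f'Rate the sentiment of review {i}: "text {i}"')
          for i in range(600)]
    ev += [("acct-app", 3600 * i, f"Summarize support ticket {i}") for i in range(40)]
    verbs = ["explain", "compare", "draft", "translate", "debug"]
    nouns = ["tls", "dns", "sql", "yaml", "regex"]
    ev += [("acct-human", 7200 * (5 * a + b), f"{v} {n}")
           for a, v in enumerate(verbs) for b, n in enumerate(nouns)]
    return ev

if __name__ == "__main__":
    for account, reasons in sorted(score_accounts(sample_events()).items()):
        print(account, sorted(reasons))
```

On the constructed log, acct-bulk trips both signals, acct-app (a templated but low-volume integration) trips only the templating signal, and acct-human trips neither. A templated product integration looks like automation on one signal alone, so the example reports each signal separately instead of returning a single verdict.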
Industry-Wide Implications as AI Companies Race to Protect Their Crown Jewels
The Gemini extraction attempt has implications far beyond Google. Every company offering AI models through APIs — from OpenAI to Anthropic to Mistral to Meta — faces the same fundamental vulnerability. The more capable and valuable a model becomes, the greater the incentive for adversaries to attempt extraction. This creates a paradox: the most successful AI companies are also the most attractive targets.
The incident also raises difficult questions about the boundary between legitimate and illegitimate use of AI systems. Researchers routinely probe AI models with large numbers of queries for academic purposes, including safety testing and bias detection. Companies that build products on top of AI APIs may inadvertently generate query patterns that resemble extraction attempts. Drawing a clear line between authorized research, normal commercial use, and malicious extraction is a challenge that the industry has yet to fully resolve.
The Regulatory and Legal Frontier for AI Model Protection
From a legal perspective, model extraction occupies a gray area. Traditional intellectual property frameworks — patents, copyrights, trade secrets — were not designed with AI model parameters in mind. While the trained weights of a neural network arguably constitute trade secrets, proving that a competitor’s model was derived from unauthorized extraction rather than independent development is extraordinarily difficult. The AI industry is increasingly lobbying for updated legal frameworks that explicitly address model theft, but legislation has been slow to materialize.
In the European Union, the AI Act includes provisions related to transparency and documentation that could indirectly help companies prove the provenance of their models. In the United States, existing trade secret law under the Defend Trade Secrets Act provides some protection, but enforcement against sophisticated international actors remains challenging. The Google case could become a catalyst for more aggressive legislative action if policymakers recognize the national security dimensions of AI model theft.
What Comes Next in the Battle to Secure AI’s Most Valuable Assets
The disclosure of the Gemini extraction campaign marks a turning point in how the AI industry thinks about security. For years, the primary concerns around AI safety focused on misuse of model outputs — generating misinformation, enabling cyberattacks, or producing harmful content. The Google revelation shifts attention to a different but equally critical threat: the theft of the models themselves.
As AI systems become increasingly central to economic competitiveness and national security, the stakes of model protection will only grow. Google’s willingness to publicly disclose the scale of the attack on Gemini — over 100,000 prompts, a staggering volume of adversarial activity — serves as both a warning to the industry and a signal that the company takes the threat seriously. For competitors, researchers, and policymakers alike, the message is clear: the next great battle in AI may not be about who can build the best model, but about who can keep their model from being stolen.


WebProNews is an iEntry Publication