Google Uncovers Hackers Using Thousands of AI Prompts to Imitate Gemini

Google uncovers hackers using thousands of AI prompts to imitate Gemini, revealing new cyber threats and AI exploitation techniques.


Imagine discovering that the same artificial intelligence system helping your team fight fraud is also quietly being probed by hackers thousands of times a day, trying to build a cheaper copy. That is exactly what Google just uncovered around Gemini, and the details read like a handbook for the next generation of cybercrime.

How hackers tried to imitate Google Gemini with AI prompts

Google’s Threat Intelligence Group recently described a campaign where adversaries hammered Gemini with more than 100,000 AI prompts. Their objective was not a quick data breach or one-off exploit. They wanted to imitate the model’s behaviour closely enough to reconstruct a competing system at a fraction of the development cost.

Google classifies this pattern as a model extraction or distillation attack. Attackers start from legitimate access to the service, just like an ordinary developer or enterprise user. They then automate requests, sending systematically designed prompts to map how Gemini responds in varied scenarios. Over time, this produces a rich behavioural blueprint that can train a clone.


From single experiment to industrial-scale probing

Early experiments in this field involved tens or hundreds of queries, mostly in academic settings. The Gemini incident shows how quickly this has escalated. According to reports echoed by sources such as CNET’s coverage of the cloning attempts, attackers in one case pushed beyond the 100,000-prompt mark before countermeasures kicked in.

Each prompt in such a campaign is carefully scripted. Instead of asking a generic question, the adversary breaks complex tasks into small steps, queries the model for each step, and then records not only the answer but the reasoning style implied. Over thousands of rounds, they approximate Gemini’s decision boundaries, tone, and problem-solving patterns with surprising fidelity.

A tale of two teams: the defender and the imitator

Consider a fictional payment startup, NovaPay, that relies on Gemini-style models to filter fraudulent transactions. NovaPay’s security team assumes its model’s value lies mainly in its code and private training data. The Gemini episode reveals that behaviour exposed through an API can also be copied if rate limits, anomaly detection, and usage review are too weak.

On the other side, picture an adversarial team working in a low-regulation environment. Instead of investing heavily in data collection, they rent access to a commercial model and launch a distillation pipeline. Their clone will not match Gemini exactly, but it can become “good enough” for malware development, phishing content generation, or disinformation campaigns, built on stolen insight rather than stolen data.

Who is behind the attacks and what they are seeking

Google’s analysts link these activities to actors operating from North Korea, Russia, China, and other jurisdictions already active in cybersecurity incident reports. The motivation appears mixed: some attackers pursue commercial gain, others strategic influence, and a few combine both by selling cloned artificial intelligence systems to aligned organisations.

The Gemini case is not an isolated anomaly. Google’s own threat-tracking work, also described in its ongoing reporting on AI tool misuse, suggests many state-backed groups now incorporate generative models at every stage of an operation. They use AI prompts for reconnaissance, exploit development, phishing copy, and even for testing malware against defensive tools.

Why AI intellectual property is becoming a prime target

For a decade, sensitive databases were the crown jewels of a data breach. Training data still matters, but the competitive value has shifted toward tuned model weights and proprietary reasoning strategies. When Google warns that Gemini is being targeted for its intellectual property, it signals that models themselves are becoming strategic infrastructure.

Commercial adversaries see a shortcut: instead of assembling massive datasets and paying for compute, they treat mature systems as oracles. Each response from Gemini becomes a labelled data point. Given enough coverage across languages and domains, the imitator gets a training corpus that would otherwise cost millions in acquisition and annotation.

The geopolitical edge of cloned AI models

In parallel, governments racing to build national champions in artificial intelligence see another incentive. Reports about companies such as DeepSeek in China, or video-generation platforms from ByteDance, already stirred debate about training sources and compliance with Western IP rules. When Google connects Gemini probing to adversaries in rival states, this competition gains a sharper security dimension.

A cloned Gemini-like model can be tuned for local languages, propaganda narratives, or information control. It can generate convincing phishing campaigns targeting foreign institutions, while also powering domestic monitoring tools. The same imitation that lowers barriers for innovation can therefore also lower barriers for surveillance and influence operations.

From AI prompts to real cyberattacks: phishing, malware and fraud

The story does not stop at imitation. Once attackers gain a capable text or code generator, they begin folding it into practical operations. Google’s own threat reports describe Gemini and similar systems being used to craft more persuasive phishing lures, debug exploit code, and test payloads against common defensive stacks.

For a group targeting finance, for instance, an AI system can generate tailored emails referencing local regulations, company structures, or internal jargon scraped from earlier leaks. Each message appears written by a fluent insider. When a victim clicks a seemingly routine link, the chain progresses toward malware delivery or credential theft with fewer obvious red flags.

How AI reshapes the economics of cybercrime

Historically, sophisticated attacks required a blend of technical skill and linguistic nuance. An operation required coders, native speakers, social engineers, and infrastructure specialists. With generative AI, some of those roles compress into a prompt engineer supported by an automated assistant that never tires and scales linearly with compute.

Analyses such as Forbes’ coverage of AI-powered cybercrime emphasise this trend: AI brings industrial discipline to criminal workflows. Attack kits get updated faster, phishing templates adapt to new brands or regulations overnight, and malware families receive ongoing optimisation without large teams.

Cloned models also open doors to vulnerability research at scale. An attacker can point a stolen or home-grown model at open-source projects and corporate applications, asking it to reason about edge cases, input validation flaws, or misconfigurations. This does not magically reveal zero-days, but it accelerates the screening of promising targets.

When you consider this in combination with automated exploit testing, the concern deepens. A well-tuned imitator of Gemini can be placed in a closed lab, generating and evaluating code variations that probe defenses. Each loop produces feedback, which in turn sharpens future attempts. The same pattern that powers legitimate red-teaming now drives offensive innovation.

Defensive lessons: what security leaders can do now

For security leaders, the Gemini incident offers a set of practical lessons rather than abstract fear. The first is conceptual: AI models should be treated as high-value assets, just like cryptographic keys or production databases. Their behaviour can leak value even without a conventional data breach.

A second lesson relates to visibility. Many organisations deploy third-party models without robust logging of AI prompts and responses. That leaves them blind to slow, systematic probing. Telecom-style monitoring for strange usage patterns, combined with strong authentication, becomes a baseline requirement once an AI system sits near sensitive workflows.

Concrete measures for protecting AI-powered systems

Several operational steps emerge from recent research and Google’s own reaction to the Gemini probes. After detecting abnormal traffic, Google reportedly blocked malicious accounts and tightened protections around Gemini’s reasoning disclosures, making extraction less efficient. Enterprises can adapt similar measures for their own deployments.

To frame an actionable checklist, consider these safeguards:

  • Rate-limit high-volume or highly structured querying to your AI endpoints.
  • Monitor prompt patterns for repetitive, systematic coverage across domains.
  • Isolate sensitive reasoning or internal tool calls from user-facing outputs.
  • Align terms of service and contracts with explicit bans on model extraction.
  • Regularly red-team your own APIs to simulate distillation attacks and refine defenses.

These controls will not eliminate all risk, but they complicate imitation and raise the cost for adversaries whose success depends on quiet, long-running access.

Learning from adjacent threat landscapes

There are useful parallels with other digital ecosystems. Consider how browser extensions became a fertile ground for malicious code, as described in reports about a new virus threat within the Chrome ecosystem referenced by sources such as recent coverage of Chrome Web Store risks. Weak oversight allowed attackers to sit close to valuable user actions.

AI interfaces now represent a similarly privileged layer. They mediate content, decisions, and in some sectors even transactions. Security teams who learned hard lessons from plugin stores or mobile apps can transfer that mindset: treat every AI integration as a potential attack surface in need of policy, monitoring, and rapid-response capability.

Looking ahead: AI competition, cybercrime and emerging norms

The Gemini story lands at a moment when the AI industry is under pressure from several directions. Lawsuits over training data, regulatory proposals on model transparency, and a race between companies in the United States, Europe, and Asia all converge. Model extraction attacks sit at the intersection of intellectual property, Cybersecurity, and international competition.

For technologists, this is more than a legal dispute. If cloning via AI prompts becomes routine, incentives may shift toward heavier access restrictions or on-premise deployments, which in turn affect innovation. Organisations that rely on flexible APIs could see rising costs or tighter controls, driven by fears of imitation rather than direct harm to end users.

Why every organisation using AI should care

Even if you never build a foundation model, you are touched by these dynamics whenever you integrate artificial intelligence into operations. An AI system that writes marketing copy today might be adapted to screen contracts or assist trading strategies tomorrow. The more strategic its role, the more attractive it becomes to both insider threats and external actors.

Financial institutions already observe attackers turning AI into a weapon against cryptocurrencies, as noted by analyses like reports on AI-enabled crypto targeting. Gemini-style clones raise the ceiling on that trend. Security leaders who internalise this now can tune their architectures, vendor choices, and incident playbooks before the next wave of model thefts hits the headlines.

What is a model extraction or distillation attack against AI systems?

A model extraction, sometimes called a distillation attack, occurs when an adversary uses legitimate access to an AI service to systematically probe its behaviour and record responses. By sending large volumes of carefully structured prompts, the attacker creates a dataset that approximates how the original model thinks and decides. This dataset can then train a new model that imitates the original system’s capabilities without direct access to its code or training data.

Why are hackers interested in copying Google Gemini instead of stealing training data?

Stealing training data is difficult, noisy, and often less valuable than the tuned behaviour of a mature model. Gemini represents years of optimisation, safety work and domain coverage. By copying its behaviour through AI prompts, attackers gain access to a highly capable reasoning engine they can then adapt to their own languages and objectives. Model imitation also reduces infrastructure costs, because the victim has already absorbed much of the research and development effort.

Does the Gemini cloning attempt put everyday users at risk?

According to Google’s threat analysis, the specific Gemini distillation campaigns primarily threaten service providers and model builders, not ordinary users of the platform. The attackers tried to reconstruct the model’s capabilities rather than compromise personal accounts directly. However, once cloned models exist, they can power more advanced phishing, fraud, and malware operations that eventually target individuals and organisations. The long-term risk therefore cascades down to end users.

How can companies detect if someone is trying to clone their AI model?


Companies can look for unusual usage patterns in their AI logs, including very high query volumes from a small set of accounts, highly repetitive prompts, or systematic coverage of many knowledge domains. Combining rate limits, behavioural analytics, and strong access controls helps highlight suspicious traffic. Regular internal red-teaming, where defenders simulate model extraction, also reveals detection gaps and informs better safeguards around sensitive reasoning features or tools exposed by the model.
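The detection checks named in the safeguards checklist earlier in the article and in this answer (very high query volumes from a small set of accounts, repetitive prompts, systematic coverage of many knowledge domains), as an added Python example that is not code from the article or from Google. The gateway log format, the account names, the domain tags and the thresholds are all constructed assumptions; the example generalises the answer slightly by scoring every account found in the log rather than a single suspect.

```python
"""Added example (not from the article or from Google): flag accounts whose
AI-gateway usage looks like systematic model-extraction probing.

Everything here is an assumption for illustration: the log line format,
the account names, the domain tags and the thresholds."""
from collections import Counter, defaultdict
import math
import re

# Assumed log format: "<timestamp> <account> <domain-tag> <prompt text>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<acct>\S+)\s+(?P<domain>\S+)\s+(?P<prompt>.+)$")

# Constructed benign traffic: a handful of varied prompts, mostly one domain.
BENIGN_LOG = """\
2024-05-01T10:00:01Z acct-1001 finance Summarise this quarterly report for the risk committee.
2024-05-01T10:04:12Z acct-1001 finance Which of these transactions look unusual for a retail customer?
2024-05-01T10:09:45Z acct-1001 legal Draft a polite reminder about an overdue invoice.
2024-05-01T11:20:03Z acct-1001 finance Explain what a chargeback is in plain language.
2024-05-01T13:02:30Z acct-1001 finance Rewrite this fraud alert so a customer can understand it.
"""

DOMAINS = ["finance", "legal", "medical", "code", "chemistry", "history", "geography", "travel"]


def build_sample_log() -> str:
    """Constructed sample: the benign lines plus one account that walks eight
    domains with the same step-by-step prompt template (40 prompts in total)."""
    lines = [BENIGN_LOG.rstrip("\n")]
    for d_idx, domain in enumerate(DOMAINS):
        for step in range(1, 6):
            ts = f"2024-05-01T14:{d_idx:02d}:{step:02d}Z"
            prompt = (f"Step {step}: given input '{domain} case {step}', "
                      "explain your reasoning and give the answer.")
            lines.append(f"{ts} acct-4242 {domain} {prompt}")
    return "\n".join(lines) + "\n"


def parse_log(text: str):
    """Parse log lines into (timestamp, account, domain, prompt) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append((m["ts"], m["acct"], m["domain"], m["prompt"]))
    return records


def prompt_shape(prompt: str) -> str:
    """Collapse the variable parts of a prompt (quoted values, numbers) so that
    prompts generated from one template map to a single shape string."""
    shape = prompt.lower()
    shape = re.sub(r"'[^']*'|\"[^\"]*\"", "<q>", shape)
    shape = re.sub(r"\d+", "<n>", shape)
    return re.sub(r"\s+", " ", shape).strip()


def domain_entropy(domains) -> float:
    """Shannon entropy (bits) of the domain distribution; higher means the
    account spreads its questions evenly over many domains."""
    counts = Counter(domains)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def score_accounts(records, min_volume=30, template_ratio=0.5, min_entropy=2.0):
    """Per-account statistics plus the reasons (if any) the account looks suspicious.
    The thresholds are illustrative assumptions, not vendor recommendations."""
    by_acct = defaultdict(list)
    for _ts, acct, domain, prompt in records:
        by_acct[acct].append((domain, prompt))
    findings = {}
    for acct, items in by_acct.items():
        volume = len(items)
        shapes = Counter(prompt_shape(p) for _d, p in items)
        top_ratio = shapes.most_common(1)[0][1] / volume   # share of the dominant template
        entropy = domain_entropy(d for d, _p in items)
        reasons = []
        if volume >= min_volume and top_ratio >= template_ratio:
            reasons.append("templated high-volume prompting")
        if volume >= min_volume and entropy >= min_entropy:
            reasons.append("systematic multi-domain coverage")
        findings[acct] = {"volume": volume, "top_shape_ratio": round(top_ratio, 2),
                          "domain_entropy": round(entropy, 2), "reasons": reasons}
    return findings


def flagged_accounts(findings):
    """Accounts with at least one reason, most suspicious first."""
    return sorted((a for a, f in findings.items() if f["reasons"]),
                  key=lambda a: (-len(findings[a]["reasons"]), -findings[a]["volume"]))


if __name__ == "__main__":
    results = score_accounts(parse_log(build_sample_log()))
    for account in flagged_accounts(results):
        print(account, results[account])
```

In a real deployment the same three statistics would be computed per account over a rolling window from the gateway's prompt logs, and the thresholds tuned against known-good enterprise traffic so that legitimate batch integrations are not flagged alongside extraction attempts.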

What practical steps should security teams take when deploying AI in production?

Security teams should treat AI endpoints as high-value assets. That means enforcing authentication and authorisation, applying rate limits, logging prompts and responses, and monitoring for anomalies in query behaviour. Sensitive internal tools or data sources invoked by the model should be isolated behind additional controls. Contracts with vendors should address model misuse, including attempts at distillation. Finally, AI deployments need incident response procedures, covering account blocking, configuration changes, and communication when suspicious activity is detected.
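The enforcement side of these steps, as an added Python example that is not code from the article or from any vendor: a small gateway in front of a model client that applies API-key authentication and scope checks, a per-account token-bucket rate limit, structured prompt and response logging, and removal of internal tool traces before a reply reaches the caller. The keys, accounts, scopes and the stand-in model function are constructed assumptions.

```python
"""Added example (not from the article or from any vendor): a minimal gateway
that sits in front of a model client and applies the controls listed above.

The API keys, accounts, scopes and the fake model are constructed for
illustration; a real deployment would back them with a secrets store and the
actual model client."""
import hashlib
import hmac
from typing import Callable, Dict, List, Optional


def key_digest(api_key: str) -> str:
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed key registry: digest of key -> account record (raw keys are never stored).
API_KEYS: Dict[str, dict] = {
    key_digest("demo-key-alpha"): {"account": "acct-1001", "scopes": {"chat"}},
    key_digest("demo-key-beta"): {"account": "acct-4242", "scopes": {"chat", "tools"}},
}


class TokenBucket:
    """Classic token bucket: `capacity` requests of burst, `refill_per_sec` sustained."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def fake_model(prompt: str) -> dict:
    """Stand-in for the real model client. Returns the user-facing answer plus an
    internal trace (tool calls, scratchpad notes) that must stay server-side."""
    return {"answer": f"Answer to: {prompt[:40]}",
            "internal": {"tools_called": ["kb_lookup"], "notes": "scratchpad reasoning"}}


class Gateway:
    def __init__(self, model_fn: Callable[[str], dict], capacity: int = 5, refill_per_sec: float = 0.1):
        self.model_fn = model_fn
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: Dict[str, TokenBucket] = {}
        self.audit: List[dict] = []   # structured log that a detection job can consume

    def authenticate(self, api_key: str) -> Optional[dict]:
        digest = key_digest(api_key)
        for known, record in API_KEYS.items():
            if hmac.compare_digest(known, digest):   # constant-time comparison
                return record
        return None

    def _log(self, account, outcome, prompt, now, answer=None, internal=None):
        self.audit.append({"t": now, "account": account, "outcome": outcome,
                           "prompt": prompt, "answer": answer, "internal": internal})

    def handle(self, api_key: str, prompt: str, now: float, scope: str = "chat") -> dict:
        record = self.authenticate(api_key)
        if record is None:
            self._log(None, "denied:auth", prompt, now)
            return {"status": 401}
        if scope not in record["scopes"]:
            self._log(record["account"], "denied:scope", prompt, now)
            return {"status": 403}
        bucket = self.buckets.setdefault(
            record["account"], TokenBucket(self.capacity, self.refill_per_sec, now))
        if not bucket.allow(now):
            self._log(record["account"], "denied:rate_limit", prompt, now)
            return {"status": 429}
        raw = self.model_fn(prompt)
        # The internal trace is logged for defenders but never returned to the caller.
        self._log(record["account"], "ok", prompt, now, raw["answer"], raw.get("internal"))
        return {"status": 200, "answer": raw["answer"]}
```

The `now` parameter is passed explicitly so the limiter is deterministic in tests; in production it would come from a monotonic clock, and the `audit` list would be a write to the same log store that the account-scoring job reads.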

