Google’s Gemini AI Under Siege: Massive Distillation Attacks Expose New Frontier in AI Espionage
February 15, 2026 — In an unprecedented escalation of AI-related industrial espionage, Google has disclosed that its flagship artificial intelligence model, Gemini, has become the target of sophisticated “distillation attacks” involving over 100,000 carefully crafted prompts designed to clone its proprietary capabilities.
The Scale of the Threat
According to Google’s Threat Intelligence Group (GTIG) report released on February 12, 2026, threat actors have been systematically probing Gemini through massive query campaigns aimed at reverse-engineering the model’s internal reasoning and decision-making processes. One documented attack alone exceeded 100,000 distinct prompts, representing what Google characterizes as intellectual property theft on an industrial scale.
“We’re going to be the canary in the coal mine for far more incidents,” warned John Hultquist, chief analyst of Google’s Threat Intelligence Group, suggesting that similar attacks will likely proliferate across the AI industry, particularly targeting smaller companies with custom models.
What Are Distillation Attacks?
Distillation attacks, also known as model extraction, involve systematically querying an AI system to map its response patterns, reasoning logic, and decision-making boundaries. Attackers send waves of structured prompts across different question types, languages, and complexity levels to build a comprehensive understanding of the model’s capabilities.
The stolen data is then used to train “student models” that replicate the original system’s behavior at a fraction of the research and development costs. While legitimate knowledge distillation is a common machine learning technique used to compress models, unauthorized distillation violates terms of service and constitutes IP theft.
The economics are stark: building a state-of-the-art AI model can cost hundreds of millions or even billions of dollars, while distillation can replicate similar capabilities for a tiny fraction of that investment. DeepSeek reportedly developed its R1 model for approximately $6 million using distillation techniques, while ChatGPT-5’s development exceeded $2 billion, according to industry reports.

Who’s Behind the Attacks?
Google attributes the attacks primarily to commercially motivated actors, including private AI companies and research institutions seeking competitive advantages. The campaigns originated from multiple regions worldwide, though Google declined to provide specific details about suspects or locations.
According to the company’s report, the attacks specifically targeted the algorithms that enable Gemini to “reason,” or process complex information: the crown jewels of modern AI systems. Many of the prompts carried instructions such as requiring that “the language used in the thinking content must be strictly consistent with the main language of the user input,” suggesting a sophisticated understanding of model behavior.
State-Sponsored Exploitation
Beyond commercial theft, Google’s report revealed alarming misuse by state-sponsored actors. China’s APT31 (also known as Violet Typhoon, Zirconium, and Judgment Panda), a Beijing-backed hacking group sanctioned for targeting America’s critical infrastructure, employed Gemini to automate vulnerability analysis and plan cyberattacks against U.S. organizations.
APT31 used a highly structured approach, prompting Gemini with an “expert cybersecurity persona” to automate analysis of vulnerabilities including remote code execution, web application firewall bypass techniques, and SQL injection attacks. The group leveraged Hexstrike, an open-source red-teaming tool built on the Model Context Protocol, which enables models to execute over 150 security tools for network scanning, reconnaissance, and penetration testing.
Other state-backed actors also exploited Gemini:
- North Korea’s UNC2970: Used Gemini to synthesize open-source intelligence and profile high-value targets in the aerospace and defense sectors as part of their “Operation Dream Job” campaigns
- China’s APT41: Utilized the model to understand and debug open-source exploit code
- Iran’s APT42: Leveraged Gemini for reconnaissance and phishing campaign development
While Google reports no indication that these attacks were successful, the company warns that “APT groups like this continue to experiment with adopting AI to support semi-autonomous offensive operations.”
Novel Malware Integration
Perhaps most concerning is the emergence of HONESTCUE, a new malware family identified in September 2025 that uses Gemini’s API to dynamically generate malicious code. Rather than containing hardcoded payloads, HONESTCUE sends prompts to Gemini’s API to generate custom C# code in memory for second-stage attacks, effectively evading traditional file-based antivirus detection.
Additionally, Google discovered Xanthorox, a dark-web toolkit advertised as an independent offensive AI platform but actually powered by stolen API keys accessing commercial AI products including Gemini.
Industry-Wide Implications
Google’s disclosure comes amid growing concerns about AI model security across the industry. The company emphasized that despite having detection and blocking mechanisms in place, major large language models remain inherently vulnerable because they must be accessible to users on the internet.
The vulnerability extends beyond tech giants. As Hultquist noted, organizations training custom LLMs on proprietary data face similar risks: “Let’s say your LLM has been trained on 100 years of secret thinking of the way you trade. Theoretically, you could distill some of that.”
Financial institutions, healthcare providers, and other enterprises developing specialized AI systems on sensitive data now face the prospect of having their competitive advantages systematically extracted through distillation attacks.
The OpenAI-DeepSeek Dispute
The threat landscape became more contentious when OpenAI, on the same day as Google’s disclosure, sent a memo to the U.S. House Select Committee on China accusing Chinese AI company DeepSeek of using “ongoing efforts to free-ride on the capabilities developed by OpenAI and other U.S. frontier labs.”
OpenAI alleged that accounts associated with DeepSeek employees developed methods to circumvent access restrictions through obfuscated third-party routers and wrote code to access U.S. AI models programmatically for distillation purposes. The company began investigating DeepSeek shortly after its R1 model launched in January 2025.
Representative John Moolenaar, Republican chair of the House Select Committee on China, characterized the allegations as exemplifying “the CCP’s playbook: steal, copy, and kill.” White House AI advisor David Sacks stated there was “substantial evidence” that DeepSeek distilled knowledge from OpenAI’s models.
DeepSeek has not publicly responded to these accusations, and the Chinese embassy in Washington did not immediately comment.
Economic and National Security Stakes
The distillation threat carries both commercial and national security implications. Since DeepSeek and many Chinese AI models operate without subscription fees, widespread distillation could undermine American companies’ ability to monetize billions in AI infrastructure investments.
Beyond business concerns, OpenAI warned that when capabilities are copied through distillation, safety guardrails often fail to transfer, enabling potential misuse in high-risk areas like biology, chemistry, or weapons development. The company also noted that DeepSeek’s chatbot censored results about topics considered controversial by the Chinese government, including Taiwan and Tiananmen Square.
IBM’s 2024 data breach report found that intellectual property theft now costs organizations $173 per record, with IP-focused breaches jumping 27% year-over-year. AI model weights represent the highest-value targets in this underground economy—a single stolen frontier model could theoretically fetch hundreds of millions on the black market.
Defensive Responses
Google reports that it has used data from detected attacks to strengthen Gemini’s classifiers, training the model to recognize when it’s being probed for underlying logic and refuse to assist with prompts that appear part of distillation campaigns. The company has also disabled accounts linked to identified attack campaigns.
However, the open nature of AI services creates a fundamental security dilemma: models must be accessible to provide value to legitimate users, yet this same accessibility enables systematic exploitation. As Google noted in its white paper “Advancing Gemini’s Security Safeguards,” organizations providing AI models as services should monitor API access for extraction or distillation patterns, though no foolproof solution currently exists.
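The monitoring Google recommends can be approximated with simple per-account heuristics over API access logs. The following is an added example, not code from Google, GTIG, or any vendor: it assumes an upstream pipeline has already tagged each request with a coarse topic category and a detected language (both hypothetical fields), and it scores each account on five indicators that the article associates with distillation campaigns: very high volume, broad topic coverage, many languages, evenly paced (scripted) timing, and reuse of a fixed instruction template. The log lines it runs on are constructed, not real traffic.

```python
"""Heuristic scoring of LLM API access logs for model-extraction patterns.

Added example (not Google's or GTIG's code). Assumes each request has already
been annotated with a coarse topic category and a language by hypothetical
upstream classifiers; the requests built in constructed_log() are synthetic.
"""
import math
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Request:
    account: str
    ts: float        # seconds since the start of the observation window
    category: str    # coarse topic label from an assumed upstream classifier
    language: str    # detected prompt language (assumed field)
    prompt: str


def _entropy_bits(counts):
    """Shannon entropy of a Counter, in bits; higher means broader coverage."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


def _timing_cv(timestamps):
    """Coefficient of variation of inter-arrival gaps; near 0 means even, scripted pacing."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return float("inf")
    mean = statistics.fmean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else float("inf")


def _template_reuse(prompts):
    """Fraction of prompts that share the single most common 8-word prefix."""
    prefixes = Counter(" ".join(p.split()[:8]) for p in prompts)
    return prefixes.most_common(1)[0][1] / len(prompts)


def score_account(reqs, window_seconds=3600):
    """Return (score, signals): score is how many extraction indicators fired."""
    reqs = sorted(reqs, key=lambda r: r.ts)
    signals = {
        # Thresholds are illustrative; tune them against a baseline of normal traffic.
        "high_volume": len(reqs) / (window_seconds / 3600) >= 300,
        "broad_topics": _entropy_bits(Counter(r.category for r in reqs)) >= 2.5,
        "multi_language": len({r.language for r in reqs}) >= 3,
        "scripted_pacing": _timing_cv([r.ts for r in reqs]) < 0.2,
        "template_reuse": _template_reuse([r.prompt for r in reqs]) >= 0.8,
    }
    return sum(signals.values()), signals


def flag_accounts(requests, min_score=3):
    """Group requests by account and return those whose score meets min_score."""
    by_account = defaultdict(list)
    for r in requests:
        by_account[r.account].append(r)
    flagged = {}
    for acct, reqs in by_account.items():
        score, signals = score_account(reqs)
        if score >= min_score:
            flagged[acct] = (score, signals)
    return flagged


# Constructed sample traffic: one extraction-style account, one ordinary user.
CATEGORIES = ["math", "code", "law", "medicine", "history", "finance", "chemistry", "poetry"]
LANGS = ["en", "zh", "es", "de"]
TEMPLATE = "Think step by step and keep the reasoning language the same as the question:"


def constructed_log():
    reqs = []
    # 600 prompts, one every 6 seconds, sweeping every category and language.
    for i in range(600):
        reqs.append(Request("acct-extract", ts=i * 6.0, category=CATEGORIES[i % 8],
                            language=LANGS[i % 4], prompt=f"{TEMPLATE} question {i}"))
    # A short, bursty human session on two topics in one language.
    bursts = [10, 25, 31, 90, 94, 140, 600, 602, 660, 1200, 1205, 1900]
    for i, t in enumerate(bursts):
        reqs.append(Request("acct-human", ts=float(t), category=["code", "math"][i % 2],
                            language="en", prompt=f"Why does my loop {i} never terminate?"))
    return reqs


if __name__ == "__main__":
    for acct, (score, signals) in flag_accounts(constructed_log()).items():
        fired = [name for name, hit in signals.items() if hit]
        print(f"{acct}: score {score}, indicators {fired}")
```

On the constructed log the extraction account trips all five indicators while the human session trips none. In practice these heuristics are a triage layer rather than a verdict: a legitimate evaluation harness or a bulk translation job can also look scripted and broad, so flagged accounts should feed a review or rate-limiting step rather than an automatic ban.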
Looking Ahead
The timing of these revelations is significant. As AI becomes more integrated into critical business operations and national security infrastructure, the race between offensive and defensive capabilities intensifies. Google anticipates that “China-based actors in particular will continue to build agentic approaches for cyber offensive scale,” suggesting the threat will evolve beyond simple distillation into more autonomous AI-powered attack systems.
For the broader AI industry, the message is clear: the era of AI-on-AI warfare has arrived. As Hultquist noted, “We are going to have to leverage the advantages of AI, and increasingly remove humans from the loop, so that we can respond at machine speed.”
The question facing policymakers, industry leaders, and security professionals is no longer whether AI systems will be targeted for exploitation, but whether defensive measures can evolve quickly enough to protect the intellectual property and safety guardrails that underpin the AI revolution.
This report is based on information from Google’s Threat Intelligence Group AI Threat Tracker (February 12, 2026), OpenAI’s memo to the U.S. House Select Committee on China (February 12, 2026), and various industry sources.