Google revealed that attackers have prompted its Gemini AI chatbot over 100,000 times in attempts to clone its capabilities. The company calls this practice 'model extraction' and frames it as intellectual property theft, though its own AI was trained on scraped internet data without permission.

These distillation attacks involve feeding carefully chosen prompts to an existing model, collecting all responses, and using those input-output pairs to train a smaller, cheaper copycat model. Google identified one campaign targeting reasoning algorithms that prompted Gemini across multiple non-English languages. The company adjusted its defenses but did not detail the countermeasures.

Google believes the culprits are mostly private companies and researchers seeking competitive advantages, with attacks coming from around the world. The practice has become widespread across the AI industry, with competitors using distillation to clone capabilities since at least the GPT-3 era. OpenAI previously accused Chinese rival DeepSeek of similar tactics, highlighting how the line between standard distillation and theft depends on whose model you're distilling and whether you have permission.