Google says hackers blasted more than 100,000 prompts at its Gemini model in an apparent bid to copy its capabilities, a scale of probing that lays bare how attractive advanced AI systems have become to would-be imitators. The company insists it detected and mitigated the activity, but the episode highlights how quickly attackers are experimenting with ways to siphon off the value of proprietary models. At the center is a new report from Google Threat Intelligence Group that details how adversaries tried to coerce Gemini’s reasoning traces, why that matters for AI innovation, and what remains unknown about who was behind the campaign.
The GTIG Report Unveils AI Adversarial Threats
In a detailed write-up, the Google Threat Intelligence Group, or GTIG, describes how it has been tracking “model extraction” and “distillation attacks” aimed at systems like Gemini. The report presents a case study it calls “Reasoning Trace Coercion,” in which attackers tried to force the model to reveal internal reasoning sequences that could be used to approximate its behavior. GTIG characterizes this activity as part of a broader pattern of adversarial use of AI, where attackers are not only using AI tools but also actively probing them to weaken or replicate them.
According to the Primary GTIG report, the “Reasoning Trace Coercion” case study reached a “Scale: Over 100,000 prompts identified,” a rare hard number in a field that often lacks concrete metrics. GTIG ties these prompts to attempts at “distillation attacks,” where an adversary queries a powerful model extensively, then uses the outputs to train a separate system that mimics the original. By documenting both the techniques and the scale, GTIG is effectively signaling that model extraction is no longer a theoretical risk but an observable part of the threat environment facing Gemini.
How Hackers Targeted Gemini for Extraction
GTIG describes the core tactic as repeated prompting designed to coerce Gemini into exposing detailed reasoning traces rather than just final answers. Through the “Reasoning Trace Coercion” lens, the group explains that attackers hammered the model with carefully shaped queries, apparently seeking the richest possible outputs that could be fed into a separate training pipeline. The logic is straightforward: the more nuanced the trace, the easier it becomes to approximate Gemini’s internal decision patterns without direct access to its architecture or weights.
These attacks unfolded through the Gemini interface and APIs, where high-volume, systematically structured prompts can signal attempts at scraping or reverse engineering. GTIG notes that it identified “over 100,000 prompts” linked to this effort, highlighting just how persistent the probing became before defenses kicked in. By tying that figure directly to a named case study, the GTIG report frames the campaign as a textbook example of model extraction pressure on a flagship system like Gemini rather than a minor anomaly.
Google’s Response and Mitigation Efforts
Google says it did not simply monitor the activity; it moved to shut it down. In a corporate summary of the GTIG work, Official Google states that it “disabled associated accounts” once it confirmed that the traffic mapped to model extraction attempts. That step indicates the company treated the behavior as abusive use of its AI infrastructure, not as normal high-volume experimentation. Disabling accounts also cuts off the immediate channel for further distillation attempts, even if determined attackers might later try to reconstitute access.
Alongside account actions, Google describes “strengthened” protections on Gemini itself. The same Google announcement points to enhanced “real-time detection controls” that are intended to spot and throttle model extraction behavior as it happens, rather than only after forensic review. That aligns with GTIG’s emphasis on “real-time reco” in the primary report, suggesting Google is now wiring threat intelligence directly into Gemini’s operational guardrails so that suspicious prompt patterns can trigger automatic defenses.
Broader Implications for AI Security
The GTIG findings matter because model extraction strikes at the core business value of systems like Gemini. If attackers can use “over 100,000 prompts” to train a parallel model that approximates Gemini’s behavior, they effectively siphon off Google’s research and infrastructure investment without bearing the same costs. The Primary GTIG report treats distillation as a form of intellectual property pressure, where the boundary between legitimate use and illicit copying is tested through large-scale automated querying rather than traditional code theft.
GTIG also situates these attacks within a broader private-sector threat context. In its public summary, Google says its threat intelligence team has “observed and mitigated frequent model-extraction attacks from private-sector entities worldwide,” suggesting that Gemini is only one of several targets. That framing indicates that AI security is no longer just about preventing prompt injection or data leakage, but also about defending the models themselves as strategic assets. The evidence here is strongest where GTIG provides explicit metrics and named case studies, such as the “Reasoning Trace Coercion” example, which gives a rare quantitative window into adversarial interest in a top-tier model.
What We Know About the Attackers
On attribution, the picture is far less clear. In its corporate overview, Google refers to “private-sector entities worldwide” as the source of frequent model extraction attempts, but it stops short of naming specific companies or groups in connection with the Gemini prompts. The GTIG report itself focuses on techniques and scale rather than on detailed profiles of the operators behind “Reasoning Trace Coercion,” which leaves key questions about geography, industry sector, and organizational structure unanswered.
That restraint extends to motives and affiliations. Neither the GTIG case study nor the Official Google summary attributes the 100,000-plus prompts to state actors, criminal syndicates, or competitors, and they offer no technical indicators that would narrow the field. From a defensive standpoint, that means Google is treating model extraction as a generalized risk category rather than a campaign tied to one named adversary. For outside observers, it leaves a gap: the techniques are documented, but the identities and precise intentions of the Gemini attackers remain unverified based on available sources.
Unresolved Questions and Future Outlook
Even with GTIG’s unusually specific case study, major details about the Gemini incident remain opaque. The reports do not specify the exact timeline of the “Reasoning Trace Coercion” campaign, how long the “over 100,000 prompts” accumulated before detection, or whether any partial distillation succeeded before accounts were disabled. Nor do they quantify how many separate accounts were involved or how the attackers adapted when confronted with new “real-time detection controls.” Those gaps matter because they shape how other AI providers might benchmark their own exposure and incident response expectations, yet they are not filled in the Primary GTIG narrative.
Looking ahead, Google signals that it expects adversarial interest in Gemini and similar systems to persist, and it is positioning GTIG as a standing capability rather than a one-off task force. In its public communication, Google links the Gemini incident to a wider pattern of “threat actors misusing AI,” implying that model extraction, abuse of reasoning traces, and other experimentation will continue to evolve alongside defensive tooling. For users and organizations that rely on Gemini, the key takeaway is that AI models have become contested infrastructure: they are powerful tools, attractive targets, and, as the 100,000-prompt campaign shows, subject to intensive probing that requires constant vigilance across both technical controls and contractual protections such as the Gemini API Terms of Service.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
