Google detects more than 100,000 attempts to clone Gemini through reverse engineering


Google has revealed that its Gemini artificial intelligence model was the subject of multiple cloning attempts during 2025. According to the quarterly report published by the company’s threat intelligence group, it detected a campaign that sent more than 100,000 queries to the model in various languages with the aim of extracting its knowledge and replicating it in a system of its own.

The technique used is known as “model mining” or “distillation,” and it allows third parties to create inexpensive versions of advanced AI models without investing the billions of dollars required to develop them. Google considers this practice intellectual property theft and a violation of its terms of service, although the position is somewhat controversial given that Gemini was trained on materials taken from the Internet without express permission.

What is model distillation and how does it work?

Model distillation is a machine learning technique that allows you to create a student model from an existing teacher model. The process is relatively simple: you feed the original model thousands of carefully selected questions, collect all the answers, and then use those input-output pairs to train a smaller, cheaper model.

The resulting model never sees the source code or training data of the original, but by studying enough answers it can learn to replicate many of its capabilities. To give you an idea, it’s like trying to figure out a recipe by trying the dish over and over again. The cloned model won’t be perfect, but it can be much more efficient than trying to build one from scratch with random data from the Internet.

In the case detected by Google, the attackers specifically focused on extracting Gemini’s internal reasoning processes, attempting to force the model to reveal how it reached its conclusions in languages other than English. Google identified the pattern in real time and applied defenses that reduced the effectiveness of the attack, protecting the system’s internal reasoning traces.
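As an added illustration (not code from Google or its report), the three traits described above, high query volume, many languages, and prompts that push the model to expose its reasoning, can be combined into a per-account log heuristic. The log format, marker phrases and thresholds are assumptions constructed for this example.

```python
from collections import defaultdict

# Assumed phrases that ask a model to expose its reasoning (constructed list).
REASONING_MARKERS = ("step by step", "show your reasoning",
                     "paso a paso", "étape par étape")

# Illustrative thresholds for the tiny sample below, not values from the report.
MIN_QUERIES = 5
MIN_LANGUAGES = 3
MIN_REASONING_RATIO = 0.6

def score_accounts(records):
    """Aggregate volume, language spread and reasoning-elicitation count per account."""
    stats = defaultdict(lambda: {"queries": 0, "languages": set(), "reasoning": 0})
    for account, lang, prompt in records:
        s = stats[account]
        s["queries"] += 1
        s["languages"].add(lang)
        if any(marker in prompt.lower() for marker in REASONING_MARKERS):
            s["reasoning"] += 1
    return stats

def flag_extraction_candidates(records):
    """Return accounts that match all three signals at once, sorted by name."""
    flagged = []
    for account, s in score_accounts(records).items():
        ratio = s["reasoning"] / s["queries"]
        if (s["queries"] >= MIN_QUERIES
                and len(s["languages"]) >= MIN_LANGUAGES
                and ratio >= MIN_REASONING_RATIO):
            flagged.append(account)
    return sorted(flagged)

# Constructed sample log of (account, language, prompt) tuples.
SAMPLE_LOG = [
    ("acct-A", "en", "Solve 17*23 and show your reasoning"),
    ("acct-A", "es", "Resuelve 17*23 paso a paso"),
    ("acct-A", "fr", "Résous 17*23 étape par étape"),
    ("acct-A", "de", "Explain step by step: 17*23"),
    ("acct-A", "en", "Step by step, why is the sky blue?"),
    ("acct-B", "en", "Summarise this email"),
    ("acct-B", "en", "Translate 'hello' to French"),
    ("acct-B", "en", "Write a haiku"),
    ("acct-B", "en", "Explain recursion step by step"),
    ("acct-B", "en", "Draft a meeting agenda"),
]

if __name__ == "__main__":
    print(flag_extraction_candidates(SAMPLE_LOG))
```

Requiring all three signals together keeps ordinary users who occasionally ask for a step-by-step answer, such as acct-B in the sample, out of the result.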

Cyber espionage groups also use Gemini for operations

In addition to commercial cloning attempts, the report reveals that actors backed by governments in North Korea, Iran, China and Russia have been using Gemini as a tool to speed up their operations. The Iranian group APT42, for example, used Gemini to perform detailed reconnaissance on specific targets and create credible profiles for social engineering campaigns.

North Korean actor UNC2970, known for posing as corporate recruiters, employed Gemini to synthesize information from open sources and profile high-value targets at cybersecurity and defense companies. The Chinese group APT31 went further and attempted to create code auditing capabilities integrated with AI, demonstrating interest in developing autonomous vulnerability analysis systems.

Google also documented the case of HONESTCUE, a malware family that directly uses the Gemini API to generate malicious code on the fly. The malware sends a seemingly innocuous query to Gemini requesting C# code, receives the response, and then compiles and executes that code directly in memory without leaving traces on disk. This technique makes detection difficult using traditional static analysis.

The company has disabled the accounts associated with these actors and has updated both the classifiers and the model itself to reject these types of requests in the future. However, the reality is that as long as an AI model is publicly accessible, there is no completely foolproof technical barrier that prevents a given actor from trying to extract its capabilities through distillation, something that Google itself reportedly practiced, according to reports from 2023 that its Bard team had used ChatGPT data to train its chatbot.