In a significant escalation of AI-related industrial espionage, the Google Threat Intelligence Group (GTIG) revealed on February 12, 2026, that its flagship AI, Gemini, has been targeted by a massive “distillation attack.” According to the quarterly report, threat actors submitted more than 100,000 structured prompts in a coordinated effort to “clone” the model’s proprietary logic and reasoning capabilities.
Google has characterized these efforts as intellectual property theft, warning that the “canary in the coal mine” has officially been triggered for the broader AI industry.
What is a Distillation Attack?
Also known as a “Model Extraction” attack, this technique involves “teaching” a smaller, cheaper AI (the student) by using the outputs of a larger, more advanced AI (the teacher).
- Systematic Probing: Attackers send thousands of diverse questions—covering coding, law, and complex reasoning—to a model’s API.
- Dataset Harvesting: Every answer provided by the model is saved as a “gold standard” training pair.
- Clone Creation: The stolen data is used to fine-tune an open-source model, allowing the attacker to replicate the original’s behavior at a fraction of the R&D cost.
The 100,000 Prompt Campaign: Key Details
The campaign identified by Google was specifically designed to extract “reasoning traces”—the internal “chain-of-thought” logic that allows Gemini to solve multi-step problems.
| Metric | Detail |
| --- | --- |
| Volume | Over 100,000 engineered prompts. |
| Suspected Origin | State-aligned groups from China, Russia, and North Korea. |
| Technique | Reasoning Trace Coercion: Forcing the AI to output its full “thinking” process rather than a summary. |
| Target Languages | Non-English reasoning to build competitive models for local markets. |
| Outcome | Google systems detected the spike in real-time and blocked associated accounts. |
Malware Integration: The “HonestCue” Threat
Beyond simple cloning, hackers are now wiring Gemini’s intelligence directly into their malicious code. GTIG identified a new malware family called HONESTCUE that uses Gemini’s API to generate “fileless” C# code on the fly. This allows the malware to bypass traditional antivirus scanners because its malicious functions don’t actually exist on the disk until they are requested from the AI.
State-Backed Misuse Case Studies
- North Korea (UNC2970): Used Gemini to synthesize open-source intelligence and profile high-value targets in the aerospace and defense sectors.
- Iran (APT42): Leveraged the model to craft highly convincing “rapport-building” phishing messages for social engineering.
- China (UNC795): Used Gemini multiple times a week to troubleshoot and refine malicious code snippets.
Google’s Response and Mitigations
Google DeepMind has reportedly used the data from these attacks to strengthen the model’s classifiers. Gemini is now trained to recognize when it is being “probed” for its underlying logic and will refuse to assist with prompts that look like they are part of a distillation campaign.
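The volume spike and "probing" signals described above can be approximated from API logs on the defender's side. The following is an added example, not Google's or GTIG's detection logic; the phrase list, thresholds, log tuple format and account names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque

# Assumed wording for prompts that demand a full reasoning trace, not a summary.
TRACE_RE = re.compile(
    r"step[- ]by[- ]step|chain[- ]of[- ]thought|"
    r"show (all )?your (full )?(reasoning|thinking)|do not summari[sz]e",
    re.IGNORECASE,
)

def flag_accounts(events, window=3600, max_prompts=5, min_trace_ratio=0.6):
    """Flag accounts whose prompts within a sliding window are both
    high-volume and dominated by trace-seeking wording.

    events: (unix_seconds, account_id, prompt) tuples in time order.
    Returns {account_id: (peak_prompts_in_window, trace_ratio_at_peak)}.
    Thresholds are illustrative defaults and must be tuned on real traffic.
    """
    recent = defaultdict(deque)   # account -> (timestamp, is_trace_seeking)
    flagged = {}
    for ts, account, prompt in events:
        q = recent[account]
        q.append((ts, bool(TRACE_RE.search(prompt))))
        while q and q[0][0] <= ts - window:   # evict events outside the window
            q.popleft()
        n = len(q)
        ratio = sum(hit for _, hit in q) / n
        # Volume alone is normal for busy clients; require both signals.
        if n > max_prompts and ratio >= min_trace_ratio:
            if account not in flagged or n > flagged[account][0]:
                flagged[account] = (n, ratio)
    return flagged

# Constructed sample log: three hypothetical accounts, one prompt per minute.
SAMPLE = sorted(
    [(60 * i, "acct-A", "Translate this sentence." if i == 0 else
      f"Solve puzzle {i}. Show your full reasoning step by step.") for i in range(8)]
    + [(60 * i, "acct-B", "Explain step by step how TLS works." if i == 0 else
        f"Summarize document {i}.") for i in range(8)]
    + [(60 * i, "acct-C", "Show your thinking, do not summarize.") for i in range(3)]
)

if __name__ == "__main__":
    for account, (n, ratio) in flag_accounts(SAMPLE).items():
        print(f"{account}: {n} prompts in window, {ratio:.0%} trace-seeking")
```

Only acct-A is flagged: acct-B has the same volume with ordinary prompts, and acct-C uses trace-seeking wording at low volume.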
“We’re going to be the canary in the coal mine for far more incidents… let’s say your LLM has been trained on 100 years of secret thinking. Theoretically, an attacker could distill some of that.” — John Hultquist, Chief Analyst at GTIG.
