NextFin News - The Google Threat Intelligence Group (GTIG) announced on Monday, February 16, 2026, that it has identified and disrupted a sophisticated, large-scale attempt to extract the underlying intellectual property of its Gemini artificial intelligence model. The operation, characterized as a "distillation attack," involved a cluster of more than 100,000 structured prompts designed to coerce the model into revealing its internal reasoning behaviors. According to Hultquist, Chief Analyst at GTIG, the attackers aimed to collect high-fidelity outputs to train a "student" model—a smaller, separate AI capable of imitating Gemini’s advanced capabilities at a fraction of the original research and development cost.
The report identifies a broad spectrum of actors involved in these activities, ranging from private-sector companies seeking a competitive edge to state-aligned groups from China, North Korea, Iran, and Russia. Specifically, Google tracked a China-linked cluster known as APT31, which used Gemini to automate vulnerability analysis, and a North Korea-linked group, UNC2970, which utilized the AI to profile high-value targets in the aerospace sector. In response to these threats, Google DeepMind has implemented real-time defenses and hardened model-level controls to degrade the performance of unauthorized student models and protect proprietary training data.
This surge in model extraction attempts represents a fundamental shift in the economics of AI development. Training frontier models like Gemini requires billions of dollars in compute resources and specialized talent. Distillation attacks offer an illegal shortcut, effectively allowing adversaries to "reverse engineer" the logic of a mature model. Melissa Ruzzi, Director of AI at AppOmni, noted that as providers add more robust guardrails to their public-facing products, attackers are increasingly motivated to extract the core model to use its power without such restrictions. This trend suggests that the AI industry is entering a "Wild West" era where the model itself, rather than just the data it processes, is the primary target of industrial espionage.
The technical sophistication of these attacks is also evolving. GTIG highlighted a new malware family dubbed HONESTCUE, which integrates the Gemini API directly into its execution workflow. Unlike traditional malware that carries a static payload, HONESTCUE generates C# source code on the fly during execution. Because this code runs in process memory rather than being stored as a file on disk, it leaves significantly fewer traces for traditional antivirus software to detect. This "fileless" approach, powered by real-time AI generation, demonstrates how generative tools are being integrated into existing intrusion tactics to raise attacker productivity and stealth.
Looking forward, the battle over AI intellectual property is likely to move from individual company defenses to a broader "ecosystem security" framework. OpenAI recently echoed Google’s concerns in a memo to the U.S. House Select Committee, suggesting that U.S. government intervention may be necessary to close API loopholes and restrict adversary access to domestic cloud infrastructure. As U.S. President Trump continues to emphasize American technological sovereignty, the protection of AI models is being elevated from a corporate security issue to a matter of national economic interest. The industry can expect a move toward more aggressive legal actions and the implementation of "canary" data—hidden markers within model outputs—to track and prove instances of unauthorized distillation in the wild.
