On February 12 local time, Google disclosed that its AI chatbot Gemini is facing a large-scale "model distillation attack." Attackers are inducing the model to leak its internal mechanisms by repeatedly asking a massive number of questions. In some attacks, the number of prompts exceeded 100,000, triggering heightened concerns across the industry about the security of large models. It is reported that such attacks involve repeatedly testing Gemini's output patterns and logic to explore its core internal mechanisms, with the ultimate aim of cloning the model or using what is learned to improve the attackers' own AI systems.

Google stated that the attacks were mainly initiated by actors with commercial motives, often private AI companies or research institutions seeking a competitive advantage. The attack sources are spread across multiple regions globally, although Google did not disclose more information about the suspects. John Hultquist, chief analyst at Google's threat intelligence team, pointed out that the scale of these attacks sends a dangerous signal, indicating that such model distillation attacks may have already begun to spread into the field of custom AI tools for small and medium-sized enterprises.
He compared Google's experience to the "canary in the coal mine," meaning that the security crisis faced by large platforms signals an impending widespread risk for the entire AI industry. Google emphasized that model distillation attacks essentially constitute intellectual property theft. Major tech companies have invested billions of dollars in developing large language models, and the internal mechanisms of these models are core proprietary assets.
Although the industry has deployed mechanisms to identify and block such attacks, the open nature of mainstream large model services makes it fundamentally difficult to avoid such risks. The core objective of this attack was to extract Gemini's "reasoning" algorithm, the central decision-making mechanism by which the model processes information.
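As an added illustration of the kind of volume-based identification mechanism referred to above (example code written for this article, not Google's detection system, and not describing how Gemini is actually monitored), the script below scans a constructed API access log and flags clients that combine a sustained high request rate with almost entirely unique prompts. The log format, client names, thresholds and the "distinct-prompt ratio" heuristic are all assumptions made for the example; the point it demonstrates is that raw volume alone is a weak signal (a client stuck retrying one request also produces volume), so a gateway needs a second feature before escalating.

```python
"""Hypothetical request-volume monitor for an LLM API gateway (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Illustrative thresholds; a real gateway would tune these per customer tier.
WINDOW = timedelta(hours=1)
PROMPTS_PER_WINDOW = 500   # sustained volume that merits review
MIN_DISTINCT_RATIO = 0.9   # nearly every prompt unique: scripted enumeration, not retries


def parse_line(line):
    """Parse the constructed format 'ISO-timestamp client_id prompt text'."""
    ts, client, prompt = line.split(" ", 2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, prompt


def find_bulk_queriers(lines, window=WINDOW, limit=PROMPTS_PER_WINDOW):
    """Return {client: peak_count} for every client whose request count inside
    some sliding window of length `window` exceeded `limit`."""
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    peaks = {}
    for ts, client, _ in sorted(parse_line(line) for line in lines):
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop requests that aged out
            q.popleft()
        if len(q) > limit:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks


def distinct_ratio(lines):
    """Fraction of unique prompts per client. High volume with a ratio near 1.0
    suggests systematic probing; high volume with a ratio near 0 is a retry loop."""
    seen, total = defaultdict(set), defaultdict(int)
    for _, client, prompt in map(parse_line, lines):
        seen[client].add(prompt)
        total[client] += 1
    return {c: len(seen[c]) / total[c] for c in total}


def flag_suspects(lines):
    """Combine both signals: only bulk queriers with mostly unique prompts are escalated."""
    peaks = find_bulk_queriers(lines)
    ratios = distinct_ratio(lines)
    return {c: {"peak": n, "distinct_ratio": round(ratios[c], 2)}
            for c, n in peaks.items() if ratios[c] >= MIN_DISTINCT_RATIO}


def constructed_log():
    """Synthetic log (constructed for this example): a scripted client sending 800
    unique prompts in 40 minutes, a normal office user, and a client that keeps
    retrying one identical prompt 600 times."""
    base = datetime(2025, 2, 10, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(800):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} scripted-client Classify support record {i} and explain why")
    for i in range(12):
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} office-user Draft a reply to ticket {i}")
    for i in range(600):
        t = base + timedelta(seconds=4 * i)
        lines.append(f"{t.isoformat()} retry-loop Translate this sentence to French")
    return lines


if __name__ == "__main__":
    for client, info in flag_suspects(constructed_log()).items():
        print(f"review {client}: peak {info['peak']} requests/hour, "
              f"distinct-prompt ratio {info['distinct_ratio']}")
```

Running the script flags only `scripted-client`: `retry-loop` exceeds the volume threshold too, but its distinct-prompt ratio is close to zero, so it is left for ordinary rate limiting rather than treated as a probing attempt. In practice the same two features would be computed per API key or per organisation, and the review step would be a human or a stricter quota rather than an automatic block.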
Hultquist warned that as more and more companies train customized large models containing internal sensitive data, the potential harm of model distillation attacks will keep growing: the business insights and core knowledge that a company has accumulated over years could be extracted gradually through such means.
