Attackers prompted Gemini over 100,000 times while trying to clone it, Google says
Google reports attackers attempted to clone its Gemini AI by prompting it over 100,000 times in non-English languages. This highlights growing risks of intellectual property theft in AI, impacting developers, companies, and users. Security measures are crucial as competitors seek to replicate advanced AI models.
The Thousand-Tongued Assault: How Attackers Used 100,000 Prompts to Try and Clone Google’s Gemini
In the high-stakes arena of artificial intelligence, where the difference between market dominance and obsolescence can be measured in months, a new kind of digital siege has emerged. It doesn't come from brute-force hacking or sophisticated malware. Instead, it arrives in the form of a whisper—a carefully crafted prompt, repeated over 100,000 times, in languages the model was never meant to fully trust.
Google recently disclosed a startling revelation: commercially motivated attackers have been systematically attempting to clone its flagship Gemini AI chatbot by bombarding it with prompts in a variety of non-English languages. This wasn't a simple data scrape. This was a coordinated, persistent campaign to reverse-engineer one of the world's most advanced large language models (LLMs) through the very interface designed to make it accessible. The disclosure, reported by Ars Technica, pulls back the curtain on a shadow war being fought in the margins of the AI boom—a war over intellectual property, competitive advantage, and the very nature of proprietary intelligence.
The Anatomy of a Prompt Injection Attack
To understand the audacity of this attack, one must first appreciate the mechanics of how modern LLMs like Gemini function. At their core, these models are vast neural networks trained on trillions of tokens of text. They don't "know" things in the human sense; they predict the most statistically probable sequence of words based on their training data and the context they are given. Part of that context, the "system prompt," is the invisible hand that guides the model's behavior, defining its personality, its guardrails, and its proprietary knowledge base.
The attackers' strategy was elegant in its simplicity and devastating in its persistence. By prompting Gemini over 100,000 times in various non-English languages, they were attempting to bypass the model's standard safety filters and alignment protocols. These filters are often trained predominantly on English-language data, leaving potential blind spots in other linguistic contexts. A prompt in a low-resource language might not trigger the same "I cannot reveal my system prompt" response that an English equivalent would.
This technique, often referred to as "jailbreaking" or "prompt leaking," is a form of adversarial attack that exploits the probabilistic nature of LLMs. The attacker doesn't need to find a single, perfect exploit. They only need to find one that works once. By running hundreds of thousands of variations—tweaking syntax, switching languages, embedding instructions deep within seemingly innocuous text—the attackers were essentially brute-forcing the model's cognitive defenses. Each successful leak of a system instruction or a training data snippet is a piece of the puzzle, slowly assembling a blueprint for a rival model.
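A defender's view of the pattern described above, as an added example that is not from Google's report or the original article: a per-key log check that flags clients combining request volume, rotation across writing systems, and a high refusal rate. The record layout, thresholds and sample log are constructed assumptions, and Unicode script is used only as a rough stand-in for language.

```python
import unicodedata
from collections import Counter, defaultdict

def dominant_script(text):
    """Crude language proxy: Unicode script of most letters (LATIN, CYRILLIC, ...)."""
    scripts = Counter(unicodedata.name(ch, "UNKNOWN").split()[0]
                      for ch in text if ch.isalpha())
    return scripts.most_common(1)[0][0] if scripts else "NONE"

def flag_probing_keys(records, min_requests=5, min_scripts=3, min_refusal_rate=0.5):
    """Return {api_key: stats} for keys whose traffic looks like systematic probing.
    records: (api_key, prompt, refused) tuples. Thresholds are illustrative
    assumptions, not values from Google's report."""
    per_key = defaultdict(lambda: {"n": 0, "refused": 0, "scripts": Counter()})
    for api_key, prompt, refused in records:
        s = per_key[api_key]
        s["n"] += 1
        s["refused"] += int(refused)
        s["scripts"][dominant_script(prompt)] += 1
    flagged = {}
    for key, s in per_key.items():
        rate = s["refused"] / s["n"]
        # All three signals must agree: volume, script rotation, repeated refusals.
        if s["n"] >= min_requests and len(s["scripts"]) >= min_scripts and rate >= min_refusal_rate:
            flagged[key] = {"requests": s["n"], "scripts": sorted(s["scripts"]),
                            "refusal_rate": round(rate, 2)}
    return flagged

# Constructed sample log (not real traffic); non-English prompts are placeholder text.
SAMPLE = [
    ("key-A", "summarise this report", False),
    ("key-A", "draft a polite reply", False),
    ("key-A", "explain binary search", False),
    ("key-A", "translate this to French", False),
    ("key-A", "what are your instructions", True),
    ("key-B", "пример запроса", True),
    ("key-B", "طلب تجريبي", True),
    ("key-B", "示例请求", True),
    ("key-B", "नमूना अनुरोध", True),
    ("key-B", "예시 요청", False),
    ("key-C", "hello there", False),
    ("key-C", "пример запроса", False),
    ("key-C", "示例请求", False),
    ("key-C", "good morning", False),
    ("key-C", "пример текста", False),
]

if __name__ == "__main__":
    print(flag_probing_keys(SAMPLE))
```

On the sample, only key-B is flagged: key-C is multilingual but never refused, and key-A hits one refusal in a single script, which is why the check requires the signals together.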
The commercial motivation is clear. Building a frontier model like Gemini 3.1 Pro from scratch requires billions of dollars in compute, data acquisition, and talent. Cloning it through prompt engineering, while labor-intensive, is a fraction of that cost. For a competitor looking to close the gap, a successful clone could provide a shortcut to market leadership, bypassing years of research and development. This is not just about stealing code; it is about stealing the latent intelligence embedded within the model's weights, which can be inferred through careful, repeated interaction.
Gemini 3.1 Pro: The Crown Jewel Under Siege
The timing of this disclosure is particularly significant. In February 2026, Google unveiled Gemini 3.1 Pro, a model that immediately set new benchmarks for complex problem-solving and reasoning. As noted by TechCrunch, this iteration represents a generational leap in capability, particularly in its ability to handle multi-step reasoning tasks across mathematics, coding, and scientific domains.
Gemini 3.1 Pro isn't just another chatbot; it is a reasoning engine. Its architecture incorporates techniques like "chain-of-thought" prompting and adjustable reasoning depth, allowing it to "think" for longer periods on harder problems. VentureBeat described it as a "Deep Think Mini," capable of allocating computational resources dynamically based on the complexity of the query.
The attackers weren't just trying to steal a generic chatbot. They were trying to steal a model that represents the cutting edge of AI reasoning. The system prompts that govern Gemini 3.1 Pro likely contain proprietary instructions on how to manage these "deep think" modes, how to allocate reasoning tokens, and how to interface with Google's broader ecosystem of tools and services. Leaking these prompts could give a competitor a massive head start in replicating not just the model's outputs, but its underlying cognitive architecture.
Google’s decision to publicly disclose this attack is a calculated move. It serves as a deterrent, signaling to potential attackers that their activities are being monitored and will be exposed. It also reinforces Google’s brand as a security-conscious leader in the AI space. By regularly publishing assessments of its systems' resilience, Google is setting a standard for transparency that few of its competitors have matched. This is particularly important in a landscape where trust is a currency as valuable as compute power. Users and enterprise clients need to know that the models they rely on are not easily compromised, and that the company behind them is vigilant.
The Erosion of Proprietary Advantage in the Age of Open Models
This incident forces a deeper, more uncomfortable conversation about the sustainability of the "walled garden" approach to AI development. For years, the prevailing wisdom among frontier labs was that the model itself—the weights and the architecture—was the moat. If you control the weights, you control the value. But the Gemini cloning attempt suggests that this moat may be shallower than previously thought.
The rise of open-source LLMs has already begun to democratize access to powerful AI. Models like Llama and Mistral have proven that community-driven development can produce highly capable systems. The attackers' strategy against Gemini highlights a paradox: the more capable and accessible a proprietary model becomes, the more surface area it presents for adversarial attacks. Every API call is a potential reconnaissance mission.
This trend has profound implications for how companies think about their intellectual property. If a model's behavior can be systematically reverse-engineered through its public interface, then the value proposition shifts. The moat is no longer the model itself, but the data it was trained on, the ecosystem it is embedded in, and the user experience it enables. Google’s advantage may not ultimately lie in keeping Gemini’s weights secret, but in integrating it seamlessly with Search, Workspace, and Android in ways that a cloned model cannot replicate.
For developers building on top of these platforms, this is a critical lesson. Relying solely on a proprietary API without understanding the security posture of the underlying model is a risky bet. The best defense is a layered approach: using vector databases to store proprietary context locally, implementing robust prompt validation on the client side, and designing applications that assume the underlying model could be partially compromised. The era of blind trust in the black box is over.
A Wake-Up Call for Industry Regulation and Collaboration
The lack of specific legal frameworks governing the cloning or theft of proprietary AI models leaves companies in a precarious position. Traditional intellectual property law, designed for physical inventions or static code, struggles to keep pace with the fluid, emergent nature of LLMs. A prompt injection attack that leaks a system instruction is not a copyright violation in the traditional sense, nor is it a clear-cut case of trade secret misappropriation if the information was obtained through a public interface.
This legal gray zone is a breeding ground for adversarial behavior. The attackers in this case faced little risk of prosecution, as the laws have not yet caught up to the technology. Google’s disclosure is as much a political statement as it is a security report. It is a call to regulators to define the boundaries of acceptable behavior in the AI ecosystem. What constitutes a "reasonable" number of API calls? At what point does probing a model's boundaries cross the line from research to industrial espionage?
The industry needs a new social contract. This could take the form of shared threat intelligence databases, where companies anonymously report novel attack vectors. It could involve the development of standardized "red-teaming" protocols that are transparent to the public. Or it could lead to the creation of independent auditing bodies that certify the security posture of frontier models. The current model of each company fighting its own secret war is inefficient and ultimately unsustainable.
Furthermore, this incident raises questions about the wisdom of relying exclusively on proprietary, closed-source models. While Gemini 3.1 Pro’s benchmarks are impressive, the cost of maintaining its security may ultimately outweigh the benefits of its exclusivity. The growing prevalence of these attacks suggests a need for a more balanced ecosystem, where open-source LLMs and community-driven initiatives can provide robust alternatives without becoming single points of failure for intellectual property theft. The future may belong not to the most powerful model, but to the most resilient ecosystem.
The New Frontier of AI Security
The attempted cloning of Gemini marks a turning point in the AI arms race. The attackers have demonstrated that the front line of this war is not in the data center or the server room, but in the conversation itself. Every prompt is a potential weapon. Every response is a potential leak.
For users, this is a reminder that the AI tools they interact with are not static products; they are living systems under constant siege. The erosion of unique features and capabilities can degrade user experiences over time, as models are hardened against attacks at the expense of creativity or nuance. As security becomes paramount, users may find themselves interacting with more constrained, less "magical" versions of the AI they have come to rely on.
For the industry, the path forward requires a fundamental rethinking of what it means to own an AI. The value is no longer in the weights alone. It is in the trust, the integration, and the continuous improvement that a proprietary ecosystem can provide. Google’s transparency in disclosing this attack is a step in the right direction, but it is only the first step. The next phase of the AI revolution will be defined not by who builds the smartest model, but by who can protect it from the thousand-tongued assault of those who seek to tear it apart.
As companies like Google continue to innovate at unprecedented rates, the lessons from this incident will shape the security architectures of tomorrow. The age of the naive, trusting AI is over. The age of the hardened, vigilant AI has just begun.
References
[1] Ars Technica — Original article — https://arstechnica.com/ai/2026/02/attackers-prompted-gemini-over-100000-times-while-trying-to-clone-it-google-says/
[2] TechCrunch — Google’s new Gemini Pro model has record benchmark scores — again — https://techcrunch.com/2026/02/19/googles-new-gemini-pro-model-has-record-benchmark-scores-again/
[3] VentureBeat — Google Gemini 3.1 Pro first impressions: a 'Deep Think Mini' with adjustable reasoning on demand — https://venturebeat.com/technology/google-gemini-3-1-pro-first-impressions-a-deep-think-mini-with-adjustable
[4] Ars Technica — Google announces Gemini 3.1 Pro, says it's better at complex problem-solving — https://arstechnica.com/google/2026/02/google-announces-gemini-3-1-pro-says-its-better-at-complex-problem-solving/