Stolen Google Gemini API Key Abuse Triggers $82K in Unauthorized Cloud Charges
A small three-person software team reported that a stolen Google Cloud/Gemini API key was abused to run up $82,314.44 in charges in roughly 48 hours, a ~455x spike from their typical $180/month spend. The attacker(s) allegedly hammered the Gemini 3 Pro Image and Gemini 3 Pro Text endpoints, and the victim stated they deleted the compromised key, disabled Gemini APIs, rotated credentials, enabled 2FA, and tightened IAM controls while opening a support case.
Both reports indicate Google support initially pointed to the cloud Shared Responsibility Model, signaling the customer may remain liable for charges tied to compromised credentials. The incident was framed as a cautionary example of how exposed or poorly-scoped API keys can become high-impact AI credentials; one report cited research indicating thousands of legacy Google API keys have been found exposed on public websites and warned that default or “Unrestricted” API key settings can enable catastrophic cost exposure unless organizations implement guardrails such as billing budgets/caps, API key restrictions (API/IP/referrer scoping), and tighter quota limits.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Victim files FBI cybercrime report
The affected user reported filing a cybercrime complaint with the FBI and planned to provide logs as evidence of credential theft and API abuse. The filing was part of an effort to support the dispute and seek possible goodwill credits from Google.
Developers open Google support case over disputed charges
Following the incident, the team contacted Google Cloud support to dispute the charges and seek relief. According to the reports, initial feedback indicated the charges would likely stand under Google's shared responsibility model.
Victim team revokes key and hardens account security
After discovering the unauthorized usage, the affected developers deleted the compromised key, disabled Gemini APIs, rotated credentials, enabled 2FA, and tightened IAM controls. These actions were taken to stop further abuse and secure the Google Cloud environment.
Attackers abuse stolen Gemini API key over 48 hours
Between 2026-02-11 and 2026-02-12, attackers used a stolen Google Cloud/Gemini API key to make large volumes of Gemini 3 Pro Image and Gemini 3 Pro Text requests. The abuse drove charges to $82,314.44, far above the victim team's usual monthly spend of about $180.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Stolen Gemini API Key Turned $180 Bill to $82000 in Two Days
cybersecuritynews.com
Open sourceGemini API key thief racks up $82,314 in charges in just two days, victim 'facing bankruptcy' - affected devs call for basic guardrails against 'catastrophic usage anomalies' | Tom's Hardware
tomshardware.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Legacy Google Cloud API Keys Gaining Unintended Access to Gemini APIs
Security researchers reported that **previously “non-secret” Google Cloud API keys** (commonly embedded in public client-side code for services like *Google Maps*, YouTube embeds, Firebase, and analytics) can **silently become usable credentials for Gemini (Generative Language API) endpoints** once the Gemini API is enabled in the same Google Cloud project. Truffle Security described this as a **privilege escalation/incorrect privilege assignment** scenario where long-exposed `AIza...` keys—originally treated as project identifiers for billing and API access control—can unexpectedly grant access to **Gemini-related data and capabilities**, including access to private AI resources (e.g., uploaded files/cached context) and **billable inference usage**, without clear developer warning or explicit re-authorization. Truffle Security’s internet-scale scanning (including Common Crawl) identified **~2,800–3,000 exposed keys** across organizations in multiple sectors (and reportedly even from Google), highlighting the practical risk of key harvesting from page source and subsequent abuse. The primary impact described is **data exposure via Gemini API access** and **cost/abuse risk** (attackers potentially generating significant charges by making API calls). Separate from the API-key issue, Google also announced a **Gemini feature update for Google Workspace** that allows Gemini to search Google Chat history (noted as *off by default*), which is a product capability announcement rather than a vulnerability disclosure.
Mar 22, 2026
Deleted Google API Keys Stayed Valid Long Enough for Continued Abuse
Aikido Security reported that standard Google Cloud API keys can continue authenticating for **up to 23 minutes after deletion**, with a median revocation delay of about 16 minutes across 10 tests. The researchers said the gap appears tied to Google’s eventually consistent backend infrastructure, producing inconsistent, region-dependent results in which repeated requests may still reach servers that accept a supposedly deleted key. The behavior was observed not only for **Gemini** access but also for other Google Cloud APIs including **BigQuery** and **Maps**, contradicting Google Cloud interface messaging that deleted keys can no longer be used immediately. Researchers warned that the post-deletion window could let attackers keep using leaked keys to access enabled services, exfiltrate uploaded files or cached Gemini conversation context, and generate substantial cloud charges, especially where automatic billing tier upgrades raise spending caps during spikes. Aikido said newer Gemini-specific API keys revoked in about a minute and service account keys in roughly five seconds, indicating faster revocation is technically feasible, but Google reportedly classified the delayed revocation as intended behavior and closed the disclosure as **"won't fix."** The firm advised defenders to treat API key deletion as a **30-minute incident-response process** and closely monitor usage after revocation.
May 22, 2026
Google Disrupts AI-Built Zero-Day Exploit Targeting 2FA in Web Admin Tool
Google Threat Intelligence Group said it disrupted what it believes is the first observed cybercriminal campaign to use AI to develop a working zero-day exploit, preventing a likely mass-exploitation event against an unnamed open-source web administration tool. The flaw was a semantic logic issue in a Python script that allowed two-factor authentication bypass with valid credentials, and Google said the exploit code showed strong signs of LLM assistance, including heavily annotated Python, educational docstrings, textbook formatting, and even a hallucinated CVSS score. Google notified the vendor before the exploit was deployed at scale, and researchers assessed with high confidence that the code was generated with meaningful help from an AI model other than Gemini. Google said the case reflects a broader shift as threat actors industrialize generative AI across the attack lifecycle, from vulnerability research and exploit validation to malware development, obfuscation, reconnaissance, and social engineering. The company linked this trend to activity from China-, North Korea-, and Russia-aligned operators, and highlighted examples including **PROMPTSPY**, an Android backdoor that used the Gemini API to interpret device interfaces and automate clicks and swipes, as well as supply-chain compromises tied to repositories associated with **Trivy**, **Checkmarx**, **LiteLLM**, and **BerriAI**. Google said it has disabled malicious Gemini-linked assets and urged organizations to harden CI/CD pipelines, protect tokens, and scrutinize AI-related dependencies and abuse infrastructure.
May 13, 2026