Model Theft and Extraction Attacks

Model theft and extraction attacks are becoming a defining security and intellectual property risk for organizations deploying AI via APIs, SaaS products, and internal platforms. In these attacks, adversaries repeatedly query an AI model, often through an API, to infer model parameters, replicate decision boundaries, or extract sensitive training data and prompts. As AI traffic grows, defenders face a core challenge: distinguishing legitimate automation from malicious extraction, particularly when attackers blend in with normal usage patterns and stolen identities.

Recent industry reporting shows scraping, a primary vector for model extraction, reached a median rate close to 20% of global traffic in 2025-2026, roughly doubling from 2022. Volumes increased 47% year-over-year and 138% since 2022. At the same time, benign and malicious automation can differ by as little as 0.5%, complicating detection in high-traffic environments. This article explains how model extraction works, why it is accelerating, and how to protect AI intellectual property and APIs with practical, layered controls.

What Are Model Theft and Extraction Attacks?

Model theft is the unauthorized replication or misuse of a model's capabilities, weights, architecture, or proprietary behavior. Model extraction is a common method of model theft where attackers send carefully crafted queries and use the outputs to approximate the target model. The objective can include:

• Stealing IP by reconstructing a functionally equivalent model or distilling it into a smaller one.

• Competitive advantage by copying a unique feature such as recommendations, pricing, or fraud scoring.

• Training data inference or extracting memorized content, particularly if the model leaks sensitive examples.

• API abuse by reselling access, building a competing service, or using the model to power downstream attacks.

How Extraction Typically Works

Most extraction campaigns follow a repeatable pattern:

1. Reconnaissance: Enumerate endpoints, rate limits, authentication, and response formats. AI-enabled adversaries increasingly automate this stage.

2. Query strategy: Generate diverse or adversarial prompts to map model behavior, including edge cases.

3. Collection and labeling: Store inputs and outputs at scale and label them for imitation learning.

4. Distillation or training: Train a substitute model to mimic outputs or infer decision boundaries.

5. Operationalization: Deploy the stolen capability, sometimes paired with credential theft or token abuse for persistent access.

Why the Threat Is Escalating in 2025-2026

Model theft and extraction attacks are rising because the same conditions that make AI products scalable also make them extractable: high-volume API access, predictable output formats, and automation-friendly interfaces.

Scraping Volumes and Sector Concentration

Scraping now represents a significant portion of internet traffic. In 2025, retail and e-commerce experienced scraping rates approaching 68% and more than 150 billion attempts globally. Tech and SaaS sectors saw median scraping rates above 40%, with volumes reaching billions of attempts. Media and travel also remain high-risk areas, with AI crawler activity concentrated in these sectors. One major retailer reportedly blocked 9.2 billion scraping attempts in December 2025 alone, illustrating how extraction-grade scraping can reach extreme scale.

Identity-Based Extraction and Token Theft

Extraction is increasingly powered by compromised identities rather than obvious botnets. Credential theft and session token abuse enable attackers to appear as valid users, access post-login endpoints, and query higher-value features. Industry reporting points to large-scale credential theft in 2025 and a surge in cookie and token theft that can bypass multi-factor authentication when attackers replay stolen sessions. Post-login compromises reportedly quadrupled to hundreds of thousands of attempts per organization. This trend is especially relevant for AI products that reserve high-fidelity outputs for authenticated tiers.

AI Agents and Attack Lifecycle Automation

Security researchers and industry leaders increasingly describe a shift toward autonomous or agentic attack tooling. The expectation is that AI agents will automate end-to-end workflows including target selection, reconnaissance, infrastructure rotation, phishing, and iterative probing of AI endpoints. This development matters because extraction is fundamentally iterative: more automation means more queries, faster refinement, and broader targeting without requiring large human teams.

AI Supply Chain Risk and Poisoned Tooling

Model theft does not only occur at the API boundary. Attackers also exploit AI supply chains through fraudulent AI tools, poisoned packages, compromised configurations, and malicious model artifacts. These routes can implant backdoors, siphon prompts and outputs, or exfiltrate API keys, enabling extraction from within the environment. High-profile cloud and SaaS incidents have demonstrated how infostealers combined with cloud credential reuse can lead to bulk data exfiltration without traditional endpoint malware.

Common Attack Scenarios Against AI APIs

1) High-Rate API Probing to Clone Model Behavior

Attackers send large query volumes to map the model, then train a substitute. This is particularly damaging for proprietary ranking, pricing, or recommendation models where the value resides in the learned behavior rather than the underlying code.

2) Low-and-Slow Extraction That Mimics Real Users

Instead of triggering rate limits, adversaries spread queries across distributed IPs, compromised accounts, and normal-looking usage windows. The narrow gap between benign and malicious automation makes basic bot detection unreliable in these scenarios.

3) Post-Login Extraction and Feature Abuse

With stolen credentials or session tokens, attackers target authenticated endpoints that return richer outputs, bulk export functions, or administrative analytics. This aligns with broader identity-based compromise trends and can result in both model theft and data theft simultaneously.

4) Training Data Leakage and Memorization Harvesting

If a model can be induced to reveal memorized sensitive content, attackers may extract personal data, proprietary documents, or source code fragments. This risk expands when prompts, conversations, or retrieved documents are logged without strong access controls.

Business Impact: Beyond IP Loss

Model theft and extraction attacks create a multi-dimensional risk profile:

• Revenue erosion: Competitors undercut pricing or replicate premium capabilities using stolen model behavior.

• Security exposure: Stolen outputs can aid phishing, fraud, or reconnaissance campaigns.

• Compliance and privacy risk: Data extraction can trigger regulatory obligations if personal or health data is exposed. Healthcare incidents have highlighted high rates of patient-data targeting and large record exposures.

• Operational strain: High-volume scraping inflates infrastructure costs and degrades API performance for legitimate users.

How to Protect AI Intellectual Property and APIs

Effective defense requires combining identity security, API hardening, model-level controls, and continuous monitoring. No single measure is sufficient, particularly as attackers automate and blend in with legitimate traffic.

API and Application-Layer Defenses

• Strong authentication and authorization: Use short-lived tokens, scoped permissions, and least-privilege access. Treat model endpoints as sensitive resources, not generic APIs.

• Rate limiting with risk scoring: Apply adaptive limits by account, token, and behavioral profile rather than IP address alone. Add burst controls and escalating friction for suspicious patterns.

• Bot management and scraping defense: Use behavioral signals such as navigation patterns, timing analysis, and device fingerprinting to detect automation. Prioritize post-login protections since many extraction attempts occur under valid sessions.

• Abuse-aware API design: Avoid returning overly rich metadata, confidence scores, or detailed intermediate outputs unless operationally required. These signals can accelerate extraction efforts.

Identity and Session Hardening

• Protect against token replay: Bind sessions to device and context where feasible, rotate tokens regularly, and detect anomalous session patterns such as impossible travel.

• Credential theft resistance: Enforce phishing-resistant multi-factor authentication where possible, monitor for credential stuffing activity, and reduce long-lived credentials in CI/CD and developer tooling.

• Centralize identity signals: Consolidate identity telemetry across applications, APIs, and cloud environments to identify cross-channel abuse patterns. Fragmented controls create blind spots that attackers exploit.

Model-Level Protections

• Output controls and privacy filters: Apply data loss prevention checks to responses for sensitive patterns, and restrict retrieval sources. Minimize logging of raw prompts and outputs, or encrypt and tightly control access to logs.

• Watermarking and provenance: Where applicable, embed detectable signals in outputs or use internal watermarking to support theft attribution and downstream enforcement.

• Query anomaly detection: Detect extraction-like patterns such as systematic input coverage, high-entropy prompt generation, repeated boundary testing, or programmatic paraphrase sweeps.

Infrastructure and Supply Chain Security

• Secure model artifacts: Control access to weights, checkpoints, and configuration files using strong secrets management and role-based access control.

• Harden pipelines: Validate dependencies, scan packages, and restrict who can publish or modify model components. Monitor for fraudulent tools and typosquatted libraries.

• Resilience planning: Assume some extraction attempts will succeed. Prepare incident response playbooks for API abuse, key rotation, and customer notification where required.

Operational Playbook: A Practical Baseline

Teams protecting production AI APIs can start with the following baseline checklist:

1. Inventory all AI endpoints, authentication methods, and data sources including retrieval systems.

2. Classify outputs by sensitivity and business value, then apply tiered access controls accordingly.

3. Instrument detailed telemetry at the per-token, per-endpoint, and per-feature level with anomaly detection tuned for extraction behaviors.

4. Enforce adaptive rate limits and bot defenses, with heightened controls after login.

5. Test using red-team style extraction simulations and prompt-based leakage assessments on a regular basis.

Skills and Training to Reduce Risk

Because model theft sits at the intersection of AI engineering and cybersecurity, organizations benefit from teams with cross-functional expertise. For internal upskilling, relevant Blockchain Council programmes include the Certified Artificial Intelligence (AI) Expert, Certified Machine Learning Expert, Certified Ethical Hacker, and Certified Cyber Security Expert certifications. Security-focused AI product teams also benefit from structured API security and cloud security training to address gaps in identity management, logging practices, and incident response readiness.

Conclusion

Model theft and extraction attacks are no longer niche research concerns. They are scaling alongside scraping, identity compromise, and AI-driven automation, with attackers using stolen credentials and tokens to extract high-value outputs while blending into normal traffic. Defending AI intellectual property and APIs requires layered controls: adaptive rate limiting, bot and scraping defense, strong identity and session protections, model-aware output safeguards, and secure supply chains. As adversaries move toward agentic, end-to-end automation, organizations that combine prevention with detection and resilience will be best positioned to protect their models, data, and competitive advantage.