[CRITICAL-BUG] Massive Overbilling by Gemini API ($9,337.48) — Google-Flagged Compromised Project, Claim Denied Despite ACCOUNT_HIJACKED Confirmation

I am posting here because I believe my case is part of the same pattern others have reported in this forum — unauthorized Gemini API charges followed by claim denials despite Google’s own security team confirming the compromise.

Background

I run a small web app (project HERO, id: gen-lang-client-0337748…). My account was compromised by unauthorized third parties who used my Gemini API key without my knowledge or consent.

Timeline

  • April 19, 2026 at 8:42 PM — Google Cloud Trust & Safety emailed me that suspicious activity was detected on project HERO violating ToS/AUP

  • April 19, 2026 at 9:26 PM — I responded within 44 minutes confirming I was rotating the API key and taking corrective action

  • April 26, 2026 — $9,337.48 in Gemini charges appeared on the project

  • April 26, 2026 — Google’s own billing anomaly system flagged the spike (expected cost: $0.02, actual: $9,337.48)

  • April 27, 2026 — I filed billing case 70628587 and unauthorized purchase claim 6024-7422-9997

  • April 27, 2026 — Google Security opened case 70377998 with official determination: ACCOUNT_HIJACKED

The Core Problem

Google’s compliance team denied my claim stating they were “unable to confirm fraudulent activity.” This directly contradicts their own security team who issued an ACCOUNT_HIJACKED determination on the same project.

Furthermore, Google’s Trust & Safety team warned me on April 19th that the project was compromised — 7 days before the charges occurred. Despite this, Google’s billing protection systems allowed a $9,337.48 spike on a project they themselves had already flagged as suspicious. Google had a duty to protect the account after their own warning.

What I provided as evidence:

  • The April 19th Trust & Safety warning email

  • My 44-minute response showing good faith action

  • The ACCOUNT_HIJACKED case 70377998

  • The known billing bug forum thread showing other users with identical Gemini image generation SKU charges

Google’s Response

Despite all this evidence, the claim was marked “Completed” with $0 refunded. I have filed a formal appeal referencing all case numbers and the ACCOUNT_HIJACKED determination.

Questions for the community:

  • Has anyone successfully appealed after an initial denial with ACCOUNT_HIJACKED confirmation?

  • Did anyone escalate beyond the compliance team to get resolution?

  • Is there a Google executive escalation path others have used?

I will attach screenshots of the Trust & Safety email, my response, and the billing anomaly alert.

Update (New Findings):

I’m now seeing multiple similar cases reported involving Gemini API billing spikes ($5k–$70k+) under suspicious or compromised usage scenarios.

In my case:
– Project was flagged by Trust & Safety BEFORE the charges
– I responded immediately and rotated keys
– Security later confirmed: ACCOUNT_HIJACKED
– Billing still denied fraud

This suggests a potential gap where compromised accounts are detected, but billing protections are not triggered.

Has anyone successfully escalated a case like this to a higher-level review or received credits?

Hi @Urielt, DM’ed you

No waiver or credit has been issued yet.

After escalation, the case is currently under active review by Google Cloud Support and their internal teams. They confirmed the investigation is still ongoing and that multiple teams are involved.

At this stage I’m waiting for the outcome of that review. I’ll update the thread once there is a final resolution.

The key issue in my case is that:

  • the project was flagged by Trust & Safety before the charges occurred

  • Security later confirmed ACCOUNT_HIJACKED

  • while the billing claim was initially denied

So the teams are now reviewing the matter together.