Urgent: Sudden ~$10k Gemini API spike in 2 days on internal project – need guidance on remediation (Cloud Billing case 71043607)

Hi everyone,

I’m looking for guidance on how to handle what appears to be unauthorized Gemini API usage that suddenly generated about 4,500–4,600 USD in Gemini charges in a single day, but resulted in over 10,000 USD in threshold charges to my card across two days. I’ve already opened a Cloud Billing case, but the impact is severe for our small startup and I want to be sure I’m following the right remediation path.

Context

  • Cloud Billing case: 71043607 (opened via Cloud Billing Support)

  • Project: internal automation project (no public or production traffic)

On May 9, 2026 (around 4pm EST) I received emails about large charges to my Google Cloud payments profile. When I checked the Cloud Billing console, I saw a sudden spike of roughly 4,500–4,600 USD in Gemini API usage on May 8, 2026 on a single internal project.

Historically, our daily spend on this billing account is effectively 0 USD, and this project is only used for internal automation experiments (e.g., n8n / Activepieces), not any customer‑facing or high‑traffic application. There is no legitimate traffic pattern on our side that would explain this level of spend.

What I observed

  • Billing → Reports (services view) shows about 4,500–4,600 USD in Gemini API charges on May 8, all tied to one internal project.

  • AI Studio / Gemini spend breakdown for that project shows all significant spend landing on May 8 across several models, with the largest components roughly:

    • Nano Banana Pro: ~2,570 USD

    • Nano Banana 2: ~1,600 USD

    • Gemini 3.1 Pro: ~2,570 USD

    • Plus smaller amounts on Nano Banana, Gemini 3.1 Flash Lite, Gemini 3 Flash, Gemini 2.5 Pro / Flash / Flash Lite, and Computer Use Preview.

  • All of this happens within a short window on May 8.

At the same time, my card has now been charged multiple times with threshold charges over two days:

  • Day 1: 500 USD, 1,000 USD, 2,000 USD, 5,000 USD

  • Day 2: additional threshold charges bringing the total threshold payments to over 10,000 USD

This is far above the ~4.5–4.6k Gemini usage currently visible in Billing → Reports. I understand there can be delays between when charges are applied and when they appear in reports, but this growing gap between usage vs total payments is very concerning.

Immediate mitigation steps

As soon as I noticed the spike, I:

  • Deleted all Gemini API keys and Generative AI API keys from the Credentials page for that project.

  • Disabled Gemini API for the project in the API & Services page (per Billing Support’s guidance).

  • Disabled billing for the project and then closed the associated Cloud Billing account to avoid any further unexpected charges while this is under investigation.

  • Audited all other projects in my organization and removed any remaining Gemini / Generative AI API keys.

  • Migrated internal workloads to Vertex AI’s native Gemini integration using service accounts, so that going forward we are not using exposed API keys at all.

Contact with support so far

  • I opened Cloud Billing case 71043607 through chat.

  • The representative confirmed the Gemini API spike on May 8, asked me to disable Gemini API on the project, and mentioned that charges can take up to ~32 hours to fully propagate in Billing reports.

  • I raised the mismatch between:

    • ~4.5–4.6k in Gemini usage showing in the console, and

    • threshold payments now totaling over 10k USD on my card.

  • I was told the issue would be escalated to product specialists and that I should expect an update in 2–5 business days.

Why I believe this is unauthorized usage

  • Our normal Gemini / AI spend on this account is negligible; this one‑day spike is several orders of magnitude above our baseline.

  • The project is not public or production‑facing; it’s used only for internal automation workflows.

  • The pattern (large, sudden burst across multiple Gemini models in a short period) does not match any of our workflows and strongly suggests a compromised Gemini/Generative AI credential, not valid application traffic.

  • We have already removed all Gemini keys and moved to service‑account‑based access in Vertex AI to prevent future exposure.

Impact

We are a small startup with historically very low Gemini and Google Cloud usage. A sudden >4.5k Gemini bill and >10k in threshold payments in under 48 hours is a serious financial shock and could materially affect the business.

What I’m asking the community / Google for

  1. From the Gemini / AI Studio team:
    Are there recommended steps or specific types of evidence (e.g., logs, IP patterns, internal hijacking flags) that I should gather and provide to Cloud Billing to help confirm this as unauthorized usage due to key compromise?

  2. Are there any Gemini‑specific internal processes for remediating and crediting charges in clear hijacking scenarios, beyond the standard Cloud Billing dispute I’ve already opened?

  3. Once the final May charges have fully propagated, what is the best way to ensure that:

    • The final invoice does not exceed the actual Gemini usage, and

    • Any excess threshold payments that remain as a credit on the billing account can be refunded back to my card, especially since the billing account is now closed?

I have screenshots of:

  • Billing → Reports showing the Gemini spike.

  • Root Cause Analysis for May 8 (actual vs expected cost).

  • Gemini model‑level spend breakdown for the project.

  • Payment transactions listing the threshold charges on both days.

I can attach redacted versions of these screenshots if helpful (with account IDs and payment details blurred).

Any guidance from the Gemini / AI Studio team or from others who have successfully handled similar incidents would be greatly appreciated. I want to make sure I am providing the right information to Cloud Billing and using the correct process to seek remediation and refund for this clearly anomalous usage.

Thank you,
Thomas
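The containment steps described in the post (delete the project's API keys, disable the Gemini API, unlink billing, then repeat the key audit across every project), as an added example that is not the author's code and not anything from Google: a Python wrapper around the gcloud CLI that builds the command plan first so it can be previewed and kept as part of the incident record, and only executes it when asked. It assumes an authenticated gcloud whose account may delete keys, disable services and unlink billing, that the Gemini API's service name is generativelanguage.googleapis.com (AI Studio keys live in a Cloud project and show up under Credentials), and that the installed SDK has `gcloud services api-keys` and `gcloud billing projects unlink`.

```python
"""Containment for a suspected leaked Gemini API key.

Added example, not from the original post. Assumes an authenticated gcloud with
permission to delete API keys, disable services and unlink billing.
"""
import json
import subprocess
from typing import Callable, Dict, List

# Service name of the Gemini API (Generative Language API).
GEMINI_SERVICE = "generativelanguage.googleapis.com"

# A runner takes gcloud arguments (without the leading "gcloud") and returns stdout.
Runner = Callable[[List[str]], str]


def run_gcloud(args: List[str]) -> str:
    """Execute gcloud and return its stdout; a non-zero exit raises CalledProcessError."""
    proc = subprocess.run(["gcloud", *args], check=True, capture_output=True, text=True)
    return proc.stdout


def list_api_keys(project: str, run: Runner = run_gcloud) -> List[str]:
    """Full resource names of every API key in the project (AI Studio keys included)."""
    out = run(["services", "api-keys", "list", f"--project={project}", "--format=json"])
    return [key["name"] for key in json.loads(out or "[]")]


def plan_containment(project: str, key_names: List[str], unlink_billing: bool) -> List[List[str]]:
    """Ordered gcloud commands for one project.

    Keys are deleted first: disabling the API alone leaves a leaked key valid, and it
    works again the moment the API is re-enabled. The key may also be unrestricted and
    usable against other enabled APIs.
    """
    plan = [
        ["services", "api-keys", "delete", name, f"--project={project}", "--quiet"]
        for name in key_names
    ]
    plan.append(["services", "disable", GEMINI_SERVICE, f"--project={project}", "--force"])
    if unlink_billing:
        # Last resort: stops all billable usage in the project, not only Gemini.
        plan.append(["billing", "projects", "unlink", project])
    return plan


def contain_project(project: str, run: Runner = run_gcloud,
                    unlink_billing: bool = False, dry_run: bool = True) -> List[List[str]]:
    """Build the plan for one project and, unless dry_run, execute it. Returns the plan."""
    plan = plan_containment(project, list_api_keys(project, run), unlink_billing)
    if not dry_run:
        for cmd in plan:
            run(cmd)
    return plan


def contain_all_projects(run: Runner = run_gcloud, unlink_billing: bool = False,
                         dry_run: bool = True) -> Dict[str, List[List[str]]]:
    """Repeat containment for every project visible to the caller (the 'audit all
    other projects' step from the post)."""
    projects = run(["projects", "list", "--format=value(projectId)"]).split()
    return {p: contain_project(p, run, unlink_billing, dry_run) for p in projects}


if __name__ == "__main__":
    # Preview first; rerun with dry_run=False once the printed plan looks right.
    for project, plan in contain_all_projects().items():
        print(f"# {project}")
        for cmd in plan:
            print("gcloud", " ".join(cmd))
```

Run it once with the default `dry_run=True` and read the printed commands before executing anything; deleted keys can be undeleted by Google for a limited window, but an unlinked billing account stops every service in the project, so leave `unlink_billing` off unless the spend is still growing.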
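For question 1 (what evidence to gather), an added triage script that is not from the post and not a Google tool: it reads Cloud Audit Log entries exported with `gcloud logging read` and produces the per-IP, per-user-agent, per-method and per-hour request counts that make a hijacked key visible, then flags hours far above the project's normal rate and caller IPs outside the set the author's own automation uses. The sample entries, their IPs (documentation ranges), user agents and the method name are constructed. It assumes Data Access audit logs were enabled for the Generative Language API before the incident; they are off by default, and without them there are no per-request entries, only aggregate traffic metrics.

```python
"""Triage of Cloud Audit Log entries for suspected Gemini API key abuse.

Added example, not from the original post. Input is what this command exports
(assumes Data Access audit logs were enabled for the service beforehand):

    gcloud logging read 'protoPayload.serviceName="generativelanguage.googleapis.com"' \
        --project=PROJECT_ID --freshness=7d --format=json > gemini-audit.json
"""
import json
import sys
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Iterable, List, Set


def _entry(ts: str, ip: str, agent: str, method: str) -> dict:
    """Build one record in the shape of an exported audit log entry (constructed)."""
    return {
        "timestamp": ts,
        "protoPayload": {
            "serviceName": "generativelanguage.googleapis.com",
            "methodName": method,
            "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": agent},
        },
    }


GENERATE_CONTENT = "google.ai.generativelanguage.v1beta.GenerativeService.GenerateContent"
# Constructed sample: two normal calls from the internal n8n host the day before,
# then a burst from an unknown address. IPs are from documentation ranges.
SAMPLE_ENTRIES = [
    _entry("2026-05-07T09:12:00Z", "203.0.113.10", "n8n", GENERATE_CONTENT),
    _entry("2026-05-07T15:40:00Z", "203.0.113.10", "n8n", GENERATE_CONTENT),
] + [
    _entry(f"2026-05-08T14:{m:02d}:00Z", "198.51.100.77", "python-requests/2.31.0", GENERATE_CONTENT)
    for m in (1, 2, 4, 7, 11, 13)
]


def _hour(ts: str) -> str:
    """Bucket an RFC 3339 timestamp to its UTC hour."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:00Z")


def summarize(entries: Iterable[dict]) -> Dict[str, Counter]:
    """Request counts by caller IP, user agent, API method and UTC hour."""
    by_ip, by_agent, by_method, by_hour = Counter(), Counter(), Counter(), Counter()
    for e in entries:
        payload = e.get("protoPayload", {})
        meta = payload.get("requestMetadata", {})
        by_ip[meta.get("callerIp", "unknown")] += 1
        by_agent[meta.get("callerSuppliedUserAgent", "unknown")] += 1
        by_method[payload.get("methodName", "unknown")] += 1
        by_hour[_hour(e["timestamp"])] += 1
    return {"by_ip": by_ip, "by_agent": by_agent, "by_method": by_method, "by_hour": by_hour}


def burst_hours(entries: List[dict], baseline_per_hour: float, factor: float = 10.0) -> List[str]:
    """Hours whose request count exceeds factor x the project's normal hourly rate."""
    by_hour = summarize(entries)["by_hour"]
    return sorted(h for h, n in by_hour.items() if n > factor * baseline_per_hour)


def unknown_sources(entries: List[dict], known_ips: Set[str]) -> List[str]:
    """Caller IPs none of your own workloads use: the first thing to hand to Billing."""
    return sorted(ip for ip in summarize(entries)["by_ip"] if ip not in known_ips)


if __name__ == "__main__":
    # python3 triage.py gemini-audit.json 203.0.113.10 ...   (no args: use the sample)
    entries = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    known = set(sys.argv[2:]) or {"203.0.113.10"}
    for name, counter in summarize(entries).items():
        print(name, counter.most_common(5))
    print("burst hours:", burst_hours(entries, baseline_per_hour=0.5))
    print("unknown caller IPs:", unknown_sources(entries, known))
```

The output to attach to the billing case is the hour-by-hour count alongside the list of caller IPs and user agents that never appear in the baseline period; together with the exact time the keys were deleted, that shows usage stopped at containment rather than on its own.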