I think I was part of a model distillation attack

marinesebastian1 pts0 comments

I think I was part of a model distillation attack - Sebastian Marines

:first-child{mt:0!}<br>_:where(pre){p:20;_r:8;_overflow:auto}<br>_:where(pre,code:not(.highlight_*)){bg:fade-2;_bg:fade-92!@dark}<br>_:where(strong,b,a,code:not(.highlight_*),mark,del){font:fade-92;_font:fade-12@dark}<br>_:where(table){width:full;_border-spacing:0}<br>_:where(td){v:baseline}<br>_:where(td,th):first-child{pl:0}<br>_:where(td,th):last-child{pr:0}<br>_:where(td,th){bb:1;solid;fade-92/.06;_p:6;_b:fade-4/.04@dark}<br>_:where(th){font:fade-78;_font:14;_text:left;_font:fade-12@dark}<br>_:where(th,p_code,li_code,a,mark){font:semibold;_font:medium@dark}<br>_:where(ul){list-style-type:disc}<br>_:where(ul,ol,blockquote){pl:1.5em}<br>_:where(video,img){max-width:full}<br>_:where(a,mark){text-underline-offset:3}<br>_:where(hr){h:2;_bg:fade-10;_bg:fade-70@dark;_my:3em}<br>">Last night I received an email from OpenAI saying that they detected inconsistent usage on one of my API keys. It was late and I was already preparing to go to sleep, so I didn&rsquo;t pay much attention to it.

But a couple of minutes after that first email, I received a second one saying I had violated the &ldquo;Prohibited Biological Use&rdquo; policy and that&rsquo;s when I really started to worry.

When I opened my OpenAI platform portal, I didn&rsquo;t see anything unusual. In fact, spend was $0, no requests showed up, so I was very confused until I opened the logs tab and saw the 114 interactions with gpt-5.5 all in quick succession, plus two stray requests from two days earlier that just said ping and pong.

I immediately went to disable the compromised API key, and found out that it was a legacy API key I had created in 2023 to use with bettergpt.chat, a UI for ChatGPT that let you bring your own key.

To be honest, I am not completely sure the leak came through that website, since they claim &ldquo;If you use your own API key, it is stored exclusively in your browser and is never shared with any third-party entity. It is used solely for the exclusive purpose of accessing the OpenAI API and not for any other unauthorized use.&rdquo; .

This was a long time ago, and I don&rsquo;t remember using that specific key for something else. So if it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck.

What my API key was used for

After making sure all my API keys were disabled, I started going through the logs, and there was a bit of everything in there. Someone was writing an audio+visual QA benchmark for an &ldquo;omni&rdquo; video model, running coding agents that build RL and benchmark environments, doing LLM-as-judge scoring, translation and quality review, PDF→Markdown OCR of Chinese textbooks, and the one task that probably set off the Prohibited Biological Use email, exporting the chains of an insulin molecule.

Most of the coding traffic came out of a repo they call ga-synthesis. In each of these conversations an agent gets dropped into a task folder and told to write the scripts that set the task up, solve it, and check the result. Here is a trimmed down one for a PyMOL task, where the agent has to export the chains of an insulin molecule.

As you answer the user's questions, you can use the following context:<br># currentDate<br>Today's date is 2026/07/10.

IMPORTANT: this context may or may not be relevant to your tasks. You should not respond to this context unless it is highly relevant to your task.

Read the environment profile at /cpfs01/data/shared/Group-m6/jiangyizhen.jyz/repos/ga-synthesis/synthesis/profiles/pymol_env_profile.json and the single task spec at /cpfs01/data/shared/Group-m6/jiangyizhen.jyz/repos/ga-synthesis/synthesis/.adv_work/pymol_env/insulin_chain_sequence_export/generator/task_spec.json. A READ-ONLY reference copy of the env's helper library is at /cpfs01/data/shared/Group-m6/jiangyizhen.jyz/repos/ga-synthesis/synthesis/.adv_work/pymol_env/insulin_chain_sequence_export/generator/task_utils.sh — open it ONLY to learn its function names/signatures. In the scripts you write, ALWAYS source it from its real VM location: `source /workspace/scripts/task_utils.sh` (NEVER source the local reference path, /tmp/, or /cpfs01/data/shared/Group-m6/jiangyizhen.jyz/repos/ga-synthesis/synthesis/.adv_work/pymol_env/insulin_chain_sequence_export/generator). Reuse its functions for all DB access (e.g. magento_query for reads AND writes: magento_query "INSERT ... ON DUPLICATE KEY UPDATE ..."). Do NOT parse env.php or build your own 'mysql -h...' command; the app/DB run in containers the host cannot reach. Write THREE files — setup_task.sh, export_result.sh, golden_solve.sh — DIRECTLY into this directory (/cpfs01/data/shared/Group-m6/jiangyizhen.jyz/repos/ga-synthesis/synthesis/.adv_work/pymol_env/insulin_chain_sequence_export/generator). export_result.sh MUST write its result JSON to the EXACT path /tmp/insulin_chain_sequence_export_result.json (the verifier reads exactly that path). Do NOT write task.json (the orchestrator builds it) and do NOT modify...

synthesis fade task dark shared write

Related Articles