
From $0 to $35,000 in 6 Hours: How an API Leak and GCP Billing Lag Broke Our Startup
1.5 Million Requests, 1 Leaked Key: How We Burned $35,000 on Gemini in 6 Hours

The "experimental phase" of a project is supposed to be the fun part. For us, as a dedicated AWS-native shop, we recently decided to branch out and test the Gemini 3.1 Pro Image model on Google Cloud Platform (GCP). We did what every fast-moving team does: linked a business card, grabbed an API key, and started building.

20 days later, we had a $35,000 bill, a panicked CEO, and a very expensive lesson in how GCP’s default quotas and billing latency work. If you are "just experimenting" with AI APIs, read this before you wake up to a five-figure surprise.

The "Perfect Storm" Timeline

The attack wasn't sophisticated, but it was relentless. Because we were experimenting, we hadn't yet applied our standard enterprise-grade security protocols to this new environment.

03:00 AM EST: An unrestricted API key is leaked (likely via a compromised development environment). An automated botnet begins hammering our Gemin
Continue reading on Dev.to



