Anthropic Just Accused DeepSeek, Moonshot AI, and MiniMax of Running a $450 Million Heist — Using 24,000 Fake Accounts

In the most detailed public accusation of AI model theft to date, Anthropic says three Chinese labs generated 16 million exchanges with Claude to systematically extract its capabilities. The distillation attacks targeted reasoning, coding, and agentic AI — and stripped out safety guardrails in the process.

The rumors had been circulating for months. Whispers in Slack channels, off-the-record conversations at AI conferences, and a growing sense of unease in Silicon Valley that something wasn’t adding up. How were Chinese AI labs releasing models that seemed to match — or even exceed — the capabilities of American frontier systems, at a fraction of the cost, in a fraction of the time, while operating under strict semiconductor export controls?

On Monday, Anthropic gave the answer. And it wasn’t subtle.

In a detailed blog post and accompanying Twitter announcement that has since racked up over 12.7 million views, the San Francisco-based AI safety company publicly accused three of China’s most prominent AI laboratories — DeepSeek, Moonshot AI, and MiniMax — of orchestrating coordinated, industrial-scale campaigns to illicitly extract capabilities from its Claude models. The method: a technique called distillation, in which a weaker model is systematically trained on the outputs of a more powerful one. The scale: over 16 million exchanges with Claude, generated through approximately 24,000 fraudulent accounts, all in violation of Anthropic’s terms of service and regional access restrictions.

“We’ve identified industrial-scale distillation attacks on our models by DeepSeek, Moonshot AI, and MiniMax,” Anthropic tweeted Monday evening. “These labs created over 24,000 fraudulent accounts and generated over 16 million exchanges with Claude, extracting its capabilities to train and improve their own models.”

The announcement is the most concrete, detailed, and legally bold public accusation of AI model theft to date. And it lands at a moment when the US is actively debating how aggressively to enforce export controls on advanced AI chips — a policy designed to slow China’s AI progress but increasingly criticized as ineffective in the face of techniques like distillation that don’t require chips at all. Just access.

The Anatomy of a Distillation Attack

Distillation, in itself, is not illegal. In fact, it’s a standard practice across the AI industry. Frontier labs like Anthropic, OpenAI, and Google routinely distill their own models to create smaller, cheaper, faster versions for commercial deployment. The technique allows a company to take a massive, expensive-to-run model like Claude 3.5 Opus and create a lightweight version like Claude 3.5 Haiku that can run on less powerful hardware while retaining much of the original’s capability.

The problem arises when competitors use the same technique to shortcut years of research and billions of dollars in investment by training their models on someone else’s outputs. And according to Anthropic, that’s exactly what happened here — systematically, at scale, and with sophisticated operational security designed to avoid detection.

Here’s how it worked.

DeepSeek generated over 150,000 exchanges with Claude, primarily targeting reasoning capabilities across diverse tasks. In one particularly revealing technique, Anthropic said DeepSeek’s prompts “asked Claude to imagine and articulate the internal reasoning behind a completed response and write it out step by step — effectively generating chain-of-thought training data at scale.” The company also observed tasks designed to generate alternatives to politically sensitive queries about dissidents, party leaders, or authoritarianism — likely training DeepSeek’s models to navigate censorship requirements while retaining sophisticated reasoning capabilities.

Moonshot AI, the Beijing-based creator of the Kimi models, conducted over 3.4 million exchanges, targeting agentic reasoning and tool use, coding and data analysis, computer-use agent development, and computer vision. Anthropic noted that Moonshot’s campaign followed the January 2026 release of its new open-source model Kimi K2.5 and a coding agent, suggesting the distillation was directly feeding into active product development.

MiniMax ran the largest operation by volume: over 13 million exchanges focused on agentic coding, advanced reasoning, and multimodal analysis. Anthropic said that when it released a new model during MiniMax’s active campaign, the company pivoted within 24 hours, with nearly half of its traffic redirected to capture capabilities from the latest system. That kind of operational agility indicates a highly organized, well-resourced effort — not a rogue researcher running experiments.

All three campaigns followed a similar playbook: fraudulent accounts, proxy services to mask origin, carefully structured prompts designed to extract specific capabilities, and traffic patterns that looked nothing like normal user behavior. Anthropic detected synchronized traffic across accounts, with identical usage patterns, shared payment methods, and coordinated timing that suggested load-balancing tactics aimed at increasing throughput, improving reliability, and avoiding detection.
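The signals listed above (shared payment methods, identical usage patterns, coordinated timing) can be combined into an account-clustering check. The sketch below is an added example, not Anthropic's detection system; the log fields, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations
from math import sqrt

def build_sample_log():
    """Constructed records: (account, payment_fingerprint, time_bucket, prompt_shape)."""
    log = []
    # Coordinated accounts: two share a payment method, three share a traffic profile.
    fleet = [("acct-01", "pay-A", 0), ("acct-02", "pay-A", 12),
             ("acct-03", "pay-B", 0), ("acct-04", "pay-C", 0)]
    for i, (acct, pay, start) in enumerate(fleet):
        for bucket in range(start, start + 12):
            log += [(acct, pay, bucket, "shape-cot")] * (5 + (bucket + i) % 2)
    # Organic users: low volume, irregular timing, unrelated payment methods.
    organic = [("user-77", "pay-X", 1, "shape-chat", 2), ("user-77", "pay-X", 7, "shape-chat", 1),
               ("user-88", "pay-Y", 3, "shape-code", 4), ("user-99", "pay-Z", 2, "shape-cot", 1)]
    for acct, pay, bucket, shape, n in organic:
        log += [(acct, pay, bucket, shape)] * n
    return log

class DisjointSet:
    """Union-find used to merge accounts linked by any signal."""
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def cosine(u, v):
    """Cosine similarity of two sparse count vectors stored as dicts."""
    dot = sum(count * v.get(key, 0) for key, count in u.items())
    norm = sqrt(sum(c * c for c in u.values())) * sqrt(sum(c * c for c in v.values()))
    return dot / norm if norm else 0.0

def find_clusters(log, sim_threshold=0.9, min_requests=20, min_size=3):
    """Return account groups linked by shared payment or near-identical traffic."""
    profiles = defaultdict(lambda: defaultdict(int))  # account -> {(bucket, shape): count}
    by_payment = defaultdict(set)
    for acct, pay, bucket, shape in log:
        profiles[acct][(bucket, shape)] += 1
        by_payment[pay].add(acct)
    links = DisjointSet()
    # Signal 1: accounts funded by the same payment fingerprint.
    for accts in by_payment.values():
        first, *rest = sorted(accts)
        for other in rest:
            links.union(first, other)
    # Signal 2: synchronized timing and prompt shape. Low-volume accounts are
    # skipped because a handful of requests gives no meaningful profile.
    # Pairwise comparison is quadratic; it is kept here only for clarity.
    busy = sorted(a for a, p in profiles.items() if sum(p.values()) >= min_requests)
    for a, b in combinations(busy, 2):
        if cosine(profiles[a], profiles[b]) >= sim_threshold:
            links.union(a, b)
    groups = defaultdict(set)
    for acct in profiles:
        groups[links.find(acct)].add(acct)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)

if __name__ == "__main__":
    for cluster in find_clusters(build_sample_log()):
        print("suspected coordinated accounts:", cluster)
```

Neither signal alone links all four accounts in the sample: acct-02 is tied in only by its payment method, and acct-03 and acct-04 only by their traffic profile.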

The Proxy Problem: How They Got Access

Here’s the part that makes this particularly hard to stop: Anthropic emphasized that it does not provide commercial access to Claude in China, nor to subsidiaries of the companies located outside the country. So how did DeepSeek, Moonshot, and MiniMax generate 16 million exchanges with a model they’re not supposed to have access to?

The answer: commercial proxy services.

These are third-party platforms that resell access to frontier AI models at scale, operating what Anthropic describes as “Hydra cluster architectures” — sprawling networks of fraudulent accounts that distribute traffic across third-party APIs and cloud platforms. In one case, a single proxy network managed more than 20,000 fraudulent accounts simultaneously and mixed distillation traffic with unrelated customer requests to complicate detection.

It’s a cat-and-mouse game. Anthropic blocks accounts. The proxy service spins up new ones. Anthropic detects traffic patterns. The proxy service changes routing. Anthropic implements rate limits. The proxy service spreads requests across more accounts. And all the while, the distillation continues.

The $450 Million Question: How Much Did This Cost?

Anthropic hasn’t disclosed the financial value of the capabilities extracted, but the math is instructive.

Training a frontier AI model from scratch costs somewhere between $100 million and $1 billion, depending on the model’s size, the data used, and the compute infrastructure. Reinforcement learning from human feedback (RLHF) — the process that refines a base model into something useful — can add tens of millions more. And that’s before you factor in the cost of safety testing, red-teaming, and deploying the infrastructure to serve the model at scale.

Distillation collapses that timeline and cost structure. Researchers at UC Berkeley recreated OpenAI’s reasoning model for $450 in 19 hours. Researchers at Stanford and the University of Washington built their own version in 26 minutes for under $50 in compute credits. The startup Hugging Face replicated OpenAI’s Deep Research feature as a 24-hour coding challenge.

If a single researcher can replicate a frontier model for $450, what can a well-funded Chinese AI lab with thousands of accounts and millions of API calls accomplish? The answer, according to Anthropic, is: a lot. Enough to leapfrog years of research and emerge with models that can compete with — or exceed — American systems, without spending anything close to what those American systems cost to develop.

Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and co-founder of CrowdStrike, told TechCrunch he’s not surprised. “Anthropic and other U.S. companies build systems that prevent state and non-state actors from using AI to, for example, develop bioweapons or carry out malicious cyber activities,” he said. Models built through illicit distillation strip out those safeguards entirely.

The Safety Guardrails That Got Stripped Out

This is where the accusation moves from intellectual property theft to national security threat.

Anthropic, OpenAI, Google, and other US-based AI labs invest enormous resources into safety testing. They red-team their models to identify failure modes. They implement constitutional AI frameworks to align model behavior with human values. They refuse to answer certain categories of questions — how to build bioweapons, how to conduct cyberattacks, how to manipulate elections — because those capabilities, in the wrong hands, are catastrophic.

“Anthropic and other U.S. companies build systems that prevent state and non-state actors from using AI to, for example, develop bioweapons or carry out malicious cyber activities,” reads Anthropic’s blog post. “Models built through illicit distillation are unlikely to retain those safeguards, meaning that dangerous capabilities can proliferate with many protections stripped out entirely.”

That’s not hypothetical. Anthropic directly observed DeepSeek generating prompts designed to elicit alternatives to censored queries about political dissidents and authoritarianism. Those outputs weren’t for academic research. They were training data, designed to teach DeepSeek’s models how to navigate politically sensitive topics in ways that satisfy the Chinese government’s censorship requirements while retaining the underlying reasoning capabilities that make the model useful.

Anthropic pointed to authoritarian governments deploying frontier AI for things like “offensive cyber operations, disinformation campaigns, and mass surveillance,” a risk that is multiplied if those models are open sourced.

And that’s exactly what happened. DeepSeek openly released a family of distilled models on Hugging Face — including versions built on top of Qwen and Llama architectures — under the permissive MIT license. The model card explicitly states that the DeepSeek-R1 series supports commercial use and allows for any modifications and derivative works, “including, but not limited to, distillation for training other LLMs.”

Which means that the capabilities Anthropic spent years and hundreds of millions of dollars developing, and carefully safety-tested to prevent misuse, are now available to anyone with an internet connection. No safety guardrails. No usage restrictions. No accountability.

The Export Control Debate Just Got a Lot More Complicated

The timing of Anthropic’s announcement is not accidental. The disclosure lands in the middle of a heated Washington debate over how strictly to enforce export controls on advanced AI chips.

Last month, the Trump administration formally allowed US companies like Nvidia to export advanced AI chips (like the H200) to China, loosening restrictions that had been in place under the Biden administration. The rationale: export controls were hurting American companies without meaningfully slowing Chinese AI progress, since Chinese labs were finding workarounds anyway.

Anthropic’s blog post is a direct rebuke to that logic. “Distillation attacks therefore reinforce the rationale for export controls: restricted chip access limits both direct model training and the scale of illicit distillation,” per Anthropic’s blog.

The argument goes like this: Yes, Chinese labs can use distillation to extract capabilities from American models without needing cutting-edge chips. But scaling that distillation to industrial levels — 16 million exchanges, 24,000 fraudulent accounts, real-time adaptation to new model releases — still requires significant compute infrastructure. Anthropic says that the scale of extraction DeepSeek, MiniMax, and Moonshot performed “requires access to advanced chips.”

Chris Klein, Anthropic’s Head of Policy, told Fox News that while distillation can work without frontier chips, the scale and sophistication observed here suggest access to more compute than export controls should allow. “If you think about how you stay ahead in the AI race, compute is one piece of that,” Klein said. “But increasingly reinforcement learning is critical. Distillation allows you to extract those capabilities.”

The implication is clear: export controls on chips alone are insufficient. If Chinese labs can systematically extract the capabilities developed through RLHF using distillation, then chip access controls need to be paired with tighter API access restrictions, better detection systems, and international coordination to shut down the proxy services that enable this kind of attack.

OpenAI and Google: “Yeah, Us Too”

Anthropic’s disclosure wasn’t the first shot fired in this fight. It was just the loudest.

On February 12, OpenAI sent a memo to the House Select Committee on the Chinese Communist Party alleging that DeepSeek systematically “stole” its intellectual property through large-scale distillation. According to OpenAI, DeepSeek employees used third-party routers and masking techniques to bypass geographic access restrictions and harvest outputs from ChatGPT.

That same day, Google’s Threat Intelligence Group warned of “distillation attacks” targeting its Gemini models, with campaigns using more than 100,000 prompts aimed at replicating Gemini’s reasoning abilities. Google attributed the activity to “private-sector companies” as well as state-aligned actors.

Together with Anthropic’s disclosure, the pattern is unmistakable: American AI labs are being systematically targeted by Chinese competitors using distillation to leapfrog research timelines and replicate capabilities at a fraction of the cost.

The difference is that Anthropic named names, published technical details, and attributed the attacks to specific labs using IP correlations, metadata, infrastructure indicators, and corroboration from industry partners. That level of public attribution is rare in cybersecurity circles and almost unprecedented in the AI industry, where companies are typically reluctant to publicly accuse competitors of theft for fear of escalation or reputational blowback.

Anthropic went public anyway. And the message was clear: this is not a problem any single company can solve alone.

The Coordinated Response That Hasn’t Happened Yet

Anthropic emphasized that “no single company can solve this alone. Distillation attacks on this scale require a coordinated response from the entire AI industry, cloud providers, and policymakers.”

The company has implemented several defensive measures:

  • Detection systems: Classifiers and behavioral fingerprinting to identify distillation attack patterns in API traffic
  • Intelligence sharing: Exchange of technical indicators with other AI labs, cloud providers, and authorities
  • Enhanced access controls: Stronger verification for educational accounts, security research programs, and startup organizations
  • Product and API countermeasures: Modifications to reduce the effectiveness of model outputs for illicit distillation

But those defenses are reactive. They make attacks harder, slower, and more expensive. They don’t stop them.

What Anthropic is calling for — and what the industry has so far failed to deliver — is a coordinated, proactive strategy that involves:

  1. Cloud providers: AWS, Azure, and Google Cloud need to actively monitor for proxy services reselling AI model access at scale and shut them down.
  2. Payment processors: Visa, Mastercard, and payment platforms need to flag suspicious patterns of API purchases that suggest coordinated account creation.
  3. AI labs: OpenAI, Anthropic, Google, and others need to share threat intelligence in real-time, not weeks or months after detection.
  4. Policymakers: The US government needs to treat API access to frontier models as a strategic resource subject to export controls, not just an open commercial service.
  5. International coordination: The G7, NATO, and other alliances need frameworks for attributing and responding to state-sponsored AI theft.

None of that exists yet. And in the absence of coordination, Chinese labs will keep running distillation campaigns, proxy services will keep spinning up new accounts, and the capabilities American companies spend billions developing will keep leaking across the Pacific.

The DeepSeek Problem That Won’t Go Away

DeepSeek has become the poster child for this debate, and for good reason.

The lab burst into global prominence in January 2025 with the release of its R1 reasoning model, which appeared to match or approach the performance of OpenAI’s o1 and Anthropic’s Claude 3.5 Opus at a dramatically lower training cost. The model’s release triggered a brief market panic — Nvidia’s stock dropped, questions swirled about whether American AI dominance was sustainable, and the term “distillation” entered the mainstream tech vocabulary.

DeepSeek is now expected to release DeepSeek V4, its latest model, which reportedly can outperform Claude and ChatGPT in coding benchmarks. If true, that would represent another leap forward in just over a year — a pace that, absent distillation, would be nearly impossible given the compute and data requirements of frontier model development.

Anthropic’s accusations make the timeline make sense. If DeepSeek has been systematically extracting capabilities from Claude, ChatGPT, and Gemini for months — generating hundreds of thousands of high-quality reasoning traces, coding examples, and agentic AI demonstrations — then its rapid progress isn’t a miracle of Chinese engineering efficiency. It’s the result of systematic intellectual property theft at scale.

Databricks CEO Ali Ghodsi captured the industry’s anxiety back in January 2025, telling CNBC: “This distillation technique is just so extremely powerful and so extremely cheap, and it’s just available to anyone. I think this is going to usher in an era of intense competition.”

He was right. The question is whether that competition will be fair — or whether it will be a race where one side spends billions on R&D and the other side just copies the homework.

What Happens Next

Anthropic has made the accusation. The industry is watching. The US government is paying attention. And the three accused labs — DeepSeek, Moonshot AI, and MiniMax — have yet to respond publicly. TechCrunch, Fox News, and multiple other outlets have reached out for comment and received nothing.

Silence is a strategy. Denial would invite technical scrutiny. Admission would invite sanctions. So the likely play is to say nothing, let the news cycle move on, and keep building.

But the genie is out of the bottle now. Anthropic has published the playbook, named the actors, and called for coordinated action. OpenAI and Google have confirmed similar attacks. And Washington is waking up to the fact that export controls on chips are meaningless if Chinese labs can just extract the capabilities they need through API calls.

The next few months will determine whether this moment becomes a turning point — or just another data point in the long, frustrating history of American technology being systematically reverse-engineered, copied, and deployed by competitors who didn’t pay to develop it.

For Anthropic, the stakes are existential. If frontier AI capabilities can be freely extracted through distillation, then there’s no moat. No competitive advantage. No reason to invest billions in safety research and responsible deployment when competitors can strip out the safety guardrails and deploy the capabilities anyway.

For the industry, the stakes are similar. The entire economic model of frontier AI development depends on being able to monetize the capabilities you develop. If those capabilities leak in real-time through systematic distillation, the business model collapses.

And for the world, the stakes are even higher. If authoritarian governments can deploy frontier AI capabilities without the safety guardrails that prevent bioweapon design, cyberattack planning, and mass surveillance, then the race to AGI becomes a race to weaponization.

Anthropic just sounded the alarm. Whether anyone actually acts on it remains to be seen.


