Anthropic says DeepSeek, Moonshot, and MiniMax used 24,000 fake accounts to rip off Claude
Source: VentureBeat
Anthropic Accuses Three Chinese AI Labs of Large‑Scale Model Distillation
Anthropic dropped a bombshell on the artificial‑intelligence industry Monday, publicly accusing three prominent Chinese AI laboratories—DeepSeek, Moonshot AI, and MiniMax—of orchestrating coordinated, industrial‑scale campaigns to siphon capabilities from its Claude models using tens of thousands of fraudulent accounts.
The San Francisco‑based company said the three labs collectively generated more than 16 million exchanges with Claude through approximately 24 000 fake accounts, all in violation of Anthropic’s terms of service and regional access restrictions. The campaigns, Anthropic said, are the most concrete and detailed public evidence to date of a practice that has haunted Silicon Valley for months: foreign competitors systematically using a technique called distillation to leapfrog years of research and billions of dollars in investment.
“These campaigns are growing in intensity and sophistication,” Anthropic wrote in a technical blog post published Monday.
“The window to act is narrow, and the threat extends beyond any single company or region. Addressing it will require rapid, coordinated action among industry players, policymakers, and the global AI community.”
The disclosure marks a dramatic escalation in the simmering tensions between American and Chinese AI developers—and it arrives at a moment when Washington is actively debating whether to tighten or loosen export controls on the advanced chips that power AI training. Anthropic, led by CEO Dario Amodei, has been among the most vocal advocates for restricting chip sales to China, and the company explicitly connected Monday’s revelations to that policy fight.
How AI Distillation Went from Obscure Research Technique to Geopolitical Flashpoint
What is distillation?
- Teacher model – a larger, more powerful AI.
- Student model – a smaller, more efficient AI that learns from the teacher’s outputs (answers, reasoning patterns, behaviors) rather than raw data.
- When done correctly, the student can achieve performance remarkably close to the teacher while requiring a fraction of the compute to train.
Anthropic itself acknowledges that distillation is “a widely used and legitimate training method.” Frontier AI labs, including Anthropic, routinely distill their own models to create smaller, cheaper versions for customers.
When distillation becomes a weapon
A competitor can:
- Pose as a legitimate customer.
- Bombard a frontier model with carefully crafted prompts.
- Collect the outputs.
- Use those outputs to train a rival system—capturing capabilities that took years and hundreds of millions of dollars to develop.
The technique’s rise to prominence
- January 2025 – DeepSeek released its R1 reasoning model, which appeared to match or approach the performance of leading American models at dramatically lower cost.
- Databricks CEO Ali Ghodsi (CNBC):
“This distillation technique is just so extremely powerful and so extremely cheap, and it’s just available to anyone.”
He predicted an era of intense competition for large language models.
Notable replication efforts
- UC Berkeley – recreated OpenAI’s reasoning model for $450 in 19 hours.
- Stanford & University of Washington – built their own version in 26 minutes for under $50 in compute credits.
- Hugging Face – replicated OpenAI’s Deep Research feature as a 24‑hour coding challenge.
- DeepSeek – openly released a family of distilled models on Hugging Face (including versions built on Qwen and Llama architectures) under the permissive MIT license. The model card states that the DeepSeek‑R1 series supports commercial use and allows “any modifications and derivative works, including, but not limited to, distillation for training other LLMs.”
Anthropic’s Detailed Allegations
Scale of the fraud
- 16 million fraudulent exchanges traced to DeepSeek, Moonshot, and MiniMax.
- Attribution “with high confidence” via:
  - IP‑address correlation
  - Request metadata
  - Infrastructure indicators
  - Corroboration from unnamed industry partners observing the same actors on their platforms
Targeted capabilities
Anthropic says the campaigns focused on Claude’s most differentiated strengths:
- Agentic reasoning
- Tool use
- Coding
DeepSeek’s operation (the most technically sophisticated)
- >150 000 exchanges with Claude.
- Prompts targeted:
  - Reasoning capabilities
  - Rubric‑based grading tasks designed to make Claude function as a reward model for reinforcement learning
  - Creation of “censorship‑safe alternatives to policy‑sensitive queries” (a detail likely to draw political attention)
Anthropic alleges that DeepSeek:
- Generated synchronized traffic across accounts with identical patterns, shared payment methods, and coordinated timing—suggesting load‑balancing to maximize throughput while evading detection.
- Employed a technique where prompts asked Claude to imagine and articulate the internal reasoning behind a completed response and write it out step‑by‑step, effectively generating a detailed “thought trace” that could be harvested for training a rival model.
Bottom line
Anthropic’s disclosure paints a picture of well‑resourced commercial laboratories operating under the jurisdiction of the Chinese government, conducting deliberate, covert, and large‑scale intellectual‑property extraction from frontier AI systems. The allegations raise urgent questions for:
- Industry – how to detect and block coordinated abuse of API services.
- Policymakers – whether to tighten export controls on AI‑enabling hardware.
- The global AI community – how to safeguard the massive investments that underpin cutting‑edge models while preserving legitimate research and open‑source collaboration.
Distillation Campaigns Targeting Anthropic’s Claude
DeepSeek – the largest campaign by volume
- Generated over 15 million exchanges (≈ 55 % of total traffic).
- Focused on agentic reasoning, tool use, coding, and data analysis.
- Employed “hundreds of fraudulent accounts spanning multiple access pathways,” making detection difficult.
- Anthropic traced the activity to specific researchers at DeepSeek via request metadata.
- Notably, DeepSeek attempted to generate alternatives to politically sensitive queries (e.g., “dissidents, party leaders, or authoritarianism”) to train its own models to steer conversations away from censored topics.
Moonshot AI – second‑largest operation
- Produced over 3.4 million exchanges.
- Targeted agentic reasoning & tool use, coding & data analysis, computer‑use agent development, and computer vision.
- Used a network of “hundreds of fraudulent accounts spanning multiple access pathways,” obscuring coordination.
- Metadata matched the public profiles of senior Moonshot staff, allowing Anthropic to attribute the campaign.
- In a later phase, Moonshot adopted a more targeted approach, “attempting to extract and reconstruct Claude’s reasoning traces.”
MiniMax – least publicly known but most prolific
- Accounted for over 13 million exchanges (≈ ¾ of total traffic).
- Focused on agentic coding, tool use, and orchestration.
- Detected while still active, before MiniMax released the model it was training, giving Anthropic “unprecedented visibility into the life cycle of distillation attacks.”
- When Anthropic launched a new model during MiniMax’s campaign, MiniMax pivoted within 24 hours, redirecting nearly half its traffic to capture capabilities from the latest system.
How Proxy Networks and “Hydra Cluster” Architectures Bypassed Anthropic’s China Ban
Anthropic does not offer commercial access to Claude in China for national‑security reasons.
The workaround, according to Anthropic, involved commercial proxy services that resell Claude access at scale.
- These services run what Anthropic calls “hydra cluster” architectures – sprawling networks of fraudulent accounts that distribute traffic across Anthropic’s API and third‑party cloud platforms.
- “The breadth of these networks means that there are no single points of failure.” When one account is banned, another takes its place.
- In one instance, a single proxy network managed more than 20 000 fraudulent accounts simultaneously, mixing distillation traffic with unrelated customer requests to make detection harder.
The description points to a mature, well‑resourced infrastructure ecosystem dedicated to circumventing access controls, likely serving many more clients than the three labs named by Anthropic.
Why Anthropic Framed Distillation as a National‑Security Crisis, Not Just an IP Dispute
Anthropic presented the issue as more than a terms‑of‑service violation:
“Illicitly distilled models lack necessary safeguards, creating significant national‑security risks.”
Key arguments:
- Illicitly distilled models are unlikely to retain safety guardrails built into American systems (e.g., protections against bioweapon development, cyber‑attacks, mass surveillance).
- Foreign labs could feed unprotected capabilities into military, intelligence, and surveillance systems, enabling authoritarian governments to deploy frontier AI for offensive cyber operations, disinformation campaigns, and mass surveillance.
Connection to Chip Export‑Control Debate
- In a January 2025 essay, Dario Amodei argued that export controls are “the most important determinant of whether we end up in a unipolar or bipolar world.”
- He previously took a neutral stance on reports of distillation from Western models, stating he would “just take DeepSeek at their word.”
- The new disclosure marks a sharp departure: Anthropic now claims distillation attacks undermine export controls by allowing foreign labs (including those under CCP control) to close the competitive advantage that export controls aim to preserve.
- Anthropic asserts that without visibility into these attacks, rapid advancements by Chinese labs are misinterpreted as evidence that export controls are ineffective, when in fact they may be largely the result of stolen American capabilities.
The Murky Legal Landscape Around AI Distillation
Anthropic’s decision to frame the issue as a national‑security matter rather than a legal dispute likely reflects the limited recourse offered by intellectual‑property law.
- A March 2025 analysis by Winston & Strawn noted: “The legal landscape surrounding AI distillation is unclear and evolving.”
- Proving a copyright claim in this context is challenging because it remains uncertain whether the output of a distilled model constitutes a derivative work of the source model.
Consequently, Anthropic has opted to highlight the national‑security implications, positioning the problem within a broader policy debate rather than relying solely on uncertain IP litigation.
AI‑Generated Outputs and Copyright
- Human authorship requirement – The U.S. Copyright Office affirmed in January 2025 that copyright protection requires human authorship.
- Prompt‑only limitation – “Mere provision of prompts does not render the outputs copyrightable.”
Ownership Complications
- OpenAI’s Terms of Use – Assign ownership of model outputs to the user.
- Even if a company proves extraction occurred, it may not hold copyrights over the extracted data.
- Winston & Strawn noted: “Even if OpenAI can present enough evidence to show that DeepSeek extracted data from its models, OpenAI likely does not have copyrights over the data.”
- Anthropic’s outputs – The same logic would almost certainly apply.
Contract Law as a More Viable Path
- Anthropic’s Terms of Service – Prohibit systematic extraction.
- Breach of contract – A clearer legal claim than copyright infringement.
- Enforcement challenges – Entities may operate through proxy services, fraudulent accounts, and foreign jurisdictions.
Why Anthropic Chose a National‑Security Frame
- Positioning distillation attacks as threats to export‑control regimes and democratic security gives policymakers tools (sanctions, entity‑list designations, enhanced export restrictions) that far exceed what civil litigation can achieve.
What Anthropic’s Distillation Crackdown Means for Every Frontier‑AI Company
Defensive Measures
- Classifiers & behavioral fingerprinting – Detect distillation‑attack patterns in API traffic (e.g., chain‑of‑thought elicitation used to build reasoning training data).
- Technical‑indicator sharing – Collaborating with other AI labs, cloud providers, and relevant authorities to create a holistic view of the distillation landscape.
- Stronger verification – For educational accounts, security‑research programs, and startup organizations—the pathways most commonly exploited for fraudulent accounts.
- Model‑level safeguards – Reduce the usefulness of outputs for illicit distillation without degrading the experience for legitimate customers.
“No company can solve this alone.” – Anthropic calls for coordinated action across industry, cloud providers, and policymakers.
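The coordination signals described in the allegations (shared payment methods, identical prompt patterns, synchronized timing) and the behavioral fingerprinting listed above can be combined into a simple account-clustering check. The following is an added example, not Anthropic's classifier or code from the article; the log fields, the 60-second bucket, the 0.6 overlap threshold and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample API log: (account, payment fingerprint, prompt-template hash, unix time).
LOG = [(a, p, t, ts) for a, p, t, times in [
    ("acct-01", "pay-A", "tmpl-7", (1000, 1060, 1120)),
    ("acct-02", "pay-A", "tmpl-7", (1005, 1065, 1125)),  # shares payment with acct-01
    ("acct-03", "pay-B", "tmpl-7", (1010, 1070, 1130)),  # same template, same timing
    ("acct-04", "pay-C", "tmpl-9", (1002, 1062)),        # same timing, unrelated prompts
    ("acct-05", "pay-D", "tmpl-7", (5000, 9000)),        # same template, unrelated timing
] for ts in times]

def account_features(log, bucket=60):
    """Per account: payment fingerprints, prompt templates, active time buckets."""
    feats = defaultdict(lambda: {"pay": set(), "tmpl": set(), "buckets": set()})
    for acct, pay, tmpl, ts in log:
        feats[acct]["pay"].add(pay)
        feats[acct]["tmpl"].add(tmpl)
        feats[acct]["buckets"].add(ts // bucket)
    return feats

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def linked(f1, f2, min_overlap=0.6):
    """Linked if the accounts share a payment method, or send the same
    prompt template in largely the same time buckets."""
    if f1["pay"] & f2["pay"]:
        return True
    same_template = bool(f1["tmpl"] & f2["tmpl"])
    return same_template and jaccard(f1["buckets"], f2["buckets"]) >= min_overlap

def coordinated_clusters(log, min_size=3):
    """Union-find over linked account pairs; return clusters of at least min_size."""
    feats = account_features(log)
    parent = {a: a for a in feats}
    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path compression
            a = parent[a]
        return a
    for a, b in combinations(sorted(feats), 2):
        if linked(feats[a], feats[b]):
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for a in feats:
        groups[find(a)].add(a)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)
```

Requiring both a shared template and overlapping timing keeps ordinary customers who happen to be active in the same minute (acct-04) out of the cluster, which matters when coordinated traffic is mixed with unrelated requests.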
Policy Ripple Effects
- Congress – The bipartisan No DeepSeek on Government Devices Act has been introduced.
- Federal agencies – NASA and others have banned DeepSeek from employee devices.
- Chip export‑control debate – The Trump administration’s ongoing deliberations (amid pressure from Nvidia and national‑security hawks) now have a vivid new data point.
Immediate Implications for Technical Decision‑Makers
- Scale of the threat – If Anthropic’s account is accurate, the proxy infrastructure enabling attacks is vast, sophisticated, and adaptable, targeting any frontier AI lab with an API.
- Shift in mindset – Treating model access as a simple commercial transaction is ending; API security is becoming as strategically important as the model weights themselves.
Looking Ahead
Anthropic has now put names, numbers, and forensic detail behind accusations that were previously whispered about for months. Whether that evidence galvanizes the coordinated response the company seeks—or simply accelerates an arms race between distillers and defenders—may hinge on a single question no classifier can answer:
Will Washington view this as an act of espionage or just the cost of doing business in an era where intelligence itself has become a commodity?