Anthropic accuses three rival AI labs—DeepSeek, Moonshot, and MiniMax—of industrial-scale theft of its Claude model's capabilities, according to Anthropic News. The company alleges these labs generated over 16 million exchanges with Claude through approximately 24,000 fraudulent accounts, violating terms of service and regional access restrictions. This illicit activity employed "distillation," a technique where a less capable model is trained on the outputs of a stronger one.
While model distillation is a legitimate method for creating smaller, more efficient AI versions, its use by competitors to acquire advanced capabilities rapidly and cheaply is deemed illicit. Anthropic reports these campaigns are escalating in sophistication, posing a threat beyond any single company.
National Security Risks and Export Controls
Illicitly distilled models often lack crucial safeguards. Anthropic warns this could enable state and non-state actors to develop bioweapons or conduct malicious cyber activities, as protections built into US models would be stripped away. Foreign labs could then integrate these unprotected capabilities into military, intelligence, and surveillance systems, empowering authoritarian regimes with frontier AI for offensive operations, disinformation, and mass surveillance.
These distillation attacks also undermine US export controls designed to maintain America's AI leadership. Foreign labs, including those tied to the Chinese Communist Party, can circumvent these controls, giving the false impression of rapid independent advancement. Anthropic argues this reinforces the need for chip export controls, as restricted access limits both direct model training and the scale of illicit distillation.
Targeted Campaigns and Methods
Anthropic detailed three distinct campaigns, attributing each with high confidence through IP correlation, metadata, and infrastructure indicators. Each targeted Claude’s most differentiated capabilities: agentic reasoning, tool use, and coding.
- DeepSeek: Over 150,000 exchanges focused on reasoning, rubric-based grading (to function as a reward model), and generating censorship-safe alternatives for politically sensitive queries. Prompts were designed to elicit chain-of-thought data, tracing internal reasoning.
- Moonshot AI: Over 3.4 million exchanges targeted agentic reasoning, tool use, coding, data analysis, and computer vision. The campaign used hundreds of fraudulent accounts across multiple pathways, later attempting to reconstruct Claude’s reasoning traces.
- MiniMax:1 Over 13 million exchanges concentrated on agentic coding and tool use. Detected while active, this campaign pivoted within 24 hours to capture capabilities from Anthropic's latest model release, offering insight into the attack lifecycle.
Labs circumvented Anthropic's China access restrictions using commercial proxy services. These services operate "hydra cluster" architectures—sprawling networks of fraudulent accounts that distribute traffic across Anthropic’s API and third-party cloud platforms, making detection difficult. Prompts were meticulously crafted to extract specific capabilities, often generating high-quality responses for direct training or tasks for reinforcement learning.
Anthropic's Response
Anthropic is investing in defenses, including classifiers and behavioral fingerprinting systems to identify distillation patterns and coordinated account activity. The company is sharing technical indicators with other AI labs, cloud providers, and authorities to build a holistic threat picture. Access controls for educational and research accounts have been strengthened, and product, API, and model-level safeguards are being developed to reduce the efficacy of illicit distillation without impacting legitimate users.
The company stresses that no single entity can solve this alone, calling for rapid, coordinated action among industry, policymakers, and the global AI community.
