When Anthropic released a new Claude model earlier this year, MiniMax redirected nearly half its distillation traffic to the updated system within 24 hours. Not days. Not a week. Hours. The Chinese AI lab had been running 13 million prompts through thousands of fake accounts. When the new model dropped, MiniMax pivoted like a bulk buyer at a warehouse liquidation. Get the fresh stock before someone checks your membership card.
That detail, buried in Anthropic's Monday blog post, tells you something the headline numbers miss. Three Chinese labs. Sixteen million exchanges. Something like 24,000 fraudulent accounts. Those figures read like a security disclosure. They are one.
But Anthropic's decision to name DeepSeek, Moonshot AI, and MiniMax publicly landed on February 23, exactly eleven days after OpenAI sent its own distillation memo to the House Select Committee on the Chinese Communist Party. Google's Threat Intelligence Group dropped a parallel report that same day, documenting over 100,000 prompts targeting Gemini's reasoning capabilities. Three American AI companies disclosed distillation campaigns across eleven days. Anthropic didn't just share technical findings. It published a blog post that reads like a policy brief. Sections on export controls. National security implications. The whole package. If the timing is a coincidence, nobody in Washington will treat it as one.
The attacks are real. So is the choreography.
The Argument
- Anthropic named three Chinese labs running 16 million extraction prompts through 24,000 fake accounts
- The disclosure landed 11 days after OpenAI's memo to Congress, during the H200 export control debate
- Distillation is the same technique every major US lab has used internally or benefited from
- The API business model that generates revenue is the same mechanism that enables extraction
Export controls lock the front door while the API window stays open
Washington has spent years trying to slow China's AI development by restricting access to advanced training chips. First the H100s, then the H200s, each round of Nvidia silicon locked behind export licenses. The logic was direct: starve Chinese labs of top-tier compute and they can't train competitive frontier models.
Then last month, the Trump administration formally approved H200 sales to China, loosening the restrictions that Anthropic now argues matter most. That decision, and the lobbying battle around it, is the context you need to understand why Anthropic chose a public blog post over quiet legal enforcement.
Jacob Klein runs threat intelligence at Anthropic. He made the connection explicit in comments to Fox News Digital. "If you think about how you stay ahead in the AI race, compute is one piece of that," Klein said. "But increasingly reinforcement learning is critical. Distillation allows you to extract those capabilities."
Read that carefully. Klein sounds less like someone briefing reporters on a security incident and more like someone making a policy argument. Export controls locked the front door by restricting chips. But distillation walks through the open window, extracting the reinforcement learning that sharpens frontier models, while those same models sit openly accessible through paid APIs.
"We view this as larger than Anthropic," Klein added. He suggested that publicly naming the labs could prompt "thoughtful government action."
The scale of the three campaigns varied. DeepSeek generated over 150,000 exchanges, focusing on reasoning capabilities and rubric-based grading tasks that effectively turned Claude into a reward model for reinforcement learning. Moonshot accounted for 3.4 million exchanges spread across agentic reasoning, tool use, and coding. MiniMax dwarfed both at 13 million exchanges, concentrated almost entirely on agentic coding and tool orchestration. Anthropic traced accounts to specific researchers at the labs through request metadata matching public profiles of senior staff.
Anthropic raised $30 billion at a $380 billion valuation. It holds a $200 million prototype agreement with the Department of Defense. Claude operates on classified networks through partners like Palantir. War Secretary Pete Hegseth is actively negotiating terms for military use of Claude with CEO Dario Amodei.
The company looks emboldened, leaning into its defense credentials at a moment when it needs Washington to feel anxious about Chinese AI progress. Neither the timing of this disclosure nor its intended audience is accidental.
The technique every major lab has used
Silicon Valley has a credibility problem with this one.
Distillation, training a smaller model on the outputs of a larger one, is among the most common techniques in machine learning. Anthropic uses it internally. OpenAI built GPT-4o Mini by distilling GPT-4o. DeepSeek published six distilled versions of its R1 model in the open. The legal line between "legitimate" and "illicit" distillation rests entirely on terms of service agreements that no court has tested.
The industry's own record does not help. Google's Bard team got caught in 2023 reportedly using ChatGPT outputs scraped from ShareGPT to train its chatbot. Researcher Jacob Devlin warned leadership this violated OpenAI's terms of service, then quit and joined OpenAI. Google denied the claim but reportedly stopped using the data.
Join 10,000+ AI professionals
Strategic AI news from San Francisco. No hype, no "AI will change everything" throat clearing. Just what moved, who won, and why it matters. Daily at 6am PST.
No spam. Unsubscribe anytime.
DeepSeek itself has been careful about the practice. In a research paper updated in September, the company said it used only plain webpages and ebooks during late-stage pretraining of its flagship V3 model. But it acknowledged those pages contained "a significant number of OpenAI-model-generated answers." The company said its base model might have acquired knowledge from other powerful models "indirectly" by drawing on such webpages. Draw your own conclusions.
None of this started last week. A Stanford team proved the concept in 2023 with a model called Alpaca. They ran 52,000 GPT-3.5 outputs through Meta's open-source LLaMA and spent $600 total. The knockoff passed for ChatGPT in casual testing. No model's capabilities can be fully protected once accessible through an API. When xAI launched Grok later that year, the chatbot cited "OpenAI's use case policy" when refusing requests. The company blamed accidental web scraping. Few in the AI community bought it.
None of this excuses what Anthropic documented. Running 24,000 fraudulent accounts and generating 16 million exchanges is organized extraction at industrial scale, not a researcher testing boundaries. One detail makes it worse. Anthropic found that DeepSeek used Claude to generate safe alternatives to politically sensitive queries about dissidents, party leaders, and authoritarianism. The goal was likely training DeepSeek's own models to steer conversations away from censored topics. That goes beyond commercial competition into territory that genuinely warrants the national security framing.
But an industry claiming moral authority over a technique it built itself on carries a credibility problem. The policy conversation will eventually have to reckon with that.
The business model is the attack surface
The deeper tension Anthropic can't acknowledge publicly is structural. The same API access that generates revenue is the mechanism that enables extraction. Sell intelligence by the prompt, and a determined buyer will purchase sixteen million of them.
Anthropic describes what it calls "hydra cluster" architectures, proxy networks managing over 20,000 fraudulent accounts simultaneously and mixing distillation traffic with legitimate customer requests. In one case, a single proxy network routed requests across Anthropic's API and third-party cloud platforms with no single point of failure. Kill one account and two more pop up behind it. Anthropic's enforcement team knows this math. The countermeasures Anthropic outlines represent genuine investment. Behavioral fingerprinting. Chain-of-thought detection. Strengthened verification. All of it will make extraction harder and more expensive.
They won't make it impossible. Klein acknowledged as much. "There isn't an immediate silver bullet to stop all of these," he said.
Think about what that means if you work in or invest in this industry. The entire business model for frontier AI depends on selling access at scale. Enterprise customers and startups alike query the same systems through the same interfaces. The practical difference between a legitimate enterprise running three million coding prompts and Moonshot AI running 3.4 million coding prompts comes down to behavioral patterns. Not architecture.
Anthropic's blog promises "model-level safeguards designed to reduce the efficacy of model outputs for illicit distillation, without degrading the experience for legitimate customers." That's an engineering aspiration. Every countermeasure that poisons outputs for suspected distillers risks degrading quality for power users running similar workloads at similar volumes. The window that lets in paying customers also lets in everyone else.
The scoreboard after the disclosure
Anthropic's policy team wins immediately. The disclosure lands during the export control debate, and Klein's language about "thoughtful government action" signals this was part of the calculation from the start.
CrowdStrike co-founder Dmitri Alperovitch captured the hawkish response in comments to TechCrunch. "This should give us even more compelling reasons to refuse to sell any AI chips to any of these companies," Alperovitch said. From distillation disclosure to chip embargo in one sentence. That's the policy leap the report was built to enable.
The named labs absorb immediate reputational damage. Moonshot is seeking a $10 billion valuation. MiniMax went public in Hong Kong in January. Being tagged in a national security disclosure by a $380 billion company with Pentagon contracts changes the calculus for international investors and partners. Those companies now look exposed in a way that no press statement can reverse.
But Anthropic included a detail that barely registered in the coverage. It found no evidence the Chinese government directly coordinated the campaigns. The labs appear to have acted as commercial competitors, not state agents. Proxy services that resell access to American AI models operate openly in China, mixing distillation traffic from Chinese labs with unrelated customer requests from around the world. That distinction matters legally. It will barely register in the political conversation now gaining momentum.
If Washington begins treating distillation as a national security vector alongside chip access, the policy response could reach into mandatory usage monitoring, API restrictions for designated regions, and model-level access limitations. Each carries costs for the companies pushing the agenda. Anthropic needs the window open for paying customers. It just wants the government to help decide who gets to climb through.
Twenty-four hours
MiniMax spotted a new Claude model launch and redirected its extraction operation overnight. That speed works as a threat metric for Anthropic's security team. It also functions as market feedback. The gap between American frontier models and their Chinese competitors has narrowed to the point where a single model release is worth pivoting half your infrastructure to capture.
Anthropic published its report as a warning to Washington. The three named labs, if they are paying attention, should read it differently.
It's confirmation.
Frequently Asked Questions
What is AI model distillation?
Training a smaller model on outputs from a larger one. The student model learns to replicate the teacher's behavior without access to the original training data or architecture. Cost and compute requirements drop dramatically.
Is distillation illegal?
No court has tested it. Current enforcement relies on terms of service agreements, not legislation. Anthropic's case rests on fraudulent account creation and ToS violations, not a specific anti-distillation law.
How did Anthropic identify the Chinese labs?
Request metadata from the fake accounts matched public profiles of senior researchers at DeepSeek, Moonshot AI, and MiniMax. Anthropic also traced hydra cluster proxy networks managing thousands of accounts simultaneously.
Why did DeepSeek use Claude for censorship training?
Anthropic found DeepSeek generated safe responses to politically sensitive queries about dissidents and party leaders. The likely goal was training its own models to steer conversations away from censored topics in China.
Could Anthropic just block Chinese IP addresses?
Proxy services openly resell API access from China, mixing distillation traffic with legitimate international requests. Geographic blocking would miss the proxy networks and hurt legitimate overseas customers.
