IMPLICATOR
OpenAI, Anthropic, and Google have started passing each other data on adversarial distillation, working through the Frontier Model Forum, Bloomberg reported Monday. The three built that nonprofit with Microsoft in 2023. Chinese AI labs have fired millions of fraudulent queries at US frontier models. They take what comes back and train rival systems on it. Cheaper to operate by orders of magnitude. The practice bleeds Silicon Valley of billions a year, US officials have estimated.
Key Takeaways
- OpenAI, Anthropic, and Google are sharing attack data through the Frontier Model Forum to detect adversarial distillation from Chinese AI labs
- Anthropic documented 16 million fraudulent exchanges from DeepSeek, Moonshot AI, and MiniMax through 24,000 fake accounts
- Chinese AI models now cost 14 times less than US counterparts and surpassed US models in global API call volume for the first time in February
- The cooperation faces antitrust uncertainty while Chinese developers recently gained access to Anthropic's leaked Claude Code source
AI-generated summary, reviewed by an editor. More on our AI guidelines.
Three rivals, one threat
OpenAI, Anthropic, and Google slug it out on pricing, talent, and government contracts. The three barely talk. Distillation forced them into the same room.
Anthropic documented the scale in February. Three Chinese labs, DeepSeek, Moonshot AI, and MiniMax, generated over 16 million exchanges with Claude through roughly 24,000 fraudulent accounts. MiniMax alone ran 13 million of those queries using what Anthropic called "hydra cluster" networks of more than 20,000 concurrent accounts. When Anthropic released a new model, MiniMax redirected nearly half its traffic to the updated system within 24 hours. Automated surveillance, not casual scraping.
Google's Threat Intelligence Group reported a parallel surge. One campaign targeting Gemini's reasoning engine produced over 100,000 prompts designed to coerce the model into revealing its full chain-of-thought traces. Google said it detected the attempt in real time and deployed countermeasures to protect its reasoning traces.
OpenAI told the House Select Committee on China in February that DeepSeek employees had written code to access US AI models programmatically, using obfuscated third-party routers to mask their origin. A year ago, the main tactic was prompting models to spit out their reasoning traces. The pipelines have grown since. Now they combine synthetic data generation with reinforcement optimization, running at a scale that barely needs human oversight.
Borrowing the cybersecurity playbook
The setup borrows from cybersecurity, where companies have swapped attack data through Information Sharing and Analysis Centers for decades. Block one firm's API, and the attacker walks to the next provider.
OpenAI made the case in its congressional memo. "It is not enough for any one lab to harden its protection because adversaries will simply default to the least protected provider," the company wrote. The Trump administration appears receptive. Its AI Action Plan called for an information-sharing center modeled on the ISAC framework, partly to address distillation.
But the program sits in legal limbo. The companies aren't sure what antitrust law actually lets them exchange, and nobody in Washington has clarified. The attacks scale at machine speed. The rulebook barely moves.
Get Implicator.ai in your inbox
Strategic AI news from San Francisco. No hype, no "AI will change everything" throat clearing. Just what moved, who won, and why it matters. Daily at 6am PST.
No spam. Unsubscribe anytime.
The price gap behind the theft
The economics explain why distillation persists. Chinese open-weight models already cost a fraction of their American counterparts. MiniMax M2.5 charges $1.10 per million tokens. Anthropic's Claude Sonnet charges $15 for the same volume. A 14-to-1 gap.
That pricing difference has reshaped global adoption. OpenRouter data from February showed Chinese AI models surpassing US models in global API call volume for the first time. By late February, Chinese models reached 5.16 trillion tokens compared with 2.7 trillion for American providers. Four of the top five models by call volume were Chinese. And nearly half of OpenRouter's users sit in the United States, meaning American developers themselves are choosing the cheaper option.
If you build the most capable model but price it at 14 times the competition, distillation stops being espionage and starts being economics.
An accidental gift
The timing carries its own edge. Days before Bloomberg's report, Anthropic accidentally shipped the source code of Claude Code, over 512,000 lines, inside a routine software package. A security researcher spotted it. Within 48 hours the post on X had 33 million views. Chinese developers scrambled to download and analyze the files despite Anthropic's ban on serving mainland China.
The leak did not include model weights or training data. But it handed Chinese engineers a detailed look at the architecture, memory systems, and anti-distillation mechanisms Anthropic was building to keep them out. The company that labeled China an "adversarial nation" found itself exposed, having provided a technical blueprint. For free.
What comes next
The Frontier Model Forum collaboration is a starting point, not a fix. All three labs have published evidence of distillation campaigns, but none has demonstrated how much of China's AI progress actually depends on stolen capabilities. That may not matter. Chinese models were closing the performance gap before the allegations surfaced. Open-weight releases from Alibaba and ByteDance continue at speed.
The real test arrives when DeepSeek releases its expected next model. If it matches US frontier performance, the conversation shifts from whether distillation happened to whether stopping it matters. Three companies sharing threat data won't answer that question.
Frequently Asked Questions
What is adversarial distillation in AI?
Adversarial distillation is when a third party uses fraudulent accounts to query a proprietary AI model at scale, then uses the outputs to train a competing model. It differs from legitimate distillation, where companies create smaller versions of their own models. US labs allege Chinese firms like DeepSeek, Moonshot AI, and MiniMax have used this technique without authorization.
What is the Frontier Model Forum?
The Frontier Model Forum is an industry nonprofit co-founded by OpenAI, Anthropic, Google, and Microsoft in 2023 to address AI safety and responsibility. It now also serves as a channel for the three US labs to share intelligence on distillation attacks targeting their models.
How much does adversarial distillation cost US AI companies?
US officials estimate unauthorized distillation costs Silicon Valley labs billions of dollars in annual profit. Chinese models trained through distillation operate at a fraction of the cost, with MiniMax charging $1.10 per million tokens versus Anthropic's $15 for the same volume.
Which Chinese labs are accused of adversarial distillation?
Anthropic identified DeepSeek, Moonshot AI, and MiniMax. Together they generated over 16 million exchanges with Claude through roughly 24,000 fraudulent accounts. MiniMax ran the largest campaign with 13 million exchanges using hydra cluster networks of 20,000 concurrent accounts.
Why is anti-distillation cooperation between US labs limited?
The companies say they are uncertain what antitrust law lets them share. Without clearer government rules, the scope of information-sharing through the Frontier Model Forum remains narrow despite the scale of the threat from Chinese AI labs.
AI-generated summary, reviewed by an editor. More on our AI guidelines.
Harkaram Grewal
Freelance correspondent reporting on the India-U.S.-Europe AI corridor and how AI models, capital, and policy decisions move across borders. Covers enterprise adoption, supply chains, and AI infrastructure deployment. Based in New Delhi.
