Anthropic on Monday accused three Chinese AI laboratories of running coordinated campaigns to extract capabilities from its Claude models, generating more than 16 million exchanges through roughly 24,000 fraudulent accounts. The three labs named in Anthropic's blog post are DeepSeek, Moonshot AI, and MiniMax.
The technique at issue is called distillation: feeding carefully crafted prompts to a stronger model, collecting its outputs, and using those outputs to train a weaker one. Frontier labs do this to their own models all the time. What makes these campaigns different, according to Anthropic, is that competitors used it to replicate capabilities they didn't build, at a fraction of the cost, while circumventing regional access restrictions that bar commercial Claude use in China.
MiniMax did the heavy lifting
The three campaigns varied wildly in scale. DeepSeek accounted for just over 150,000 exchanges, a relatively modest number focused on reasoning tasks and chain-of-thought elicitation. Moonshot AI (the company behind the Kimi models) ran about 3.4 million exchanges targeting agentic reasoning, coding, and computer vision. But MiniMax dwarfed both with more than 13 million exchanges aimed at agentic coding and tool use.
That lopsided distribution is worth noting. DeepSeek gets most of the headlines in Washington, but if Anthropic's numbers are accurate, MiniMax was running a data extraction operation roughly 85 times larger. Anthropic says it caught MiniMax mid-campaign, before the model it was training had shipped, giving the company what it called "rare real-time visibility into the life cycle of distillation attacks." When Anthropic released a new Claude model during the active campaign, MiniMax pivoted within 24 hours, redirecting nearly half its traffic to the fresh system.
Some of the DeepSeek tactics were particularly notable. Anthropic observed prompts that asked Claude to reverse-engineer its own reasoning process, essentially generating synthetic chain-of-thought training data on demand. Other prompts had Claude produce censorship-friendly alternatives to politically sensitive queries about dissidents, party leaders, and authoritarianism. The implication: DeepSeek was using an American model to help its own system dodge the topics Beijing prefers to suppress. Anthropic says it traced the accounts to specific researchers at the lab through request metadata.
The plumbing behind it
All three labs accessed Claude through what Anthropic calls "hydra cluster" architectures: networks of proxy services that resell API access to frontier models and distribute traffic across thousands of fraudulent accounts. One proxy network managed more than 20,000 accounts simultaneously, mixing distillation requests with unrelated customer traffic to obscure the pattern. When accounts get banned, replacements appear almost immediately.
A single distillation prompt looks benign on its own. Anthropic shared an approximate example: a request for an expert data analyst to deliver insights "grounded in real data and supported by complete and transparent reasoning." Send that once and nobody blinks. Send variations of it tens of thousands of times across hundreds of coordinated accounts, all targeting the same narrow capability, and you have what Anthropic considers a clear extraction campaign.
Attribution came from IP address correlation, request metadata, infrastructure indicators, and (in Anthropic's telling) corroboration from industry partners who observed the same actors on their own platforms. Moonshot was attributed partly through metadata matching the public profiles of senior staff. MiniMax's timing was confirmed against its public product roadmap.
Why Anthropic is framing this as national security
Anthropic could have made a straightforward intellectual property argument. It didn't. The company's position on export controls has been consistently hawkish, and this disclosure slots neatly into that stance.
The core argument: distilled models don't carry the safety guardrails that American labs build into their systems. Strip those guardrails, and you get frontier capabilities available for offensive cyber operations, disinformation, or surveillance without the constraints US labs have spent years developing. If those distilled models get open-sourced, the risk compounds.
There's a policy angle here that Anthropic is pushing aggressively. The company argues that rapid progress by Chinese labs is sometimes cited as proof that export controls don't work, but that argument collapses if the progress partly depends on capabilities extracted from American models. "Distillation attacks therefore reinforce the rationale for export controls," the blog post states, because running extraction at scale still requires serious compute, and restricting chip access limits both direct training and the scale of distillation.
Dmitri Alperovitch, CrowdStrike co-founder and chairman of the Silverado Policy Accelerator, told TechCrunch the disclosure should strengthen the case against chip exports. The timing is pointed: the Trump administration recently allowed Nvidia to sell H200 processors to China, a move that critics in the national security establishment have been pushing back on.
Not just Anthropic's problem
OpenAI sent a memo to House lawmakers on February 12 making similar allegations about DeepSeek, claiming it used third-party routers and masking techniques to harvest ChatGPT outputs. Google's Threat Intelligence Group published its own AI Threat Tracker the same day, describing distillation campaigns against Gemini involving more than 100,000 prompts. Google attributed the activity to "private-sector companies" and state-aligned actors but declined to name names.
So all three major US frontier labs are now publicly flagging the same problem within a two-week window. That's either a coordinated disclosure strategy or three companies independently concluding the situation has gotten bad enough to talk about openly. Either way, the message to Washington is clear.
What Anthropic can't say
What's conspicuously absent from the blog post is any quantification of how much the distilled models actually improved. Fox News, which obtained the report ahead of publication, quoted an Anthropic representative saying the capability gains were "meaningful" and "substantial," but acknowledging the company can't precisely measure them. That's an important gap. Sixteen million exchanges sounds alarming, but without knowing what fraction produced useful training signal versus noise, the severity is hard to assess from the outside.
The legal path forward is also murky. As VentureBeat noted, copyright law may not cover model outputs, and enforcing terms-of-service violations against entities operating through proxy networks in foreign jurisdictions is a different kind of challenge entirely. That probably explains why Anthropic chose the national security frame over a purely legal one: policymakers have tools (sanctions, entity lists) that contract law doesn't offer.
Anthropic says it has deployed behavioral detection classifiers, strengthened account verification, started sharing intelligence with industry peers and authorities, and is developing model-level countermeasures to degrade output quality for distillation without affecting legitimate users. None of the three named labs have publicly responded to the allegations.
