US-based AI firm Anthropic has blasted three prominent Chinese laboratories for conducting what it described as “industrial-scale campaigns” to extract the capabilities of its Claude model illicitly.

In a detailed public statement, Anthropic said it had “identified industrial-scale campaigns by three AI laboratories, including DeepSeek, Moonshot, and MiniMax, to extract Claude’s capabilities to improve their own models illicitly”.

According to the company, the three labs generated “over 16 million exchanges with Claude through approximately 24,000 fraudulent accounts, in violation of our terms of service and regional access restrictions”.

Distillation: standard practice or exploitation?

At the centre of the allegations is a technique known as distillation, in which a smaller or less capable model is trained on the outputs of a more advanced one. Anthropic acknowledged that distillation is a common and legitimate practice, commenting in the statement, “Frontier AI labs routinely distil their own models to create smaller, cheaper versions for their customers.”

However, the company warned that distillation can also be misused. “Competitors can use it to acquire powerful capabilities from other labs in a fraction of the time, and at a fraction of the cost that it would take to develop them independently,” Anthropic said.

The company framed the issue as urgent and global in scale. “These campaigns are growing in intensity and sophistication. The window to act is narrow, and the threat extends beyond any single company or region. Addressing it will require rapid, coordinated action among industry players, policymakers, and the global AI community.”

The claims follow similar allegations from US rival OpenAI, which earlier this month told the US House Select Committee on China that DeepSeek and other Chinese AI firms may have illegally distilled ChatGPT models over the past year. DeepSeek has not publicly responded.

DeepSeek released a competing model last year, which OpenAI claims has copied its models using “distillation” techniques. The stronger security includes “information tenting” rules that limit who can see sensitive algorithms and new products.

The report added that OpenAI now keeps important technology on offline computers, uses fingerprint scans to control office access, and has a “deny-by-default” internet policy that requires permission for outside connections. It also said the company has increased security at data centres and hired more cybersecurity staff.

How the campaigns were conducted

Anthropic said it had attributed each campaign to a specific company with “high confidence” using IP address correlation, request metadata, infrastructure indicators, and verification from industry partners.

The company added that each campaign focused on Claude’s “most differentiated capabilities: agentic reasoning, tool use, and coding,” and that the patterns of use clearly indicated deliberate capability extraction rather than ordinary interactions.

The DeepSeek campaign reportedly included over 150,000 interactions. According to Anthropic, the lab targeted reasoning across a variety of tasks, reinforcement learning via rubric-based grading, and generating “censorship-safe alternatives” to sensitive queries.

One technique, the company said, involved prompting Claude to “imagine and articulate the internal reasoning behind a completed response and write it out step by step- effectively generating chain-of-thought training data at scale.”

Traffic patterns, shared payment methods, and coordinated timing suggested “load balancing” to maximise throughput while evading detection. The company also observed prompts designed to produce alternatives for politically sensitive topics, “likely to train DeepSeek’s own models to steer conversations away from censored topics.”

Moonshot, including its Kimi models, allegedly conducted over 3.4 million exchanges, focusing on agentic reasoning, tool use, coding, data analysis, computer-use agent development, and computer vision. Anthropic said the lab employed hundreds of accounts across multiple access pathways, complicating detection as a coordinated effort.

In later phases, Moonshot attempted to extract and reconstruct Claude’s reasoning traces, according to the company.

The largest campaign was linked to MiniMax, with more than 13 million exchanges. It concentrated on agentic coding and tool orchestration. Anthropic said it detected the activity before MiniMax launched the model it was training, providing “unprecedented visibility into the life cycle of distillation attacks, from data generation through to model launch.”

When Anthropic released a new model during MiniMax’s campaign, it said MiniMax redirected nearly half of its traffic within 24 hours to capture capabilities from the updated system.

Proxy networks and ‘hydra clusters’

Claude is not commercially available in China, and Anthropic said it “does not currently offer commercial access to Claude in China, or to subsidiaries of their companies located outside of the country.”

The company alleged that labs circumvented restrictions using commercial proxy services, operating what it called “hydra cluster” networks of fraudulent accounts that distribute traffic across APIs and third-party cloud platforms.

“In one case, a single proxy network managed more than 20,000 fraudulent accounts simultaneously, mixing distillation traffic with unrelated customer requests to make detection harder,” Anthropic said. When an account is banned, another immediately replaces it.

Anthropic said the distinguishing factor of a distillation attack is not a single prompt, but “massive volume concentrated in a few areas, highly repetitive structures, and content that maps directly onto what is most valuable for training an AI model.”

National security concerns

The company stressed that models built through illicit distillation “lack necessary safeguards, creating significant national security risks.” While US companies design systems to prevent misuse for bioweapons development or cybercrime, illegally distilled models are unlikely to retain these protections.

Anthropic warned that foreign labs could integrate such capabilities into “military, intelligence, and surveillance systems, which could enable authoritarian governments to deploy frontier AI for offensive cyber operations, disinformation campaigns, and mass surveillance.”

Anthropic reiterated its support for US export controls on advanced semiconductors, arguing that distillation attacks circumvent the competitive advantage those controls are meant to preserve.

“In reality, these advancements depend in significant part on capabilities extracted from American models, and executing this extraction at scale requires access to advanced chips,” the company said. It added that such attacks “reinforce the rationale for export controls.”

Industry-wide countermeasures

Anthropic said it has invested heavily in technical safeguards, including classifiers and behavioural fingerprinting to detect distillation patterns, enhanced account verification, and model-level protections to reduce the utility of outputs for illicit training. It is also sharing intelligence with other AI firms, cloud providers, and regulators.

The company concluded: “Distillation attacks at this scale require a coordinated response across the AI industry, cloud providers, and policymakers. No company can solve this alone.”

Related stories

AI now lies, denies, and plots: OpenAI’s o1 model caught attempting self-replication

OpenAI tightens security after DeepSeek copy claims

OpenAI rocked by talent exodus amid claims research is being sacrificed for AI advocacy