Anthropic and Google have previously said that Chinese labs were distilling their models to create their own, but now Anthropic has named specific labs which it alleges were involved in the practice.
In a detailed public disclosure, Anthropic revealed it has identified what it describes as “industrial-scale” distillation attacks carried out by three Chinese AI laboratories: DeepSeek, Moonshot AI, the company behind the successful Kimi series of models, and MiniMax. According to Anthropic, the three labs collectively created over 24,000 fraudulent accounts and generated more than 16 million exchanges with Claude, its flagship AI model, in violation of the company’s terms of service and regional access restrictions. The three companies are the top-performing Chinese companies on most AI benchmarks.
Distillation is a widely used and legitimate technique in AI development, where a less capable model is trained on the outputs of a stronger one — frontier labs routinely use it to create smaller, cheaper versions of their own models. But Anthropic argues the practice becomes deeply problematic when competitors use it to extract capabilities from a rival’s model without authorization, acquiring those capabilities in a fraction of the time and at a fraction of the cost it would take to develop them independently.
Each of the three labs reportedly followed a similar playbook, using proxy services and fraudulent accounts to access Claude at scale while evading detection. Anthropic says it attributed each campaign with high confidence using IP address correlation, request metadata, infrastructure indicators, and corroboration from industry partners who observed the same actors on their own platforms.
The Modus Operandi
The scale varied considerably across the three operations. Anthropic alleges that DeepSeek’s campaign involved over 150,000 exchanges and focused on reasoning capabilities, rubric-based grading tasks to help train reward models for reinforcement learning, and generating censorship-safe alternatives to politically sensitive queries. In one notable technique, DeepSeek’s prompts asked Claude to articulate the internal reasoning behind its responses step by step, effectively harvesting chain-of-thought training data at scale.
Moonshot AI, the company behind the Kimi models, ran a significantly larger operation involving over 3.4 million exchanges. Its campaign targeted agentic reasoning, tool use, coding, data analysis, and computer vision, with later phases specifically attempting to extract and reconstruct Claude’s reasoning traces. Anthropic says it traced the accounts to senior Moonshot staff through request metadata matching public profiles.
The largest operation by far was MiniMax’s, which generated over 13 million exchanges and focused on agentic coding and tool use. Anthropic says it detected the campaign while it was still active, giving it unusual visibility into the full lifecycle of a distillation attack. In a telling detail, when Anthropic released a new model during MiniMax’s active campaign, the lab pivoted within 24 hours, redirecting nearly half its traffic to capture capabilities from the newer system.
To get around Anthropic’s restrictions on commercial access in China, the labs reportedly used commercial proxy services running what Anthropic calls “hydra cluster” architectures — sprawling networks of fraudulent accounts spread across the API and third-party cloud platforms. One such proxy network reportedly managed more than 20,000 fraudulent accounts simultaneously, mixing distillation traffic with legitimate customer requests to avoid detection.
Anthropic argues the national security implications extend well beyond competitive business concerns. The company contends that illicitly distilled models are unlikely to retain the safeguards that American AI labs build in to prevent misuse — such as restrictions on helping develop bioweapons or enabling malicious cyber operations. Foreign labs could then feed these unprotected capabilities into military, intelligence, and surveillance systems.
The company also frames the issue as a direct challenge to US export controls on advanced chips. It argues that distillation attacks allow foreign labs to close the AI capability gap that export controls are designed to preserve, and that without visibility into these attacks, rapid advances by Chinese labs are mistakenly taken as evidence that export controls aren’t working. In Anthropic’s view, the opposite is true: executing distillation at scale itself requires access to advanced chips, reinforcing the rationale for chip restrictions. Anthropic CEO Dario Amodei has long been arguing for a ban on the export of AI chips to China.
In response, Anthropic says it has built classifiers and behavioral fingerprinting systems to detect distillation attack patterns, strengthened verification for educational and research accounts, and begun sharing technical indicators with other AI labs, cloud providers, and authorities. The company is also developing model-level countermeasures designed to reduce the usefulness of Claude’s outputs for distillation without degrading the experience for legitimate users. Anthropic was clear, however, that no single company can address the problem alone, and called for coordinated action across the AI industry, cloud providers, and policymakers.
Distilling: A Persistent Concern
Allegations of Chinese labs distilling the output of US models have been around the since first viral DeepSeek R1 release. More recently, Google and OpenAI have again called out the practice. Google had said earlier this month that commercially motivated actors had been trying to steal its models, while OpenAI too had said the same thing in a memo to the US government. But Anthropic’s latest allegations are the most serious — not only do they directly name Chinese labs, but they also detail the fraudulent means and the extent to which the illegal operations took place. It remains to be seen how US labs — and possibly the US government — respond, but it appears that much of the recent success of Chinese models might’ve come from riding on the coat-tails of their US counterparts.