Chinese models are breathing down the necks of their US counterparts, but they may be getting assistance in their creation from the very US models they’re competing with.
In a stark warning to Congress, OpenAI has disclosed that DeepSeek and other Chinese AI labs are conducting sophisticated campaigns to copy American frontier models through adversarial distillation—a practice that involves extracting capabilities from US systems to build competing products without investing in the underlying research and development.
According to a February 12, 2026 memo sent to the US House Select Committee on Strategic Competition with China, OpenAI detailed evidence of evolving distillation tactics designed to circumvent protections and replicate American AI capabilities. The company stated that “the majority of adversarial distillation activity we’ve observed on our platform appears to originate from China, and occasionally from Russia.”
Obfuscation and Third-Party Routing
OpenAI’s investigation revealed that DeepSeek employees have developed methods to mask their identities when accessing US models. The memo states: “We have observed accounts associated with DeepSeek employees developing methods to circumvent OpenAI’s access restrictions and access models through obfuscated third-party routers and other ways that mask their source.”
Beyond DeepSeek, OpenAI noted a broader ecosystem shift. Chinese actors have moved from simple Chain-of-Thought extraction to “more sophisticated, multi-stage pipelines that blend synthetic-data generation, large-scale data cleaning, and reinforcement-style preference optimization.” The company also observed Chinese firms using “networks of unauthorized resellers of OpenAI’s services to evade our platform’s controls.”
The Safety Risk
While distillation itself has legitimate uses—training smaller models from larger ones—OpenAI emphasized that adversarial distillation strips away safety features. “When capabilities are copied through adversarial distillation without the corresponding safety governance and mitigations, the result is cheaper-to-scale systems, where subtle deficiencies may only become obvious after deployment, when failures are hardest to contain,” the company warned.
OpenAI specifically flagged that DeepSeek models “lack meaningful guardrails against dangerous outputs in high-risk domains like chemistry and biology, or offer limited protections for copyrighted material.” Despite signing China’s voluntary AI safety commitments, DeepSeek has not published a clear safety framework or evidence of robust red-teaming.
CCP Censorship Embedded in Models
The memo detailed how Chinese state censorship is baked into DeepSeek’s systems at multiple levels. On politically sensitive topics like Tiananmen Square, Taiwan independence, or human rights in Xinjiang, DeepSeek frequently refuses to respond. OpenAI found that “DeepSeek’s pro-CCP bias appears to be more severe in recent model releases.” In another instance, OpenAI noted that any mentions of the dissident Chinese group Falun Gong were immediately deleted by Chinese models after generating them.
Beyond refusals, the models show systematic framing bias—offering confident, detailed responses for narratives aligned with Chinese government positions while deflecting or hedging when prompts invite criticism of the CCP. In some cases, DeepSeek’s chat interface generates substantive responses to sensitive questions, then freezes mid-response, deletes the output, and issues a refusal. This suggests a “secondary monitoring or classification system” reviewing content in real time and suppressing responses that conflict with CCP political requirements.
The Infrastructure Gap Widens
Perhaps most alarming for US competitiveness is China’s accelerating lead in power generation—the foundation of AI compute capacity. OpenAI highlighted that “in 2025, China added 543 GW of new power capacity – 10X the amount of electricity added by the US, and over 100 GW more than it added in 2024.” In 2024, China added 429 GW—more than one-third of the entire US grid.
OpenAI’s assessment is blunt: “Infrastructure is destiny: chip development, power generation, transmission, and data center capacity will determine which countries can train and deploy frontier systems.”
The company noted that China’s Fourth Plenum in October 2025 elevated AI as central to national modernization, backed by large subsidies and coordinated support for domestic champions. New amendments to China’s Cybersecurity Law, effective January 1, 2026, formalize state support for foundational AI research and expanded computing infrastructure.
Export Controls and the Chip Race
OpenAI’s disclosure comes against the backdrop of ongoing US efforts to restrict Chinese access to advanced semiconductors. NVIDIA’s AI chips have been subject to export controls designed to prevent China from acquiring the computing power needed to train frontier models.
Yet the distillation tactics described by OpenAI suggest that export controls alone cannot close the capability gap if Chinese labs can simply copy the results of American compute investments. By accessing outputs from US models through API calls, resellers, and obfuscated routing, Chinese firms effectively bypass the need for cutting-edge hardware—at least for model capabilities if not training efficiency.
OpenAI praised the Trump Administration’s “updated approach to the export of chips to China” and its “domestic-first logic,” while committing to deploy its own custom silicon only in the US and high-trust allied environments.
OpenAI’s Countermeasures
In response to the distillation threat, OpenAI has implemented layered defenses including heuristics, machine learning classifiers, and manual review to detect suspicious usage patterns. The company now trains models not to reveal reasoning traces—a response to Chain-of-Thought extraction—and deploys real-time monitoring for ranking behaviors indicative of reinforcement learning data collection.
When violations are detected, OpenAI bans accounts. But the company acknowledged that individual lab protections are insufficient. It advocates for an “ecosystem security” approach, arguing that “it is not enough for any one lab to harden its protection because adversaries will simply default to the least protected provider.”
The memo calls for government assistance in establishing industry-wide norms, sharing intelligence on adversarial actors, addressing API router loopholes, and restricting adversary access to US compute, cloud, payment, and web infrastructure.
US-China AI Race
The AI race had been set off by the US with the release of ChatGPT, but China has been quick to respond. In late 2024, China had launched Deepseek, which had immediately elicited interest from developers for its capabilities. The interest had turned to worry with the release of DeepSeek R1, which was rumoured to have been trained at a fraction of the budget of US models, and was also much cheaper than them. Since then, a host of Chinese companies have been producing very capable open models, and these models are more more popular than their US counterparts. In recent weeks, Chinese open models have performed better than some top models from US frontier labs — Z.ai’s GLM-5 scores higher than Google’s Gemini 3 Pro on the Artificial Analysis Intelligence Index, and Minimax’s M2.5 does better than both Gemini 3 Pro and GPT 5.2 on SWE-Bench. Amid all this progress, OpenAI is saying that Chinese companies are unfairly benefiting from US AI progress by training their models on the outputs generated by US models. This was something that was alluded to by Google DeepMind CEO Demis Hassabis, who’d said late last year that he’d seen no truly novel innovations come out of Chinese AI labs. It remains to be seen if US labs will be able to prevent Chinese models from using their outputs, but if their allegations are correct, it appears that at least a part of China’s AI progress could be from riding on the coattails of their US counterparts.