Anthropic Accuses Chinese AI Labs of Industrial Scale Distillation Attacks Using Fraudulent Accounts

DeepSeek and Moonshot Named in Extraction Scheme

Anthropic has publicly called out three major Chinese AI laboratories for orchestrating massive campaigns to siphon intelligence from its Claude models. The San Francisco based company identified DeepSeek, Moonshot, and MiniMax as the entities behind more than 16 million exchanges aimed at capturing Claude's advanced capabilities. These operations utilized approximately 24,000 fraudulent accounts to bypass regional restrictions and terms of service. The labs employed a technique known as distillation, which typically involves training smaller models on the outputs of a stronger system. While distillation is a standard industry practice for efficiency, Anthropic argues that these specific campaigns represent illicit attempts to acquire frontier reasoning and coding logic. By generating high quality synthetic data, these competitors can potentially close the performance gap in a fraction of the time required for independent development.

Scale of the Attack Infrastructure

To evade detection, the accused labs utilized what Anthropic describes as a hydra cluster architecture. This involved using commercial proxy services to distribute traffic across a sprawling network of accounts, making it difficult to block the activity without disrupting legitimate users. MiniMax alone was responsible for 13 million exchanges, even pivoting its attack patterns within 24 hours of a new Claude model release to capture the latest improvements. The investigations revealed that the prompts were specifically engineered to extract chain of thought reasoning. This specialized data allows student models to mimic the internal logic and step by step processing of Claude, rather than just copying its final answers. According to the official announcement, these targeted efforts focused on agentic reasoning, complex tool use, and computer vision.

Response and National Security Concerns

Anthropic emphasizes that these illicitly trained models pose significant security risks because they often lack the robust safety filters found in the original systems. There is a growing concern that such capabilities could be fed into military or surveillance systems by foreign governments. By bypassing safeguards, these labs may inadvertently or intentionally create models that are easier to weaponize for cyber operations or disinformation. While the company has not yet initiated formal legal action, it has moved to a policy of public attribution to alert the global AI community. Anthropic is currently sharing technical indicators with other labs and cloud providers to build a more holistic defense against such extraction attempts. The company maintains that restricted chip access remains the most effective way to limit both direct training and the scale of these sophisticated distillation attacks.