What happens when competitors don’t want to build their own AI capabilities from scratch? They steal them. Anthropic recently published a bombshell disclosure revealing that three AI laboratories—DeepSeek, Moonshot, and MiniMax—have been running industrial-scale campaigns to extract Claude’s capabilities through a technique called distillation. We’re talking about over 16 million exchanges through approximately 24,000 fraudulent accounts. This isn’t hobbyist scraping; this is systematic intellectual property theft with serious national security implications.

In this post, we’ll break down what distillation attacks actually are, how these campaigns operated, why this matters beyond corporate competition, and what Anthropic (and the broader industry) is doing about it.

What Is Distillation and Why Does It Matter?

Distillation is a legitimate machine learning technique where you train a smaller, less capable model on the outputs of a larger, more powerful one. Frontier AI labs do this all the time—it’s how they create lightweight versions of their flagship models that run faster and cheaper. Think of it as teaching a student by having them study the work of a master.

The problem arises when competitors use distillation to steal capabilities they didn’t develop. Instead of investing the time, compute, and research to build their own frontier models, they can effectively copy someone else’s work by generating massive amounts of high-quality training data from another company’s API. You get the capabilities without the R&D costs.

This matters for several critical reasons. First, it’s a direct violation of terms of service and, depending on jurisdiction, potentially intellectual property law. Second, and more concerning from a security perspective, distilled models typically don’t retain the safety guardrails built into the source model. Anthropic and other responsible AI labs invest heavily in preventing their models from helping with bioweapons development, malicious cyber operations, and other harmful use cases. Strip those protections out, and you’ve got a powerful AI system with none of the safety work.

The Three Campaigns: DeepSeek, Moonshot, and MiniMax

Anthropic’s investigation revealed three distinct but similarly structured campaigns, each targeting Claude’s most differentiated capabilities: agentic reasoning, tool use, and coding.

DeepSeek: 150,000+ Exchanges

DeepSeek’s operation was perhaps the most sophisticated in its approach. They targeted reasoning capabilities across diverse tasks, used Claude as a reward model for reinforcement learning through rubric-based grading tasks, and—this is particularly notable—generated censorship-safe alternatives to politically sensitive queries.

That last point deserves emphasis. DeepSeek was using Claude to help train their own models to steer conversations away from topics the Chinese Communist Party considers sensitive: questions about dissidents, party leaders, authoritarianism. They’re not just stealing capabilities; they’re weaponizing them for censorship infrastructure.

One particularly clever technique involved prompting Claude to articulate the internal reasoning behind completed responses step by step. Essentially, they were generating chain-of-thought training data at scale—extracting not just what Claude says, but how it thinks.

Moonshot AI: 3.4 Million Exchanges

Moonshot’s campaign was broader in scope, employing hundreds of fraudulent accounts across multiple access pathways. They targeted agentic reasoning and tool use, coding and data analysis, computer-use agent development, and computer vision.

The varied account types made detection harder since it didn’t look like a coordinated operation at first glance. Anthropic attributed the campaign through request metadata matching public profiles of senior Moonshot staff. In later phases, Moonshot shifted to more targeted extraction attempts, specifically trying to reconstruct Claude’s reasoning traces.

MiniMax: 13 Million Exchanges

MiniMax ran the largest campaign by volume, focusing on agentic coding and tool orchestration. What makes this case particularly interesting is that Anthropic detected it while it was still active—before MiniMax released the model they were training. This gave unprecedented visibility into the full lifecycle of a distillation attack, from data generation through to model launch.

The responsiveness was striking: when Anthropic released a new model during MiniMax’s active campaign, they pivoted within 24 hours, redirecting nearly half their traffic to capture capabilities from the latest system. This isn’t passive scraping; it’s active, adaptive intelligence gathering.

The Infrastructure: Hydra Clusters and Proxy Services

How do labs in China access Claude at scale when Anthropic explicitly doesn’t offer commercial access there? Through commercial proxy services that resell access to frontier AI models.

These services run what Anthropic calls “hydra cluster” architectures—sprawling networks of fraudulent accounts that distribute traffic across APIs and third-party cloud platforms. The architecture is designed for resilience: when one account gets banned, another takes its place. In one case, a single proxy network managed more than 20,000 fraudulent accounts simultaneously, mixing distillation traffic with legitimate customer requests to make detection harder.

The name is apt. Cut off one head, two more appear. This is infrastructure built specifically for adversarial operations.

Why This Is a National Security Issue

This goes beyond corporate competition. When foreign labs distill American models, they can feed those capabilities—with safety guardrails stripped—into military, intelligence, and surveillance systems. We’re talking about authoritarian governments potentially deploying frontier AI for offensive cyber operations, disinformation campaigns, and mass surveillance.

If these distilled models get open-sourced, the risk multiplies exponentially. Dangerous capabilities spread freely beyond any single government’s control.

There’s also the export control angle. The U.S. has implemented export controls to maintain America’s AI advantage, restricting access to advanced chips needed to train frontier models. Distillation attacks undermine those controls by providing an alternative path to capability acquisition. The apparently rapid advancements by these labs are being incorrectly cited as evidence that export controls don’t work. In reality, those advancements depend significantly on capabilities extracted from American models.

The irony is that executing distillation at this scale still requires substantial compute—which means export controls on chips actually do limit both direct training and the scale of illicit distillation. The controls are working; they’re just being circumvented through theft rather than innovation.

Anthropic’s Response and Industry-Wide Implications

Anthropic is responding on multiple fronts:

Detection systems including classifiers and behavioral fingerprinting designed to identify distillation patterns in API traffic. This includes detecting chain-of-thought elicitation used to construct reasoning training data and identifying coordinated activity across large numbers of accounts.

Intelligence sharing with other AI labs, cloud providers, and relevant authorities. A single company can’t see the full picture; sharing technical indicators provides a more comprehensive view of the distillation landscape.

Strengthened access controls particularly for educational accounts, security research programs, and startup organizations—the pathways most commonly exploited for fraudulent accounts.

Countermeasures at the product, API, and model level designed to reduce the efficacy of outputs for illicit distillation without degrading experience for legitimate users.

But Anthropic is clear that no single company can solve this alone. This requires coordinated action across the AI industry, cloud providers, and policymakers. The window to act is narrow.

What This Means Going Forward

The distillation attack disclosure highlights several uncomfortable truths about the current AI landscape.

First, the gap between frontier and follower labs may be narrower than it appears—but for the wrong reasons. Some of the “rapid progress” we’ve seen is actually capability theft masquerading as innovation.

Second, safety work is at risk of being systematically stripped out. The labs doing the distillation aren’t inheriting the safety guardrails; they’re just taking the capabilities. This creates a proliferation risk for dangerous AI applications.

Third, the AI industry needs to mature its security posture quickly. The techniques used here—coordinated fraudulent accounts, proxy services, behavioral obfuscation—are sophisticated adversarial operations. Defending against them requires treating API security as a serious adversarial problem, not just a terms-of-service enforcement issue.

Fourth, export controls and security measures are complementary, not alternatives. The fact that distillation attacks exist doesn’t mean chip export controls are ineffective; it means we need both hardware restrictions and software security measures working together.

Conclusion

Anthropic’s disclosure pulls back the curtain on what has likely been happening across the industry for some time. Over 16 million exchanges, 24,000 fraudulent accounts, three major AI labs—this is industrial-scale capability theft with genuine national security implications.

The AI community faces a choice: coordinate rapidly on detection, intelligence sharing, and countermeasures, or watch as safety-stripped models proliferate to actors who have no interest in responsible deployment. Anthropic has made their evidence public. Now the question is whether the rest of the industry and policymakers will respond with the urgency the situation demands.

For those of us working in security, this is a reminder that the threat landscape for AI systems is evolving rapidly. API security, fraud detection, and behavioral analysis aren’t just business concerns—they’re becoming national security imperatives. The window to act is narrow, and the stakes are high.