In recent days Anthropic made public one of the most serious accusations ever leveled in the artificial intelligence industry: three major Chinese labs allegedly ran coordinated illicit distillation campaigns against models in the Claude family, totaling over 13 million interactions.

According to Anthropic, the goal was to rapidly transfer advanced capabilities, especially in reasoning, agentic coding, and tool use, bypassing both the training costs and the safety measures built into frontier US models.


What distillation is (and why it's a problem here)

Distillation is a legitimate, widely used technique: a "student" model learns from the outputs of a larger "teacher" model to produce cheaper, faster versions.

The problem arises when it's:

  • applied to a competitor's models without authorization;
  • carried out at industrial scale;
  • targeting not just final outputs, but also reasoning processes (chain-of-thought).

In this scenario, distillation enables an accelerated transfer of capability at a fraction of the cost and time it would take to develop it from scratch.

Anthropic also highlights a key risk: distilled models don't inherit the same safety safeguards, exposing those capabilities to malicious use, from cyberwarfare to mass surveillance, to sensitive domains like bioengineering.


The three actors involved

Anthropic says it attributed the campaigns with high confidence, based on IP correlations, request metadata, infrastructure fingerprints, and confirmations from industry partners.

DeepSeek

  • Scale: over 150,000 interactions
  • Targets:
    • advanced reasoning
    • rubric-based grading (to train reward models)
    • "safe" responses on politically sensitive topics
  • Techniques: synchronized traffic, shared payment methods, prompts designed to extract step-by-step reasoning
  • Entity: DeepSeek

Moonshot AI (Kimi models)

  • Scale: over 3.4 million interactions
  • Targets:
    • agentic reasoning
    • tool use
    • coding and data analysis
    • computer vision and computer-use agents
  • Techniques: hundreds of fraudulent accounts, multiple operational phases; in the latest ones, an explicit focus on reconstructing reasoning traces
  • Entity: Moonshot AI

MiniMax

  • Scale: over 13 million interactions (the largest campaign)
  • Targets: agentic coding and tool orchestration
  • Techniques: operation still active at the time of detection; extremely fast reaction to new Claude releases (pivot in under 24 hours)
  • Entity: MiniMax

In at least one case, request metadata reportedly matched the public profiles of senior researchers at the labs involved.


How the restrictions were circumvented

Anthropic does not offer commercial access to Claude in China. The companies allegedly used:

  • third-party proxy services that resell API access;
  • networks of fraudulent accounts that mix legitimate traffic with distillation traffic.

This approach makes detection much harder, because the malicious activity "hides" among normal requests.


The announced countermeasures

Anthropic says it's investing in:

  • classifiers to detect chain-of-thought extraction;
  • behavioral fingerprinting to identify coordinated activity;
  • stronger vetting of educational and research accounts, often exploited in these schemes.

At the same time, the company is sharing technical indicators with other AI labs, cloud providers, and authorities, stressing that no single actor can solve this problem alone.


Geopolitical and industrial implications

Anthropic reaffirmed its support for US export controls on advanced chips, arguing that distillation attacks reinforce the rationale: limiting access to hardware reduces both direct training and the ability to mass-extract data.

The disclosure comes just weeks after a similar warning from OpenAI to the US Congress: in that case too, DeepSeek was allegedly involved in distillation campaigns against GPT models, via tens of thousands of fake accounts and proxy networks described as "hydra clusters".


Why this matters for cybersecurity too

From a cybersecurity standpoint, the case highlights that:

  • AI APIs are a new attack perimeter;
  • the abuse doesn't happen through traditional exploits, but through formally valid, massive use of the systems;
  • protection requires behavioral analysis, correlation, and cross-company cooperation, not just access controls.

Illicit distillation isn't just a contract violation: it's a systemic security problem, with impacts on defense, intelligence, and global technological stability.


The Anthropic case sets an important precedent: for the first time, a major AI lab has publicly described industrial-scale capability extraction operations, precisely attributed to specific actors.

For the industry, the message is clear:

AI model security isn't just about what they produce, but also about how they're observed, queried, and copied.

And this opens a new phase of competition, and conflict, in the global artificial intelligence ecosystem.