Anthropic has accused three Chinese artificial intelligence companies — DeepSeek, Moonshot AI, and MiniMax — of running coordinated distillation campaigns to extract capabilities from its Claude AI models.
In a blog post published Monday, the San Francisco–based company said the three firms created more than 24,000 fraudulent accounts and generated over 16 million exchanges with Claude. According to Anthropic, the activity breached its terms of service and circumvented regional restrictions that prohibit commercial Claude access in China.
The method in question is distillation, a machine learning process in which a smaller model is trained on the outputs of a more advanced system. AI developers commonly use it to produce compact, lower-cost versions of their own models. Anthropic said the same approach can be used “to acquire powerful capabilities from other labs in a fraction of the time, and at a fraction of the cost that it would take to develop them independently.” It stated that the campaigns focused on Claude’s “most differentiated capabilities: agentic reasoning, tool use, and coding.”
Among the three companies, MiniMax generated the highest volume, with more than 13 million exchanges directed at agentic coding and tool orchestration. Agentic reasoning refers to a model’s ability to independently plan and execute multi-step tasks. Anthropic said it detected MiniMax’s activity before the company released the model it was developing, giving it visibility into the campaign while it was ongoing. During that period, Anthropic launched a new Claude model, and within 24 hours, MiniMax redirected nearly half of its traffic to the updated system.
Moonshot AI accounted for over 3.4 million exchanges conducted through hundreds of fraudulent accounts. Anthropic said Moonshot used multiple access routes to conceal coordination and that the request metadata matched the public profiles of senior Moonshot staff. The exchanges targeted agentic reasoning and tool use, coding and data analysis, computer-use agent development, and computer vision. In a later phase, Moonshot attempted to extract and reconstruct Claude’s reasoning traces. The company released its open-source Kimi K2.5 model and a coding agent last month.
DeepSeek was linked to more than 150,000 exchanges. Anthropic said its prompts aimed to strengthen foundational logic and alignment, including generating “censorship-safe alternatives to politically sensitive questions about dissidents, party leaders, or authoritarianism.” Some prompts asked Claude to reproduce the internal reasoning behind completed responses to create chain-of-thought training data. Anthropic said that the request metadata enabled it to trace the accounts to specific researchers at the lab.
The company described the technical setup behind the campaigns as “hydra cluster” architectures — distributed networks of fraudulent accounts operating across its API and third-party cloud platforms. One such network managed more than 20,000 fraudulent accounts simultaneously and combined distillation traffic with ordinary requests to evade detection. Because there was no single point of failure, removing one account caused another to take its place.
The allegations follow a memo sent earlier this month by OpenAI to the U.S. House Select Committee on China. OpenAI described “sophisticated, multi-stage pipelines” used by Chinese actors to mine frontier models and networks of unauthorized service resellers used to bypass access controls. In that memo, OpenAI accused DeepSeek of “ongoing efforts to free-ride on the capabilities developed by OpenAI and other U.S. frontier labs.” It also warned that DeepSeek’s models lack protections against dangerous outputs in areas such as chemistry and biology. DeepSeek has not publicly commented on the allegations.
The dispute unfolds during a debate over U.S. export controls on advanced AI semiconductors. Last month, the Trump administration formally permitted U.S. companies, including Nvidia, to export advanced AI chips such as the H200 to China. Critics argued that loosening export controls increases China’s AI computing capacity during a global race for AI dominance.
Anthropic said the scale of extraction carried out by the three firms “requires access to advanced chips.” In its blog post, it wrote: “Distillation attacks therefore reinforce the rationale for export controls: restricted chip access limits both direct model training and the scale of illicit distillation.” It added that China’s AI progress depends “in significant part on capabilities extracted from American models, and executing this extraction at scale requires access to advanced chips.”
DeepSeek first drew industry attention a year ago when it released its open-source R1 reasoning model, which nearly matched American frontier labs in performance at a fraction of the cost and with fewer computing resources. The company is expected to release DeepSeek V4, which reportedly can outperform Anthropic’s Claude and OpenAI’s ChatGPT in coding.
Anthropic said models created through illicit distillation are “unlikely” to retain built-in safeguards. “Anthropic and other U.S. companies build systems that prevent state and non-state actors from using AI to, for example, develop bioweapons or carry out malicious cyber activities,” the blog post stated. “Models built through illicit distillation are unlikely to retain those safeguards, meaning that dangerous capabilities can proliferate with many protections stripped out entirely.” It added that foreign labs could integrate such capabilities into military, intelligence, and surveillance systems, enabling authoritarian governments to deploy frontier AI for “offensive cyber operations, disinformation campaigns, and mass surveillance.” The company wrote: “The window to act is narrow.”
Dmitri Alperovitch, chairman of the Silverado Policy Accelerator think tank and co-founder and former CTO of CrowdStrike, told TechCrunch he was not surprised. “It’s been clear for a while now that part of the reason for the rapid progress of Chinese AI models has been theft via distillation of U.S. frontier models. Now we know this for a fact,” Alperovitch said. “This should give us even more compelling reasons to refuse to sell any AI chips to any of these [companies], which would only advantage them further.”
Anthropic faces lawsuits alleging copyright infringement and unauthorized web scraping tied to model training, including Concord Music Group v. Anthropic and Reddit v. Anthropic. OpenAI is the defendant in about a dozen class action copyright lawsuits. None of those cases have been resolved in court.
Anthropic said it has implemented behavioral fingerprinting systems and classifiers to detect distillation patterns in API traffic, tightened verification requirements for account types most often exploited for fraud, and begun sharing technical indicators with other AI labs, cloud providers, and authorities. It is also developing model-level safeguards intended to reduce the usefulness of Claude’s outputs for unauthorized training without degrading performance for legitimate users.
A Forecasting Research Institute report released the same day as Anthropic’s blog post projects that the performance gap between U.S. and Chinese AI models will narrow by 2031, with experts anticipating parity by 2041.
