Anthropic has uncovered large-scale campaigns by three Chinese AI laboratories — DeepSeek, Moonshot AI, and MiniMax — to illegally extract Claude's capabilities for training their own models. The method used is distillation: a less capable model is trained on the output data of a stronger one. The method itself is legitimate, but in this case, it was used to steal intellectual property.
Scale: more than 16 million requests through approximately 24,000 fake accounts.
What was extracted and who is behind the attacks
DeepSeek (~150,000 requests): They targeted reasoning and chains of thought, using Claude as an evaluator model for reinforcement learning. Separately, they generated "censorship-safe" responses to politically sensitive topics (dissidents, party leadership, authoritarianism) to train their models to avoid taboo topics. The accounts were linked to specific researchers at the lab.
Moonshot AI / Kimi (~3.4 million queries): Focus on agent thinking, working with tools, writing code, computer vision. Hundreds of fake accounts of different types for camouflage. In the later stages, attempts were made to directly reproduce Claude's internal reasoning. Attribution was based on metadata that matched the public profiles of senior Moonshot employees.
MiniMax (~13 million queries): The largest campaign. Targeted agent coding and tool orchestration. Discovered before the training model was released, providing a complete picture of the attack lifecycle. When Anthropic released the new model, MiniMax redirected half of its traffic to it within 24 hours.
How they gained access
Anthropic does not provide commercial access to Claude in China. The labs circumvented this through proxy services that resell access to the API. These services use "hydra architecture" — networks of thousands of fake accounts that distribute traffic across different platforms. One such proxy managed more than 20,000 accounts simultaneously, mixing distilled traffic with normal requests.
Why this is dangerous
Distilled models lack protective mechanisms — safeguards against the generation of instructions for biological weapons, cyberattacks, and disinformation. These capabilities could fall into the hands of the military, intelligence, and police systems of authoritarian states. When the source code is opened, the risk increases many times over.
In addition, such attacks undermine the logic of export controls: the rapid progress of Chinese laboratories is mistakenly perceived as proof of the ineffectiveness of sanctions, when in fact it is largely based on stolen American developments.
Anthropic's countermeasures
- Detection — classifiers and behavioral analysis systems to identify distillation patterns in API traffic.
- Intelligence sharing — technical indicators are shared with other AI labs, cloud providers, and authorities.
- Verification enhancement — stricter verification of educational, research, and startup accounts.
- Model-level countermeasures — reducing the suitability of output data for distillation without harming regular users.
Anthropic emphasizes that no company can do this alone — coordination between the industry, cloud providers, and regulators is needed.