In a detailed report released on February 23, 2026, the artificial intelligence safety lab Anthropic formally accused three of China’s most prominent AI entities—DeepSeek, Moonshot AI, and MiniMax—of executing “industrial-scale distillation attacks.” The campaign allegedly involved the creation of roughly 24,000 fraudulent accounts to generate over 16 million exchanges with Claude. Anthropic argues this was not a casual violation of terms, but a coordinated attempt to bypass U.S. export controls and clone American-made frontier AI capabilities. By systematically prompting Claude and saving its answers, these labs have been able to harvest the model’s intelligence to refine their own systems at a fraction of the original research cost.
Also read: Claude Code Security explained: How it caused a cyber stock crash
The primary weapon in this campaign is a technique known as “distillation,” where a smaller or “student” model is trained on the high-quality outputs of a larger “teacher” model. While distillation is a standard industry practice for making models more efficient, Anthropic identifies a “distillation attack” as the illicit use of a competitor’s proprietary outputs to bridge the gap in reasoning and coding expertise. DeepSeek specifically targeted Claude’s internal thought processes, forcing the model to articulate step-by-step “chain-of-thought” reasoning to create a synthetic training dataset. Meanwhile, MiniMax and Moonshot focused on Claude’s world-class coding and tool-use abilities. In one instance, Anthropic observed MiniMax redirect half of its massive traffic to a brand-new Claude model version within just 24 hours of its release, showcasing a predatory speed in capturing the latest technological updates.
Also read: Vachana text-to-speech model explained, as part of India AI Impact Summit 2026
To execute these extractions without triggering standard security alarms, the labs utilized sophisticated “hydra clusters” – sprawling networks of thousands of accounts distributed across various APIs and third-party cloud platforms. However, Anthropic was able to uncover the operation through “behavioral fingerprinting,” a method of spotting unnatural patterns that no human user would exhibit. While a single prompt might appear benign, Anthropic’s classifiers identified tens of thousands of requests sharing identical rubric-based grading structures and highly repetitive formatting. These “fingerprints” included metadata that linked accounts back to shared payment methods, IP clusters, and even the public profiles of senior staff at the offending labs. By correlating these request patterns, Anthropic gained a “God’s eye view” of the campaign, allowing them to track the data harvest in real-time as it moved from Claude’s servers into the training pipelines of the Chinese models.
Beyond the commercial theft of intellectual property, Anthropic’s report highlights a chilling national security risk: the “stripping” of safety safeguards. Distilled models often gain the raw intelligence of the original model without inheriting the thousands of hours of safety fine-tuning designed to prevent the generation of harmful content. Anthropic fears these “unprotected” clones could be used for offensive cyber operations or to assist in the development of biological weapons. Furthermore, the investigation found evidence of DeepSeek using Claude to generate “censorship-safe” versions of politically sensitive queries regarding authoritarianism and dissidents. This suggests the labs are training their models to navigate and enforce state-mandated restrictions while utilizing Western AI as the foundational engine for their propaganda and surveillance tools.
Also read: Optoma WHD211 and WHD221: Wireless HDMI dongles for the masses
