Anthropic has uncovered one of the most sophisticated AI theft operations to date — and the evidence points directly at three Chinese labs.
In a disclosure published February 23, 2025, Anthropic revealed it had identified coordinated, industrial-scale "distillation attacks" against its Claude models, carried out by DeepSeek, Moonshot AI (makers of the Kimi models), and MiniMax.
The three labs collectively created over 24,000 fraudulent accounts and ran more than 16 million engineered conversations with Claude — not to use the AI, but to systematically drain it of its capabilities.
What Is Distillation, and Why Does It Matter Here?
Distillation (training a weaker model on the outputs of a stronger one) is a standard and legitimate technique in AI development. Major labs do it routinely to build smaller, faster models for consumers. What makes this different is both the method and the motive.
These weren't curious developers or researchers. The prompts were crafted with surgical precision — repeated tens of thousands of times across hundreds of coordinated accounts — all targeting the same narrow skill sets: agentic reasoning, tool use, coding, and computer vision.
The operations used "hydra cluster" architectures: sprawling proxy networks where banning one account simply triggers another to take its place. One such network managed more than 20,000 fraudulent accounts at once.
DeepSeek (150,000+ exchanges) used synchronised accounts to extract chain-of-thought reasoning data and — notably — to generate censorship-safe rewrites of politically sensitive queries, likely to train its own models to avoid topics like dissidents or party leadership.
Moonshot AI ran a far larger operation (3.4 million+ exchanges), targeting agentic and computer-use capabilities. MiniMax executed the largest campaign by far — over 13 million exchanges — focused on agentic coding and tool orchestration. Anthropic caught MiniMax mid-campaign, before the resulting model launched, giving rare visibility into the full distillation lifecycle.
The deeper concern isn't competitive theft — it's what happens to the safety guardrails. Anthropic and other US labs build in controls to prevent Claude from helping create bioweapons, run cyberattacks, or enable surveillance. Models trained through illicit distillation are unlikely to inherit those protections. If those stripped-down models are then fed into military or intelligence systems — or open-sourced — the risk compounds fast.
Anthropic also connects this directly to export controls: if foreign labs can clone US model capabilities without needing the restricted chips that trained them, it undermines the entire logic of technology restrictions.
What Anthropic Is Doing About It
The company says it has deployed behavioural fingerprinting and classifier systems to detect distillation patterns, tightened verification for academic and startup API access (the most exploited pathways), and is sharing technical indicators with other AI labs, cloud providers, and government authorities.
For regular users, the immediate impact is minimal — but the disclosure signals something bigger: the AI race now includes an active, adversarial front that no single company can defend against alone.