Anthropic alleges that three Chinese artificial intelligence labs orchestrated a sweeping capability extraction campaign against its flagship model Claude, using more than 24,000 fake user accounts to generate roughly 16 million interactions for training their own systems. The company says the activity, centered on a practice known as distillation, targeted Claude’s strengths in reasoning, tool use, and coding.
The claims arrive as Washington wrangles over how tightly to police exports of advanced AI chips to China. The policy debate is no longer abstract: Anthropic argues the sheer scale of the extraction implies access to high-end accelerators, putting chip controls and AI model security on the same policy fault line.
How the Alleged Capability Mining Against Claude Worked
Distillation is a standard technique for compressing a powerful model’s behavior into a smaller one. Used responsibly within a lab’s own stack, it cuts costs and latency. Used against a competitor via large volumes of scripted prompts and harvested outputs, it becomes a shortcut to replicate valuable capabilities without paying for the original R&D.
Anthropic says the operation zeroed in on tasks where Claude differentiates: multi-step reasoning, structured tool invocation, and software development workflows. According to the company, the accounts were coordinated to bypass rate limits and content policies, with prompt patterns optimized to elicit high-signal answers suitable for training.
The firm names DeepSeek, Moonshot AI, and MiniMax as the operators. By Anthropic’s count, DeepSeek triggered more than 150,000 exchanges aimed at core logic and policy evasion studies; Moonshot AI generated about 3.4 million interactions focused on agentic reasoning, coding, data analysis, and computer-use agents; and MiniMax produced roughly 13 million exchanges tied to agentic coding, tool orchestration, and capabilities “siphoning” at the launch of the newest Claude version. All three companies have recently touted rapid progress, with DeepSeek preparing a new model widely rumored to excel at coding tasks.
Chips and the Policy Crossfire Over AI Exports to China
The Bureau of Industry and Security has tightened and then recalibrated AI chip export rules in successive rounds, while also granting pathways for some U.S. vendors to ship advanced accelerators into China. Supporters say carefully bounded sales preserve commercial interests and visibility into end markets; critics argue that any loosening expands compute capacity that can be redirected into offensive AI development.
Anthropic’s position is unambiguous: the company asserts the observed extraction volume would be prohibitively slow without access to high-performance chips. In its view, distillation at scale is another reason to treat compute as a strategic chokepoint, because it constrains both direct pretraining and large-batch harvesting of proprietary model behavior.
Security voices have echoed that stance. Dmitri Alperovitch, a longtime cybersecurity executive and policy advocate, has argued that evidence of cross-border distillation strengthens the case for tighter controls on AI hardware sales to entities implicated in capability theft. The crux of the argument is leverage: if compute fuels both original training and illicit replication, restricting it changes the economics of copying.
Safety And IP Stakes For Frontier Models
Beyond intellectual property, Anthropic warns of safety externalities. Guardrails that prevent misuse—such as blocks on assisting with bioweapon design or cyber intrusions—may not survive distillation intact, especially when the collector’s intent is to strip away refusals and policy constraints. That risks proliferating capable models with degraded safety profiles.
OpenAI recently briefed lawmakers that DeepSeek sought to imitate its products via distillation, underscoring that leading U.S. labs see a common threat. Policy researchers at U.S. think tanks have likewise cautioned that once a high-capability model is cloned or approximated, downstream open-sourcing or lax distribution can supercharge disinformation, surveillance, and offensive cyber operations by state and non-state actors.
What Industry And Policymakers Could Do Next
Anthropic says it is hardening defenses to make large-scale scraping and distillation harder and more detectable—think tighter rate limiting, velocity and behavior analytics, stricter account verification, and adaptive content watermarking. Cloud providers can add friction by flagging suspicious automated traffic, enforcing know-your-customer standards, and coordinating on cross-platform abuse signals.
At the policy layer, regulators could require provenance attestations for model training datasets, mandate audit logs for bulk inference activity, and condition access to high-end compute on adherence to security baselines. Standards bodies and major labs are also exploring output watermarking and inference-time signatures to identify when one model is overfitting on another’s responses.
The near-term watchlist is straightforward: whether U.S. chip export rules tighten or loosen, how platforms shore up abuse prevention without hobbling legitimate research, and if the accused labs adjust their public disclosures as scrutiny rises. Whatever the policy outcome, Anthropic’s accusation spotlights a new front in AI competition—where compute policy, model security, and global market dynamics intersect.
