AI Wars

Anthropic Accuses Chinese AI Labs DeepSeek, Moonshot, and MiniMax of Stealing Claude Capabilities


US-based AI developer Anthropic has accused three Chinese labs of stealing capabilities from its AI model Claude on an industrial scale. DeepSeek, Moonshot, and MiniMax allegedly conducted over 16 million queries through approximately 24,000 fraudulent accounts to improve their own models. This occurred in violation of terms of service and regional access restrictions.

The campaigns used a technique called “distillation,” in which a weaker model is trained on the outputs of a stronger one. While this method is legitimate in itself and used by many AI laboratories to create, for example, smaller, more cost-effective versions of their own models, it can also be misused. Competitors can thereby acquire powerful capabilities in a fraction of the time and at a fraction of the cost that independent development would require.

DeepSeek, Moonshot AI (with the Kimi models), and MiniMax (publicly listed) are among China’s leading AI laboratories alongside Zhipu AI. Their LLMs frequently appear on foundation model leaderboards and sometimes even lead in the open-source space.

How Distillation Works

In a distillation attack, large quantities of carefully crafted prompts are generated to extract specific capabilities from a model. The goal is either to collect high-quality responses for direct model training or to generate tens of thousands of unique tasks needed for reinforcement learning.

A single prompt may seem harmless, but when variations of the same prompt arrive tens of thousands of times across hundreds of coordinated accounts and all target the same narrow capability, the pattern becomes clear. Anthropic observed, for example, how DeepSeek prompted Claude to imagine the internal reasoning behind a completed answer and write it out step by step. This effectively generated chain-of-thought training data at scale.
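
The pattern described above can be checked for on the defender's side. The following is an added illustration, not part of the original article and not Anthropic's detection system: it groups near-identical prompts by word-shingle similarity and flags groups that are both high-volume and spread across many accounts. The log records, account names, and thresholds are constructed assumptions.

```python
import re

def shingles(prompt, k=3):
    """Word k-grams of a prompt, with numbers masked so counters do not split clusters."""
    words = re.findall(r"[a-z_]+", re.sub(r"\d+", "_", prompt.lower()))
    return frozenset(tuple(words[i:i + k]) for i in range(max(1, len(words) - k + 1)))

def jaccard(a, b):
    return len(a & b) / len(a | b)

def cluster_prompts(records, threshold=0.5):
    """Greedy clustering: a prompt joins the first cluster whose seed prompt it resembles."""
    clusters = []
    for account, prompt in records:
        s = shingles(prompt)
        for c in clusters:
            if jaccard(s, c["seed"]) >= threshold:
                break
        else:  # no existing cluster matched, so start a new one
            c = {"seed": s, "example": prompt, "accounts": set(), "count": 0}
            clusters.append(c)
        c["accounts"].add(account)
        c["count"] += 1
    return clusters

def flag_coordinated(records, min_accounts=5, min_requests=20):
    """Clusters that are high-volume and spread over many accounts (assumed thresholds)."""
    return [c for c in cluster_prompts(records)
            if len(c["accounts"]) >= min_accounts and c["count"] >= min_requests]

def sample_log():
    """Constructed (account_id, prompt) records, not real traffic."""
    topics = ["algebra", "graphs", "sorting", "probability"]
    coordinated = [(f"acct-{i % 8}", f"Write out the reasoning step by step for exercise {i} "
                    f"on {topics[i % 4]} and give the final answer") for i in range(40)]
    organic = [
        ("acct-100", "Summarize this meeting transcript in three bullet points"),
        ("acct-101", "Translate the following paragraph into French"),
        ("acct-102", "Why does my Python script raise a KeyError here"),
        ("acct-100", "Draft a polite reply declining the invitation"),
    ]
    return coordinated + organic

if __name__ == "__main__":
    for c in flag_coordinated(sample_log()):
        print(c["count"], "requests from", len(c["accounts"]), "accounts:", c["example"])
```

Because the grouping keys on prompt shape rather than on the account, no single account in the flagged cluster has to look unusual on its own.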

The Three Attack Campaigns Compared

| Company | Number of Queries | Primary Extraction Targets | Distinctive Features |
|---|---|---|---|
| DeepSeek | Over 150,000 | Reasoning capabilities, reward models, censorship-resistant alternatives | Synchronized traffic, chain-of-thought extraction, censorship training |
| Moonshot AI | Over 3.4 million | Agentic reasoning, tool use, coding, computer vision | Hundreds of fraudulent accounts, multiple access paths, targeted reasoning reconstruction |
| MiniMax | Over 13 million | Agentic coding, tool use and orchestration | Largest campaign, pivot within 24 hours of new Claude version |

National Security Risks

Anthropic warns of significant security risks posed by illegally distilled models. These models lack the necessary safeguards designed to prevent state and non-state actors from using AI, for example, to develop bioweapons or conduct malicious cyber activities.

Foreign laboratories that distill American models can then feed these unprotected capabilities into military, intelligence, and surveillance systems. This enables authoritarian regimes to deploy frontier AI for offensive cyber operations, disinformation campaigns, and mass surveillance.

According to Anthropic, it is particularly problematic that these attacks undermine export controls. The seemingly rapid progress of Chinese laboratories is mistakenly cited as evidence that export controls are ineffective. In reality, however, this progress depends significantly on capabilities extracted from American models.

How Attackers Gain Access

Because Anthropic currently does not offer commercial access to Claude in China for security reasons, the laboratories use commercial proxy services. These resell access to Claude and other frontier AI models at scale. The services operate so-called “Hydra cluster architectures”: sprawling networks of fraudulent accounts that distribute traffic across third-party APIs and cloud platforms.

In one case, a single proxy network managed more than 20,000 fraudulent accounts simultaneously and mixed distillation traffic with unrelated customer requests to complicate detection.

Anthropic’s Countermeasures

Anthropic has implemented several defensive measures to make such attacks more difficult:

  • Detection: Classifiers and behavioral fingerprinting systems to identify distillation attack patterns in API traffic
  • Intelligence Sharing: Exchange of technical indicators with other AI laboratories, cloud providers, and authorities
  • Access Control: Enhanced verification for educational accounts, security research programs, and startup organizations
  • Countermeasures: Development of product, API, and model protections to reduce the effectiveness of model outputs for illegal distillation

However, the company emphasizes that no single company can solve this alone. Distillation attacks on this scale require a coordinated response from the entire AI industry, cloud providers, and policymakers. Anthropic is publishing these findings to make the evidence accessible to all stakeholders.
