In late February, Anthropic dropped a bombshell: three Chinese AI labs had allegedly conducted “industrial-scale” campaigns to steal Claude’s capabilities. The accusation involves 24,000 fraudulent accounts, over 16 million API exchanges, and what Anthropic calls a coordinated effort to train competing models on stolen knowledge.
But the story is more complicated than a simple tale of theft. It raises uncomfortable questions about who gets to claim moral authority in an industry built on aggressive data collection, and whether the defenses against this new form of AI piracy can actually work.
The Alleged Heist
According to Anthropic’s detailed disclosure, three Chinese AI companies ran coordinated “distillation” campaigns against Claude throughout 2025 and into early 2026.
MiniMax allegedly conducted the largest operation: over 13 million API exchanges. Anthropic says it caught MiniMax while the campaign was still active, giving the company “unprecedented visibility into the life cycle of distillation attacks.”
Moonshot AI, the Beijing-based company behind the Kimi models, allegedly ran the second-largest campaign with 3.4 million exchanges. Anthropic claims Moonshot specifically targeted agentic reasoning, tool use, coding, and computer vision capabilities.
DeepSeek - the company that shocked the AI world with its cost-efficient models in January - allegedly ran the smallest but most technically sophisticated operation at 150,000 exchanges. Anthropic says DeepSeek focused on extracting chain-of-thought reasoning data and even asked Claude to generate alternatives to politically sensitive queries about “dissidents, party leaders, or authoritarianism.”
The attackers allegedly used “hydra cluster” architectures - sprawling networks of fake accounts distributing traffic across Anthropic’s APIs. One proxy network reportedly managed 20,000+ accounts simultaneously, mixing distillation queries with normal traffic to evade detection.
What Is Model Distillation?
Distillation is a legitimate machine learning technique: you train a smaller, cheaper model on the outputs of a larger, more capable one. Major labs are widely believed to do it internally - GPT-4o mini and Claude Haiku, for instance, are generally assumed to be distilled from their larger siblings.
The technique works because a larger model’s outputs contain more information than raw training data. When Claude explains its reasoning step by step, that explanation itself becomes training data that can teach a smaller model how to reason.
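In its classic form (Hinton et al., 2015), distillation trains the student against the teacher’s softened output distribution rather than hard labels. Here is a minimal PyTorch sketch of that idea - the teacher, student, and data are toy stand-ins, since real frontier models and their training loops are proprietary:

```python
# Hedged sketch of classic knowledge distillation (Hinton et al., 2015).
# The teacher and student here are toy stand-ins, not real models.
import torch
import torch.nn as nn
import torch.nn.functional as F

teacher = nn.Linear(128, 10)  # stand-in for a large, frozen model
student = nn.Linear(128, 10)  # smaller, cheaper model being trained
optimizer = torch.optim.Adam(student.parameters(), lr=1e-3)
T = 2.0  # temperature: softens the teacher's output distribution

for _ in range(100):
    x = torch.randn(32, 128)  # stand-in for real input batches
    with torch.no_grad():
        teacher_logits = teacher(x)  # teacher outputs act as soft labels
    student_logits = student(x)
    # Match the student's softened distribution to the teacher's.
    loss = F.kl_div(
        F.log_softmax(student_logits / T, dim=-1),
        F.softmax(teacher_logits / T, dim=-1),
        reduction="batchmean",
    ) * (T * T)  # standard rescaling so gradients don't shrink with T
    optimizer.zero_grad()
    loss.backward()
    optimizer.step()
```

The soft targets are the point: the teacher’s relative confidences across all possible answers carry far more signal per example than a hard label does.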
What Anthropic alleges is that Chinese labs turned this internal technique into an external attack vector. Instead of distilling their own models, they allegedly distilled Claude at scale through its API - essentially running a massive knowledge transfer operation without permission.
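Mechanically, this external variant needs none of the teacher’s internals - only its text. Harvested exchanges become ordinary supervised fine-tuning data. A hedged sketch of that reformatting step (the chat schema and file name are generic illustrations, not any lab’s actual format):

```python
# Hedged sketch: harvested API transcripts reformatted as supervised
# fine-tuning data. Schema and file name are generic illustrations.
import json

def transcripts_to_sft(pairs):
    # Each (prompt, response) exchange becomes one training example,
    # with the teacher's response as the target the student imitates.
    for prompt, response in pairs:
        yield {"messages": [
            {"role": "user", "content": prompt},
            {"role": "assistant", "content": response},
        ]}

pairs = [("Explain mutexes step by step.", "A mutex is a lock that ...")]
with open("distilled_sft.jsonl", "w") as f:
    for example in transcripts_to_sft(pairs):
        f.write(json.dumps(example) + "\n")
```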
The targeted capabilities are telling: agentic tool use, coding, chain-of-thought reasoning. These are precisely the capabilities that differentiate frontier models from open-weight alternatives. If you can extract these through 16 million carefully crafted queries, you’ve captured years of research and billions in training costs.
The Uncomfortable Irony
Online reaction to Anthropic’s accusations has been notably skeptical. Critics were quick to note the hypocrisy: as Futurism put it, the complaint is “pretty ironic when you consider how it built Claude in the first place.”
In September 2025, Anthropic agreed to pay $1.5 billion to settle a massive copyright lawsuit. Authors alleged the company had downloaded hundreds of thousands of books from pirate libraries - Library Genesis and Pirate Library Mirror - to train Claude. The settlement covers approximately 500,000 titles and requires Anthropic to destroy the pirated datasets.
The settlement, according to the Authors Guild, amounts to roughly $3,000 per infringed work. Final approval is pending; U.S. District Judge William Alsup has postponed the hearing to April 2026.
Reddit users captured the cognitive dissonance. “They robbed the robbers,” wrote one. Another compared it to “when the zoo accuses you of ‘stealing’ the animals that they rightfully kidnapped from the jungle.”
Anthropic might argue there’s a difference between training on internet text (which all AI labs do) and systematically attacking another company’s model. But the distinction feels thin when the company recently acknowledged downloading pirated copies of copyrighted books specifically to train Claude.
Can You Actually Defend Against This?
Anthropic says it’s deploying technical countermeasures: behavioral fingerprinting, anomaly detection, rate limiting, and watermarking. But experts are skeptical these defenses can hold against determined attackers.
The fundamental problem is that useful AI services require providing outputs to users. Every output is potential training data. Rate limits can be circumvented with thousands of accounts. Anomaly detection can be evaded by mixing attack traffic with normal usage patterns.
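To see why, consider how a naive detector might work. The sketch below flags accounts by volume and prompt-template repetition - the heuristic and thresholds are invented for illustration and bear no relation to Anthropic’s actual systems:

```python
# Hedged sketch of a naive per-account detector: high volume plus
# repetitive prompt "shapes" suggests automated distillation.
# Thresholds are invented for illustration only.
from collections import Counter

def prompt_shape(prompt: str) -> str:
    # Crude structural signature: length bucket plus opening tokens.
    tokens = prompt.split()
    return f"{len(tokens) // 20}|{' '.join(tokens[:3])}"

def looks_like_distillation(prompts: list[str],
                            min_volume: int = 10_000,
                            max_template_share: float = 0.5) -> bool:
    if len(prompts) < min_volume:
        return False  # low-volume accounts are ignored entirely
    shapes = Counter(prompt_shape(p) for p in prompts)
    # A few dominant prompt templates at huge volume is suspicious.
    top_share = shapes.most_common(1)[0][1] / len(prompts)
    return top_share > max_template_share
```

The evasion is visible in the code itself: spread queries across 20,000 accounts and no single account clears the volume bar; pad each account with normal traffic and the template share sinks below the threshold.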
Watermarking - embedding invisible signatures in model outputs that survive into any model trained on them - sounds promising in theory. But research suggests that distillation itself tends to strip watermarks because they’re “redundant and independent to the main learning task.”
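The underlying idea, in the spirit of “green-list” schemes like Kirchenbauer et al. (2023), is to bias generation toward a pseudorandom subset of tokens and later test for that bias statistically. A toy detector sketch - the hash-based list assignment and 50% green fraction are illustrative choices, not a production scheme:

```python
# Hedged detector sketch in the spirit of "green-list" watermarking
# (Kirchenbauer et al., 2023). Hashing and the 50% green fraction
# are toy choices, not a production scheme.
import hashlib
import math

def is_green(prev_token: str, token: str, gamma: float = 0.5) -> bool:
    # Pseudorandomly assign `token` to the green list, seeded by the
    # previous token - mirroring the bias applied at generation time.
    digest = hashlib.sha256(f"{prev_token}|{token}".encode()).digest()
    return digest[0] / 256 < gamma

def watermark_z_score(tokens: list[str], gamma: float = 0.5) -> float:
    # Unwatermarked text hits the green list ~Binomial(n, gamma);
    # a large z-score is statistical evidence of watermarked output.
    n = len(tokens) - 1
    hits = sum(is_green(a, b) for a, b in zip(tokens, tokens[1:]))
    return (hits - n * gamma) / math.sqrt(n * gamma * (1 - gamma))
```

Which makes the limitation concrete: a student trained on watermarked text learns the content, not the green-list skew, so the statistical signal tends to wash out of the distilled model.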
Google’s Threat Intelligence Group has confirmed that Gemini faced similar attacks, with attackers prompting the model over 100,000 times in documented campaigns. This isn’t a problem unique to Anthropic - it’s a structural vulnerability in how AI services operate.
The National Security Angle
Anthropic frames this as more than corporate espionage. The company argues that illicitly distilled models may lack safety guardrails and could enable “authoritarian governments to deploy frontier AI for offensive cyber operations, disinformation campaigns, and mass surveillance.”
This framing supports calls to strengthen export controls on AI services - not just chips - to China. If Chinese labs can extract frontier capabilities through APIs, hardware restrictions become less effective at maintaining technological advantage.
But the framing is also conveniently self-serving: reporting attacks by foreign competitors happens to align with lobbying for policies that would restrict those same competitors.
DeepSeek, Moonshot AI, and MiniMax have not publicly responded to the allegations. Given that the companies are based in China, beyond the reach of U.S. courts, responses may never come.
What This Means
The distillation attack revelations expose a fundamental tension in the AI industry. Companies have built incredibly valuable models by aggressively collecting data - sometimes legally, sometimes questionably, sometimes through pirated libraries. Now they’re discovering that their own products can be harvested in similar ways.
The defenses being proposed - watermarking, behavioral detection, rate limiting - are incremental improvements at best. A sufficiently motivated actor with resources to create thousands of fake accounts can likely evade them.
More fundamentally, the AI industry needs to reckon with the uncomfortable reality that the techniques it used to build frontier models can be turned around on those same models. Anthropic’s $1.5 billion copyright settlement and its accusations against Chinese labs are two sides of the same coin: an industry that moves fast and takes what it needs, then complains when others do the same.
The 16 million API exchanges may represent a new form of corporate espionage. But they’re also a logical extension of how the AI industry has always operated - taking knowledge wherever it can be found and using it to train the next generation of models.
The Bottom Line
Anthropic’s distillation attack disclosure reveals a real security vulnerability in frontier AI, but the company’s own copyright history undermines its moral authority. The defenses being proposed may slow attackers but likely can’t stop determined state-backed actors.