Anthropic has released a sharply worded report accusing three major Chinese AI firms - DeepSeek, Moonshot, and MiniMax - of orchestrating what it calls an industrial-scale effort to extract and replicate the intelligence behind its Claude models. The company describes the activity as “industrial-scale distillation attacks” designed to copy proprietary model capabilities rather than simply use them.
What Anthropic says happened
According to Anthropic, the scope of the alleged campaign was enormous. The company says it detected “over 24,000 fraudulent accounts” generating “over 16 million exchanges with Claude,” with the goal of “extracting its capabilities to train and improve their own models.”
This was not casual use. Anthropic describes highly automated, structured prompting patterns aimed at extracting high-value training signals. Investigators reportedly observed:
- repetitive prompts targeting reasoning and coding
- attempts to extract step-by-step logic and tool-use traces
- rotating proxy infrastructure and identity cycling
- traffic surges aligned with training schedules, not human usage
In its analysis, the attackers were not just harvesting answers. They were targeting the underlying cognition - the reasoning scaffolding behind Claude’s outputs - because those traces are particularly valuable for training rival models quickly and cheaply.
Anthropic argues that such campaigns are accelerating. “These attacks are growing in intensity and sophistication,” the company warns, calling for coordinated industry and policy responses.
Why Anthropic calls this a security issue
Anthropic frames the issue as more than intellectual property theft. It argues that unauthorized distillation strips away alignment and safety layers embedded in frontier models.
The company states plainly: “Illicitly distilled models lack necessary safeguards, creating significant national security risks.”
It continues that foreign labs could integrate these extracted capabilities into state systems:
“Foreign labs that distill American models can then feed these unprotected capabilities into military, intelligence, and surveillance systems.”
If such distilled models are open-sourced or widely deployed, Anthropic warns, those risks multiply as powerful capabilities spread without the original guardrails.
The company also argues distillation undermines export controls and geopolitical tech advantages. It claims these attacks “undermine” export controls by allowing competitors to replicate frontier capabilities through extraction rather than direct compute investment.
The strategic pivot and adaptive scraping
Anthropic describes adversaries that adapt quickly to model updates. Investigators saw traffic patterns shift rapidly after new releases, with automated systems attempting to capture fresh capabilities as soon as they appeared.
This suggests ongoing monitoring and real-time distillation pipelines designed to keep competing models aligned with Claude’s evolving reasoning and tool-use capabilities.
The hypocrisy question…
The report has also ignited a broader industry debate. Frontier AI companies including Anthropic, OpenAI, and Meta built their early models by training on vast quantities of publicly available internet data, often without explicit permission from creators.
Now, as model outputs themselves become valuable training data, the dynamic has inverted. What was once framed as large-scale data utilization is increasingly framed as theft when applied to proprietary model behavior.
This tension sits at the center of the current controversy: whether large-scale model distillation is fundamentally different from large-scale web scraping, or simply the next iteration of the same competitive logic.
Why important?
The immediate consequence is likely to be tighter control over high-value reasoning data. If chain-of-thought and internal reasoning traces are seen as prime distillation targets, providers will move aggressively to conceal or obfuscate them.
That sets up what could become a safety-sovereignty standoff across the AI industry:
- labs locking down internal reasoning to prevent extraction
- heavier verification and access controls
- increased geopolitical framing of model capabilities
Ironically, greater defensive secrecy may reduce transparency for everyday users. As model providers restrict visibility into reasoning to prevent copying, systems may become less interpretable even as they grow more powerful.
In short, frontier AI models are no longer just built from scraped data. They have become the data worth stealing and protecting.
Source: