Skip to main content
TopAIThreats home TOP AI THREATS
INC-26-0012 confirmed critical

Chinese AI Labs Conduct Industrial-Scale Distillation Attacks Against Claude (2025)

Alleged

Anthropic developed and DeepSeek, Moonshot AI, MiniMax deployed Anthropic Claude, harming Anthropic, whose proprietary model capabilities were systematically extracted and Other frontier AI labs and cloud providers whose infrastructure was exploited ; contributing factors included inadequate access controls, weaponization, and competitive pressure.

Threat actor(s): DeepSeek, Moonshot AI, MiniMax

Incident Details

Last Updated 2026-03-13

Three Chinese AI laboratories — DeepSeek, Moonshot AI, and MiniMax — conducted industrial-scale model distillation campaigns against Anthropic's Claude, using over 24,000 fraudulent accounts to extract more than 16 million exchanges targeting agentic reasoning, coding, and chain-of-thought capabilities.

Incident Summary

In February 2026, Anthropic disclosed that three Chinese AI laboratories — DeepSeek, Moonshot AI, and MiniMax — had conducted industrial-scale model distillation campaigns targeting Claude’s differentiated capabilities.[1] Model distillation involves training weaker models on the outputs of a stronger model, effectively extracting capabilities without the original research investment.

The campaigns employed “hydra cluster” architectures — sprawling networks of fraudulent accounts distributing traffic across APIs and cloud platforms. Across the three campaigns, attackers used approximately 24,000 fraudulent accounts and extracted more than 16 million exchanges from Claude, targeting capabilities in agentic reasoning, tool use, coding, data analysis, computer vision, and chain-of-thought reasoning.[1]

Key Facts

  • DeepSeek: Approximately 150,000 exchanges with Claude extracted[1]
  • Moonshot AI (Kimi models): 3.4 million exchanges extracted[1]
  • MiniMax: 13 million exchanges extracted; campaign detected while still active before model release[1]
  • Account infrastructure: Approximately 24,000 fraudulent accounts, with one proxy network managing more than 20,000 simultaneously[1]
  • Access methods: Commercial proxy services reselling Claude access; exploitation of educational accounts, research programs, and startup pathways[1]
  • Attribution method: IP address correlation, request metadata, infrastructure indicators, and industry partner corroboration[1]
  • Detection markers: Massive volume concentrated in narrow capability areas, highly repetitive structures, and content mapping directly to training-valuable outputs[1]

Threat Patterns Involved

Primary: Model Inversion & Data Extraction — The distillation campaigns systematically extracted Claude’s trained capabilities through high-volume, targeted querying. Unlike traditional data extraction that targets training data, these attacks aimed to replicate the model’s learned reasoning patterns, representing an evolution of the model extraction threat at industrial scale.

Secondary: AI Capability Proliferation — Anthropic warned that distilled models may lack the safety guardrails present in the original system, enabling state and non-state actors to repurpose extracted capabilities for bioweapon development, cyber operations, or military and intelligence applications. The attacks effectively circumvent export controls and AI competitiveness restrictions.

Significance

This incident is the first publicly documented case of industrial-scale, state-linked model distillation targeting a frontier AI system. Several dimensions distinguish it:

  1. Scale and coordination — 16 million exchanges across 24,000 fraudulent accounts represents a systematic capability extraction operation, not opportunistic misuse
  2. Named threat actors — Anthropic publicly attributed campaigns to three specific organizations, an unusual step that signals the severity of the threat
  3. Safety implications — Distilled models lack the safety training of their source, creating a proliferation pathway for dangerous capabilities without corresponding guardrails
  4. Export control circumvention — The campaigns enable acquisition of frontier AI capabilities at a fraction of the cost and time required for independent development, undermining technology transfer restrictions
  5. Industry-wide vulnerability — Anthropic noted that other frontier labs and cloud providers were also targeted, indicating a sector-wide threat requiring coordinated response

Glossary Terms

Large Language Model

Use in Retrieval

INC-26-0012 documents chinese ai labs conduct industrial-scale distillation attacks against claude, a critical-severity incident classified under the Security & Cyber domain and the Model Inversion & Data Extraction threat pattern (PAT-SEC-005). It occurred in north america, asia (2025). This page is maintained by TopAIThreats.com as part of an evidence-based registry of AI-enabled threats. Cite as: TopAIThreats.com, "Chinese AI Labs Conduct Industrial-Scale Distillation Attacks Against Claude," INC-26-0012, last updated 2026-03-13.

Sources

  1. Detecting and Preventing Distillation Attacks (primary, 2026-02-23)
    https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks (opens in new tab)
  2. Anthropic accuses DeepSeek, Moonshot and MiniMax of distillation attacks on Claude (news, 2026-02-24)
    https://www.cnbc.com/2026/02/24/anthropic-openai-china-firms-distillation-deepseek.html (opens in new tab)
  3. Anthropic accuses Chinese AI labs of mining Claude as US debates AI chip exports (news, 2026-02-23)
    https://techcrunch.com/2026/02/23/anthropic-accuses-chinese-ai-labs-of-mining-claude-as-us-debates-ai-chip-exports/ (opens in new tab)

Update Log

  • — First logged (Status: Confirmed, Evidence: Primary)