Anthropic has revealed large-scale illicit “distillation” campaigns targeting its Claude model, allegedly conducted by Chinese AI companies DeepSeek, Moonshot AI, and MiniMax. According to the company, more than 16 million prompts were generated through approximately 24,000 fraudulent accounts to extract key model capabilities.

Anthropic stated it uncovered “industrial-scale campaigns” aimed at illegally extracting Claude’s capabilities to improve competing models. All three companies are based in China, where access to Anthropic’s services is restricted due to “legal, regulatory, and security risks.”
Model distillation is a legitimate technique when used internally to create smaller versions of a company’s own models. However, using outputs from a competitor’s model without authorization violates service terms and intellectual property rights.
Anthropic warned:
“Illicitly distilled models lack necessary safeguards, creating significant national security risks.”
The company emphasized that unlawfully distilled models may strip away critical safety protections, potentially enabling their deployment in military, intelligence, and mass surveillance systems.

DeepSeek – over 150,000 exchanges targeting reasoning, rubric-based grading, and censorship-safe responses to politically sensitive topics.
Moonshot AI – over 3.4 million exchanges focusing on agentic reasoning, tool use, coding, and computer vision.
MiniMax – over 13 million exchanges targeting agentic coding and tool-use capabilities.
Anthropic noted that the volume and structure of prompts clearly reflected deliberate capability extraction rather than normal usage.
The attacks relied on commercial proxy services reselling access to Claude and other frontier models. “Hydra cluster” architectures supported tens of thousands of fraudulent accounts simultaneously.
“When one account is banned, a new one takes its place.”
In one case, a single proxy network managed over 20,000 fraudulent accounts at once, blending distillation traffic with unrelated customer activity.
The company implemented behavioral fingerprinting systems, classifiers to detect distillation patterns, strengthened verification for educational and startup accounts, and safeguards to reduce the effectiveness of illicit output harvesting.
Earlier this month, Google reported similar extraction attempts against Gemini involving more than 100,000 prompts. The rise of AI model extraction signals a shift from traditional cybercrime toward strategic AI capability theft. As frontier models become more powerful, they increasingly represent geopolitical and economic assets.
The 16-million-query incident highlights a new phase of AI espionage. The primary risk is not to end users but to model developers themselves, who are becoming targets of large-scale extraction operations. AI competition is evolving into a cybersecurity and national security battleground.