The Accusation That Shook the AI Industry
On February 23, 2026, Anthropic published a detailed disclosure that sent shockwaves through the artificial intelligence community. The company publicly accused three Chinese AI laboratories — DeepSeek, MiniMax, and Moonshot AI — of orchestrating industrial-scale distillation campaigns targeting its Claude model. The numbers were staggering: approximately 24,000 fraudulent accounts and more than 16 million exchanges designed to systematically extract the reasoning capabilities that Anthropic had spent years and billions of dollars developing.
This was not a case of a few researchers casually testing a competitor’s model. According to Anthropic’s investigation, the operations used what the company described as “hydra cluster architectures” — sprawling fraudulent account networks that mixed distillation traffic with legitimate requests to avoid detection. One proxy network managed over 20,000 accounts simultaneously. The accounts were created using methods that violated both Anthropic’s terms of service and regional access restrictions, since Claude is not commercially available in China.
The breakdown by company revealed the scale of each operation. MiniMax was the most prolific, generating over 13 million exchanges focused on agentic coding and tool use capabilities. Moonshot AI accounted for more than 3.4 million exchanges targeting agentic reasoning, tool use, coding and data analysis, computer-use agent development, and computer vision. DeepSeek’s operation was smaller in volume — over 150,000 exchanges — but notable for its strategic focus on reasoning capabilities, rubric-based grading for reinforcement learning reward models, and a particularly revealing detail: the lab sought Claude’s help in generating censorship-safe alternatives to politically sensitive queries about dissidents, party leaders, and authoritarianism.
The disclosure forced the entire AI industry to confront an uncomfortable truth: the models that companies spend hundreds of millions of dollars training can be systematically reverse-engineered by anyone with enough API credits and patience. Model distillation — the process of training a smaller model to replicate the outputs of a larger one — had evolved from a legitimate research technique into an industrial-scale intellectual property extraction tool.
How Model Distillation Actually Works
To understand the severity of the accusations, it helps to understand the mechanics of model distillation. At its core, distillation is deceptively simple. A “student” model is trained not on raw data, but on the outputs of a “teacher” model. By feeding millions of carefully crafted prompts to the teacher and recording its responses, the student learns to approximate the teacher’s behavior — often at a fraction of the computational cost.
The technique was originally developed by Geoffrey Hinton, Oriol Vinyals, and Jeff Dean in a 2015 paper titled “Distilling the Knowledge in a Neural Network.” The concept was practical and entirely above board: a massive model that required a data center could be “distilled” into a compact version that ran on a smartphone, retaining most of the original’s capabilities. It was elegant, useful for deployment on resource-constrained devices.
What changed was the scale and intent. When applied to frontier models like Claude, GPT-4, or Gemini, distillation becomes a mechanism for transferring capabilities that cost billions to develop. The key insight is that a model’s outputs — its reasoning chains, its stylistic choices, its error patterns — contain implicit knowledge about its training data, architecture decisions, and fine-tuning strategies. A sufficiently large distillation dataset can capture much of this implicit knowledge.
The Chinese operations allegedly took this to an extreme. A notable technique identified by Anthropic involved prompting Claude to “articulate the internal reasoning behind a completed response…step by step,” effectively generating chain-of-thought training data at scale. Rather than sending random queries, the accounts used systematically designed prompt sequences that mapped the boundaries of Claude’s abilities. Chains of increasingly complex queries would establish the exact point where reasoning breaks down. Multi-turn conversations would extract the model’s approach to balancing competing principles. Code generation requests across dozens of programming languages would reveal the breadth and depth of the model’s technical training.
Detection and Attribution: How Anthropic Caught Them
Anthropic’s ability to detect and attribute the distillation campaigns relied on a multi-layered approach. The company described using behavioral fingerprinting and classifiers to spot distillation-style prompt distributions, coordinated multi-account activity, and requests designed to elicit chain-of-thought reasoning.
The approach works on the principle that organic human users interact with AI models in recognizably human ways. They make typos, change topics abruptly, ask follow-up questions based on the model’s responses, and generally exhibit the kind of messy, non-linear curiosity that characterizes genuine intellectual exploration. Automated distillation queries, by contrast, follow systematic patterns. They cover topics in methodical sequences, use consistently formatted prompts, and rarely exhibit conversational pivots.
Beyond behavioral analysis, Anthropic attributed each campaign to a specific lab with what it described as “high confidence” through IP address correlation, request metadata, infrastructure indicators, and in some cases corroboration from industry partners. The hydra cluster architectures — networks of thousands of accounts managed through shared infrastructure — left forensic traces that connected seemingly independent accounts back to coordinated operations.
Anthropic outlined a three-layer defense strategy going forward. First, behavioral fingerprinting and classifiers to detect distillation patterns in real time. Second, strengthened access controls with tighter checks on commonly abused pathways such as education, research, and startup programs, plus stricter identity verification. Third, response shaping — product and model-level changes designed to reduce the extractive value of outputs for would-be student models while preserving utility for legitimate users.
Advertisement
The Broader Industry Response
Anthropic was not alone in discovering distillation attacks. OpenAI had already sounded the alarm eleven days earlier. On February 12, 2026, OpenAI sent a memo to the U.S. House Select Committee on China claiming to have observed “activity indicative of ongoing attempts by DeepSeek to distill frontier models of OpenAI and other US frontier labs, including through new, obfuscated methods.” OpenAI alleged that DeepSeek employees developed methods to circumvent access restrictions and obtain model outputs through obfuscated third-party routers.
Google’s Threat Intelligence Group (GTIG) confirmed that Gemini had been subjected to significant distillation attempts. In one documented campaign, attackers prompted Gemini more than 100,000 times before Google identified the pattern. The prompts attempted to coerce Gemini into outputting full reasoning processes, with the breadth of questions suggesting an attempt to replicate Gemini’s reasoning ability in non-English target languages. Google reported that it used data from detected attacks to strengthen Gemini’s classifiers, training the model to recognize when it is being probed for underlying logic.
The industry response has included expanded output watermarking systems that embed statistical signatures in model responses, invisible to human users but detectable in derivative models’ training data. Rate limiting has become more sophisticated, moving beyond simple API call caps to analyzing the information-theoretic content of query sequences — an account that sends queries with unusually high mutual information triggers review even if it stays within rate limits. Some researchers have explored “output poisoning” as a deterrent, though this approach remains controversial as it risks degrading the experience for legitimate users.
IP Protection in the Age of Open Weights
The distillation crisis has exposed a fundamental tension in the AI industry’s approach to intellectual property. Traditional software IP protection relies on keeping source code proprietary. But AI models leak their intellectual property every time they generate a response. Every output is, in effect, a tiny window into the model’s training and capabilities.
This creates what legal scholars are calling the “API paradox”: making a model available via API is simultaneously necessary for commercial viability and sufficient for intellectual property extraction. Unlike traditional software, where functionality can be observed without revealing implementation, AI models expose their implementation through their functionality.
The legal landscape is murky. Existing intellectual property frameworks were not designed for this scenario. Copyright law protects specific expressions but not ideas or methods — and it is unclear whether a model’s “style” of reasoning constitutes protectable expression. Trade secret law requires that the holder take reasonable steps to protect the secret, but how do you protect something that must be shared to generate revenue? Patent law moves too slowly to keep pace with AI development cycles.
The US-China AI Rivalry Dimension
The distillation controversy cannot be separated from the broader geopolitical context of US-China technological competition. The United States has implemented increasingly aggressive export controls targeting China’s AI sector, restricting access to advanced chips, manufacturing equipment, and cloud computing services. In January 2026, the Bureau of Industry and Security revised its export licensing policy for AI chips, moving to case-by-case review rather than presumption of denial for China-bound exports — but extending requirements to cover remote access infrastructure-as-a-service.
These controls have made it significantly harder for Chinese AI labs to train frontier models from scratch — but they have done nothing to prevent distillation from models that are freely available via API. This asymmetry has created a perverse incentive structure. The harder the US makes it for Chinese labs to develop their own foundation models, the greater the incentive to extract capabilities from American ones. Distillation becomes not just an economically rational shortcut but a strategic necessity in an environment where independent training is constrained by chip embargoes.
As of late February 2026, DeepSeek, MiniMax, and Moonshot AI had not publicly responded to Anthropic’s allegations. Requests for comment from multiple news outlets went unanswered. The incident has accelerated calls in Washington for extending export controls to cover model access itself — potentially requiring Chinese entities to obtain licenses before accessing American AI models via API. Such controls would represent a significant escalation and could fragment the global AI ecosystem into competing blocs with limited interoperability.
For the AI industry, the distillation wars represent a moment of reckoning. The assumption that model providers can simultaneously offer broad API access and protect their core intellectual property is being challenged. The solutions — whether technical, legal, or geopolitical — will shape the structure of the AI industry for years to come. What is clear is that the era of naive openness is ending, and the age of strategic AI access control has begun.
Advertisement
🧭 Decision Radar (Algeria Lens)
| Dimension | Assessment |
|---|---|
| Relevance for Algeria | Medium — Algeria’s nascent AI ecosystem is not directly involved, but Algerian developers and researchers using Claude, GPT, or Gemini APIs may face tighter access controls and identity verification as providers lock down against distillation |
| Infrastructure Ready? | No — Algeria lacks domestic frontier AI models; any API access restrictions disproportionately affect countries without indigenous alternatives |
| Skills Available? | Partial — Algerian ML researchers understand distillation techniques, but few organizations have the scale or compute to execute or defend against industrial distillation campaigns |
| Action Timeline | 6-12 months — Tighter API access controls and regional restrictions will likely roll out industry-wide in 2026, potentially affecting Algerian users |
| Key Stakeholders | AI researchers, university ML labs, startups building on top of Claude/GPT/Gemini APIs, Ministry of Post and Telecommunications |
| Decision Type | Educational — Understanding the shifting landscape of AI access and its implications for technology sovereignty |
Quick Take: Algerian AI builders should monitor how tighter distillation defenses affect API access from the MENA region. The trend toward stricter identity verification and regional controls could make it harder for Algerian developers to access frontier models — strengthening the case for investing in domestic AI capabilities and open-source alternatives.
Sources & Further Reading
- Detecting and Preventing Distillation Attacks — Anthropic
- Anthropic Accuses DeepSeek, Moonshot and MiniMax of Distillation Attacks on Claude — CNBC
- Anthropic Accuses Chinese AI Labs of Mining Claude as US Debates AI Chip Exports — TechCrunch
- Distilling the Knowledge in a Neural Network — Hinton, Vinyals, Dean (arXiv 2015)
- GTIG AI Threat Tracker: Distillation, Experimentation, and Integration of AI for Adversarial Use — Google Cloud Blog
- Anthropic Claims Chinese Companies Ripped It Off Using Its AI Tools — Fortune
- OpenAI Accuses DeepSeek of Distilling US AI Models — Rest of World
🔗 Related Intelligence
The China-US AI Race: How DeepSeek and Open-Source Models Are Reshaping the Industry
The Acquihire Arms Race: Big Tech’s Billion-Dollar Talent Raids on AI Startups
Disposable Software: Why AI Is Making Throwaway Code the New Normal
Agentic AI’s Production Gap: Why Only 11% of Enterprises Have Agents Running
Advertisement