ThoughtsOfMuskan

Anthropic Accuses Chinese AI Labs of Distillation Attacks on Claude

Anthropic claims DeepSeek, Moonshot AI, and MiniMax executed industrial-scale distillation attacks on Claude. Learn the market implications for AI safety.

Muskan Verma

On February 23, 2026, Anthropic published a rare public accusation against three prominent Chinese AI laboratories—DeepSeek, Moonshot AI, and MiniMax—claiming they executed industrial-scale distillation attacks on Claude.

Anthropic alleges these companies created over 24,000 fraudulent accounts and generated more than 16 million exchanges with Claude to illicitly extract capabilities.

The core allegations were published by Anthropic in a thread on X.

The mechanism of distillation attacks

Distillation involves training a less capable AI model on the outputs of a stronger, frontier model. While legitimate when used internally to create smaller, cheaper models, doing so cross-company without permission is highly controversial. It allows competitors to acquire powerful capabilities in a fraction of the time and cost required for independent development.

Anthropic reports that these laboratories utilised “hydra cluster” architectures. These are sprawling networks of proxy services that resell access to Claude and other frontier models, effectively bypassing regional restrictions intended to prevent access from China.

In one instance, Anthropic observed a single proxy network managing more than 20,000 fraudulent accounts simultaneously. The attackers generated massive, concentrated volumes of highly repetitive prompts designed specifically to extract training data.

Scale and focus of the alleged operations

Anthropic attributed the campaigns through IP address correlation, request metadata, infrastructure indicators, and intelligence from industry partners.

  • MiniMax (over 13 million exchanges): The largest offender, targeting agentic coding and tool orchestration. Anthropic detected this campaign before MiniMax launched its model. When Anthropic released an updated version of Claude, MiniMax pivoted within 24 hours, redirecting nearly half its traffic to capture capabilities from the new system.
  • Moonshot AI (over 3.4 million exchanges): Using hundreds of fraudulent accounts, Moonshot concentrated on extracting agentic reasoning, computer vision, and computer-use agent development. In its latter phases, the operation attempted to reconstruct Claude’s specific reasoning traces.
  • DeepSeek (over 150,000 exchanges): Despite lower volumes, DeepSeek generated synchronised traffic to bypass detection. DeepSeek actively prompted Claude to generate internal reasoning steps for completed responses—creating chain-of-thought training data at scale. Notably, the lab also used Claude to generate censorship-safe alternatives to politically sensitive queries (such as those concerning dissidents or authoritarianism) to train their own models.

National security and export control implications

Anthropic argues that illicit distillation creates significant national security risks. The company builds safeguards into Claude to prevent state and non-state actors from generating bioweapons or conducting malicious cyber operations. When foreign laboratories distil a model, these safety alignments are generally discarded.

Foreign laboratories could feed these unprotected capabilities into military, intelligence, and surveillance systems. Furthermore, Anthropic asserts that these actions directly undermine U.S. export controls, such as the Diffusion Rule. The rapid advancement of adversarial AI models, they argue, is heavily dependent on capabilities extracted from American models, a process that still requires massive cloud access to advanced chips.

Strategic countermeasures

In response, Anthropic is actively developing countermeasures without degrading legitimate customer experience.

  • Detection: New classifiers and behavioural fingerprinting systems to identify chain-of-thought elicitation and coordinated proxy activity.
  • Intelligence Sharing: Distributing technical indicators with other AI labs and cloud providers.
  • Access Controls: Strengthening verification pathways frequently exploited by proxy networks, specifically educational accounts and start-up programmes.
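
The following is an added example, not Anthropic's detection logic and not code from the original article. It sketches one heuristic for the pattern described above: many accounts behind one network sending near-identical prompts. The log fields, network labels, thresholds and sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records: (account, egress network, prompt). Not real traffic.
SAMPLE = [
    ("acct-001", "net-A", "Explain step by step how you solved task 1841"),
    ("acct-002", "net-A", "Explain step by step how you solved task 1842"),
    ("acct-003", "net-A", "Explain step by step how you solved task 1843"),
    ("acct-004", "net-A", "Explain step by step how you solved task 1844"),
    ("acct-002", "net-A", "Explain step by step how you solved task 77"),
    ("acct-001", "net-A", "Summarise this email for me"),
    ("acct-100", "net-B", "Draft a cover letter for a lab technician role"),
    ("acct-101", "net-B", "Why does my for loop skip index 3?"),
    ("acct-102", "net-B", "Translate this paragraph into French"),
    ("acct-900", "net-C", "Rewrite ticket 12 politely"),
    ("acct-900", "net-C", "Rewrite ticket 13 politely"),
    ("acct-900", "net-C", "Rewrite ticket 14 politely"),
]

def template(prompt):
    """Collapse a prompt to a coarse template so near-duplicates compare equal."""
    p = prompt.lower()
    p = re.sub(r'"[^"]*"', "<str>", p)   # quoted payloads vary per request
    p = re.sub(r"\d+", "<n>", p)         # so do task or item numbers
    return re.sub(r"\s+", " ", p).strip()

def flag_clusters(records, min_accounts=3, min_repeat=0.8):
    """Flag networks where several accounts share one dominant prompt template.

    Thresholds are illustrative assumptions, not tuned values.
    """
    by_net = defaultdict(list)
    for account, egress, prompt in records:
        by_net[egress].append((account, template(prompt)))
    flagged = {}
    for egress, rows in by_net.items():
        top_tpl, top_count = Counter(t for _, t in rows).most_common(1)[0]
        sharing = {a for a, t in rows if t == top_tpl}  # accounts using it
        repeat = top_count / len(rows)
        # Require BOTH signals: a shared NAT with varied prompts (net-B) and a
        # single repetitive account (net-C) should not be flagged on their own.
        if len(sharing) >= min_accounts and repeat >= min_repeat:
            flagged[egress] = {"sharing_accounts": len(sharing),
                               "repeat_ratio": round(repeat, 2),
                               "template": top_tpl}
    return flagged

if __name__ == "__main__":
    print(flag_clusters(SAMPLE))
```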

Anthropic has called for coordinated action among industry players and policymakers, indicating that the threat of systemic distillation extends far beyond any single platform.

