DeepSeek, Moonshot and MiniMax accused of extracting Claude’s capabilities to improve their own models
Yesterday, Anthropic officially announced that it has identified industrial-scale distillation attacks on its models by three AI laboratories- DeepSeek, Moonshot and MiniMax. The accused labs are said to have created over 24,000 fraudulent accounts and to have generated over 16 million exchanges with Claude, leveraging its capabilities to train and improve their own models.
These attacks are growing in intensity and sophistication. Addressing them will require rapid, coordinated action among industry players, policymakers, and the broader AI community.
Read more: https://t.co/4SVm8K3qou
— Anthropic (@AnthropicAI) February 23, 2026
Wondering what distillation is? Distillation involves training a less capable model on the outputs of a stronger one. It is a widely used and legitimate training method. But this method could also be used for illicit purposes; competitors can use it to acquire powerful capabilities from other labs. Though those illicitly distilled models lack necessary safeguards, they create significant national security risks.
What was found in the distillation campaigns?
The three distillation campaigns used fraudulent accounts and proxy services to access Claude at scale while evading detection.
DeepSeek
Scale: Over 150,000 exchanges
Operation targeted:
- Reasoning capabilities across diverse tasks
- Rubric-based grading tasks that made Claude function as a reward model for reinforcement learning
- Creating censorship-safe alternatives to policy-sensitive queries
Moonshot AI
Scale: Over 3.4 million exchanges
Operation targeted:
- Agentic reasoning and tool use
- Coding and data analysis
- Computer-use agent development
- Computer vision
MinMax
Scale: Over 13 million exchanges
Operation targeted:
- Agentic coding
- Tool use and orchestration
It is revealed that for national security reasons, Anthropic does not currently offer commercial access to Claude in China, or to subsidiaries of their companies located outside of the country. According to Anthropic, these labs used commercial proxy services that resell access to Claude and other frontier AI models at scale.
And when one account is banned, a new one takes its place. In one case, a single proxy network managed more than 20,000 fraudulent accounts simultaneously, mixing distillation traffic with unrelated customer requests to make detection harder. Once access is secured, the labs generate large volumes of carefully crafted prompts designed to extract specific capabilities from the model.
But when variations of that prompt arrive tens of thousands of times across hundreds of coordinated accounts, all targeting the same narrow capability, the pattern becomes clear.
How is Anthropic working to stop such distillation attacks?
- Detections: Several classifiers and behavioural fingerprinting systems are designed to identify distillation attack patterns in API traffic. Detection tools are also built for identifying coordinated activity across large numbers of accounts.
- Intelligence sharing: Anthropic is sharing technical indicators with other AI labs, cloud providers, and relevant authorities.
- Access controls: The company has strengthened verification for educational accounts, security research programs and startup organisations- most commonly exploited pathways for setting up fraudulent accounts.
- Counter measures: The company is developing Product, API and model-level safeguards designed to reduce the efficacy of model outputs for illicit distillation, without degrading the experience for legitimate customers.
These distillation campaigns are growing in intensity and sophistication, and apart from the above measures, the company has mentioned that distillation attacks at this scale require a coordinated response across the AI industry, cloud providers, and policymakers.
