Pomegra
---
24,000 Fake Accounts and 16 Million Stolen Exchanges
Anthropic's findings, published Monday on its official blog, detail how DeepSeek, Moonshot AI, and MiniMax β three of China's leading frontier AI developers β systematically exploited Claude's API through large-scale networks of fraudulent accounts. In total, the three companies generated more than 16 million exchanges with Claude, deliberately engineering interactions designed to feed Claude's outputs back into their own model training pipelines.
The method used is known as "distillation" β a legitimate machine learning technique in which a smaller or less capable model is trained on the outputs of a more powerful one. While routinely used internally by AI labs to produce leaner, faster models for commercial deployment, the technique becomes a form of intellectual property theft when deployed covertly against a competitor's system, in direct violation of both end-user license agreements and U.S. export control regulations.
Anthropic identified a hallmark operational pattern across all three actors: the use of "hydra cluster" networks β large pools of interconnected fraudulent accounts that spread extraction traffic across Anthropic's API and third-party cloud resellers. In one documented case, a single proxy network simultaneously controlled more than 20,000 fraudulent accounts, cloaking extraction traffic by mixing it with ordinary user activity. The behavioral signatures, however, were unmistakable β extremely high query volumes, narrow capability targeting, and highly repetitive prompt patterns entirely inconsistent with normal end-user behavior.
---
How Each Company Targeted Claude's Core Capabilities
The scale and focus of each attack varied significantly, revealing deliberate and distinct strategic objectives.
DeepSeek generated over 150,000 exchanges, concentrating efforts on Claude's foundational reasoning capabilities, rubric-based grading systems suitable for building reinforcement learning reward models, and censorship-safe rewrites of politically sensitive queries β a category suggesting an intent to strip Western AI safety guardrails from extracted content. DeepSeek's prompts were specifically engineered to surface Claude's internal chain-of-thought reasoning traces, providing raw training data for replicating advanced agentic logic. Moonshot AI, the developer behind the Kimi model family, accounted for more than 3.4 million exchanges. Its extraction campaign was tightly focused on agentic reasoning, tool use, multi-step coding and data analysis, computer-use agent development, and computer vision β precisely the capabilities that differentiate frontier AI models in enterprise and autonomous applications. Moonshot subsequently released its Kimi K2.5 open-source model and a coding agent in January 2026, a timeline Anthropic views as directly correlated with the extraction activities. MiniMax executed the largest operation by far, generating over 13 million exchanges targeting agentic coding, tool orchestration, and complex workflow automation. Anthropic's security teams detected the MiniMax campaign while it was still actively running, providing an unprecedented live view into the full lifecycle of a distillation attack. Critically, within just 24 hours of Anthropic launching its latest Claude model, MiniMax redirected nearly half its total extraction traffic to immediately begin siphoning capabilities from the newest version.---
National Security Dimensions Extend Beyond IP Theft
Anthropic framed the accusations as extending well beyond competitive intellectual property concerns, raising direct national security alarms. The company warned that AI models trained through illicit distillation are unlikely to inherit the safety guardrails built into American frontier systems β guardrails specifically designed to prevent AI from being weaponized for bioweapon development, offensive cyber operations, mass surveillance, and disinformation campaigns.
"Foreign labs that illicitly distill American models can remove safeguards, feeding model capabilities into their own military, intelligence, and surveillance systems," Anthropic stated in its official release.
The company also identified a separate, related threat vector: a group assessed as a Chinese state-sponsored actor that manipulated Claude to target approximately 30 high-profile organizations, underscoring that the distillation attacks do not exist in isolation but form part of a broader pattern of AI-enabled state activity.
Dmitri Alperovitch, chairman of the Silverado Policy Accelerator think-tank and co-founder of CrowdStrike, characterized the revelations as confirmation of a widely suspected dynamic. "It's been clear for a while now that part of the reason for the rapid progress of Chinese AI models has been theft via distillation of U.S. frontier models. Now we know this for a fact," Alperovitch stated, adding that the findings provide "even more compelling reasons" to block advanced chip sales to the accused firms.---
Chip Export Controls Back in the Spotlight
The timing of Anthropic's disclosure is politically charged. The accusations arrive as the Trump administration faces sustained criticism for loosening semiconductor export restrictions β formally allowing U.S. companies, including Nvidia, to resume exports of advanced AI chips such as the H200 to China last December. Critics of that decision have argued it directly bolsters Chinese AI computing capacity at a pivotal moment in the global AI race.
Anthropic sharpened that argument directly: "The scale of extraction DeepSeek, MiniMax, and Moonshot performed requires access to advanced chips. Distillation attacks therefore reinforce the rationale for export controls: restricted chip access limits both direct model training and the scale of illicit distillation."
The accusation adds significant weight to ongoing congressional debates over how aggressively to enforce semiconductor restrictions and whether to reimpose stricter limitations on AI hardware exports to Chinese entities.
---
Anthropic's Industry-Wide Defense Push
In response to the identified attacks, Anthropic announced a suite of defensive measures already deployed and under active development. The company has implemented AI behavioral fingerprinting classifiers capable of detecting extraction patterns within API traffic, including chain-of-thought elicitation techniques and coordinated multi-account activity signatures. Anthropic is actively sharing technical indicators of large-scale distillation operations with peer AI labs, cloud infrastructure providers, and government authorities.
The company is simultaneously tightening verification standards for educational, research, and startup accounts β categories historically exploited to generate fraudulent API access β and developing product-, API-, and model-level safeguards that reduce the utility of Claude's outputs for illicit training without degrading the experience of legitimate users.
Anthropic acknowledged that no single company can neutralize threats at this scale alone, calling for "a coordinated response across the AI industry, cloud providers, and policymakers." DeepSeek, Moonshot AI, and MiniMax had not issued public responses at the time of publication.
---
The allegations mark the most detailed and substantiated public accusation leveled by a major American AI company against named Chinese competitors, raising the stakes considerably in both the technology race and the regulatory battles that will define it. With DeepSeek's next flagship model β reportedly capable of outperforming both Claude and ChatGPT in coding benchmarks β expected imminently, the question of how extracted capabilities accelerated that development is now squarely before policymakers in Washington.
---
Mentioned Tickers: `NVDA`, `AMZN`, `MSFT`, `GOOGL`, `META`
