Anthropic Accuses Chinese AI Labs of ‘Distillation Attacks’ – Musk Mockingly Highlights Double Standards

On February 24 2026, Anthropic announced via a blog post and official tweet that three Chinese AI labs—DeepSeek, Moonshadow, and MiniMax—had carried out an "industrial‑scale distillation attack" against its flagship model Claude. The company claimed the labs created roughly 24,000 counterfeit accounts to bypass API rate limits and performed more than 16 million structured queries to extract Claude’s capabilities in complex reasoning, multimodal tool use, and advanced programming, thereby building a proprietary training dataset for their own large language models.

Anthropic framed this behavior as premeditated knowledge theft that exceeds normal product testing or commercial usage, labeling it an "unfair‑competition benchmark" in the AI sector. The accusation quickly attracted worldwide attention, with Elon Musk sarcastically pointing out Anthropic’s own reliance on large‑scale scraping of open‑source code and copyrighted content, suggesting a double standard in the company’s stance.

The technical core of the dispute is the distinction between traditional model distillation and the alleged "attack‑style" distillation. Traditional distillation, pioneered by Geoffrey Hinton in 2015, transfers knowledge from a large teacher model to a smaller student model within the same organization, using soft‑label outputs and requiring direct access to the teacher’s internals. In contrast, the alleged attack involves a competing entity that does not own the teacher model, instead harvesting input‑output pairs via public API calls, constructing a pseudo‑training set, and tuning distillation hyper‑parameters (temperature, loss functions) to replicate core capabilities covertly.

The process described in Google’s 2025 "AI Model Distillation Attack Whitepaper" aligns with Anthropic’s evidence and consists of four steps:

Step 1: Register a large number of fake accounts to evade per‑account API limits and gain access to the target model’s API.

Step 2: Generate massive structured queries covering key capability domains (reasoning, coding, translation, etc.) and collect full response data, including answers, confidence scores, chain‑of‑thought traces, and latency.

Step 3: Clean, deduplicate, and annotate the collected responses to form a synthetic training set.

Step 4: Train a student model on this set, iteratively adjusting distillation parameters to reproduce the teacher’s performance.

According to the Stanford AI Index 2026 Q1 report, Claude’s global market share fell from 18.7 % at the end of 2025 to 16.2 %, while the combined share of the three Chinese labs rose from 3.2 % to 5.7 %, suggesting a competitive motive behind Anthropic’s public charge.

Legal scholars note that the dispute hinges on three ambiguous layers: (1) the intellectual‑property status of AI models themselves, which currently lacks clear statutory protection; (2) the boundaries of paid‑API usage rights, where most providers forbid using outputs to train competing models, but enforcement depends on contract interpretation; and (3) the distinction between publicly available model outputs and proprietary data obtained via large‑scale, undisclosed API scraping, which may conflict with Anthropic’s privacy policy.

Industry experts also emphasize that if the Chinese labs accessed Claude through legitimate paid API calls, their actions would constitute a breach of service terms rather than outright infringement, a nuance that could affect potential litigation outcomes.

Beyond the legal debate, the episode reflects a deeper strategic clash: Anthropic appears to use the accusation as a defensive move to curb the rapid overseas expansion of Chinese AI firms and to shape forthcoming AI‑IP regulations in its favor. Simultaneously, Chinese companies argue that their models incorporate original innovations—such as DeepSeek’s advances in Chinese mathematical reasoning and Moonshadow’s breakthroughs in long‑text coherence—despite external perceptions of “copy‑cat” behavior.

To mitigate future attacks, the article recommends two technical defenses drawn from Google’s research: (1) output perturbation and differential‑privacy techniques that degrade the consistency of responses for large‑scale scraping, and (2) anti‑distillation sampling that introduces stochasticity into API outputs without harming legitimate user experience.

On the policy side, the authors propose three concrete steps: (1) explicitly define AI model IP scope to cover algorithms, parameters, and core knowledge; (2) clarify the permissible scope of paid‑API usage, distinguishing contractual breach from IP infringement; and (3) foster international cooperation to develop harmonized AI‑IP rules, given the cross‑border nature of model training.

For Chinese AI firms, the path forward involves boosting foundational research (algorithm optimization, data governance, multimodal fusion), ensuring data provenance and compliance, and focusing on differentiated, domain‑specific applications to move from “follow‑and‑replicate” to genuine innovation.

Overall, the Anthropic accusation serves as a catalyst exposing the current gray zones of AI knowledge‑property law, the tension between open‑source collaboration and proprietary protection, and the inevitable push toward clearer industry standards as the generative‑AI market matures.