Anthropic Accuses Chinese AI Labs of Large-Scale Distillation Attack; Community Notes and Musk React
Anthropic's report alleges that DeepSeek, Moonshot AI, and MiniMax used 24,000 fake accounts to harvest 16 million Claude interactions for illicit model distillation, prompting Community Notes to expose Anthropic's own past data‑piracy settlements and sparking a rebuttal from Elon Musk.
What actually happened?
On February 23, Anthropic published a report titled "Detecting and Preventing Distillation Attacks" and posted three tweets announcing that three Chinese AI labs had launched an "industrial‑scale distillation attack" against Claude, extracting roughly 16 million dialogue turns using 24,000 fabricated accounts.
What is “distillation” in this context?
Knowledge distillation is a standard technique where a large “teacher” model’s outputs are used to train a smaller “student” model. Anthropic and OpenAI both employ it internally (e.g., Opus → Haiku, GPT‑4 → GPT‑4o‑mini). The controversy arises when a competitor harvests another company’s API output at massive scale to build its own model, which Anthropic argues crosses a legal and ethical line.
Key details from the Anthropic report
DeepSeek – ~150,000 interactions. The lab forced Claude to reveal its internal reasoning (Chain‑of‑Thought) and used the generated safety‑evasion prompts to train its own model.
MiniMax – over 13 million interactions focused on code generation and tool orchestration. Anthropic observed the full lifecycle of the attack and noted that MiniMax redirected traffic to its own service within 24 hours of Claude’s new model release.
Moonshot AI – more than 3.4 million interactions covering proxy reasoning, tool use, and computer‑vision tasks. Metadata allowed Anthropic to trace the activity back to senior staff.
All three entities accessed Claude through commercial proxy services that manage a “hydra cluster” of >20,000 fake accounts, interleaving malicious traffic with legitimate requests to evade detection.
The backlash on X
Anthropic itself used stolen data to train Claude. In September 2025 it settled a $1.5 billion lawsuit over pirated books, and as of January 2026 it faces a $3 billion copyright suit for illegally downloading over 20,000 songs.
Community Notes highlighted these settlements, and Elon Musk added, “Anthropic’s large‑scale data theft is a fact; they’ve already paid tens of billions in settlements.” A developer commented on the cost disparity, noting that Anthropic spent $8 billion on data while DeepSeek allegedly spent nothing.
Anthropic’s underlying intent
The report repeatedly mentions “national security,” “military,” “intelligence,” and “surveillance,” suggesting a strategic message to U.S. policymakers. Its three main arguments are:
Distilled models may lack safety guards and could be weaponized for bio‑weapons, cyber attacks, or disinformation.
The attacks bypass U.S. chip‑export controls.
China’s rapid AI progress stems from stealing U.S. models, not from ineffective export controls.
Anthropic frames the issue as a security threat rather than a commercial dispute.
How hard is it to defend against distillation?
Technical countermeasures mentioned include API‑call fingerprinting, intelligence sharing with other AI firms, stricter account verification, and model‑level anti‑distillation techniques. However, the report concedes that any model exposed via an API can be recorded, making perfect protection impossible—analogous to DRM for music.
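An added example, not taken from Anthropic's report or from this article: one way API‑call fingerprinting could surface a cluster of accounts like the "hydra cluster" described earlier, where each account stays low‑volume and mixes templated requests with ordinary ones. The function names, masking rules, threshold and sample traffic are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

def prompt_fingerprint(prompt: str) -> str:
    """Hash the prompt's structure; quoted literals and numbers are masked so
    templated requests with different fill-in values collapse together."""
    skeleton = re.sub(r'"[^"]*"', "<str>", prompt.lower())
    skeleton = re.sub(r"\d+", "<num>", skeleton)
    skeleton = re.sub(r"\s+", " ", skeleton).strip()
    return hashlib.sha256(skeleton.encode()).hexdigest()[:16]

def find_coordinated_accounts(requests, min_accounts=3):
    """requests: list of (account_id, prompt) pairs.
    Returns {fingerprint: sorted account ids} for every prompt template
    shared by at least min_accounts distinct accounts (assumed threshold)."""
    accounts_by_fp = defaultdict(set)
    for account_id, prompt in requests:
        accounts_by_fp[prompt_fingerprint(prompt)].add(account_id)
    return {fp: sorted(accts) for fp, accts in accounts_by_fp.items()
            if len(accts) >= min_accounts}

def templated_share(requests, clusters):
    """Fraction of each flagged account's traffic that matches a shared
    template; interleaved ordinary requests pull this below 1.0."""
    flagged = {a for accts in clusters.values() for a in accts}
    total, hits = defaultdict(int), defaultdict(int)
    for account_id, prompt in requests:
        if account_id in flagged:
            total[account_id] += 1
            hits[account_id] += prompt_fingerprint(prompt) in clusters
    return {a: hits[a] / total[a] for a in sorted(flagged)}

# Constructed sample traffic: no account sends more than two requests, so a
# per-account rate limit sees nothing; the shared template is the signal.
SAMPLE_REQUESTS = [
    ("acct-01", 'Explain step by step how to solve task 101 about "sorting".'),
    ("acct-01", "What's a good name for a bakery?"),
    ("acct-02", 'Explain step by step how to solve task 2207 about "graphs".'),
    ("acct-02", "Summarize this email for me."),
    ("acct-03", 'Explain step by step how to solve task 58 about "parsing".'),
    ("acct-04", "Write a haiku about autumn."),
    ("acct-05", "Translate 'good morning' to French."),
]

if __name__ == "__main__":
    clusters = find_coordinated_accounts(SAMPLE_REQUESTS)
    print(clusters)
    print(templated_share(SAMPLE_REQUESTS, clusters))
```

In practice a structural fingerprint like this would be only one signal, correlated with others such as payment details or network egress before any account is actioned.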
Legal and ethical gray zones
Anthropic outlines three data‑use categories:
Public‑web scraping – generally legal but often contested by original authors.
Training on pirated books – resulted in a $1.5 billion settlement.
Training on competitors’ API outputs – violates service terms but lacks clear legal precedent.
The distinction is less technical than political; whoever defines the rules first gains advantage.
What lies ahead for the three Chinese companies?
In the short term their API access is likely to be tightened and they may face sanctions as Anthropic shares threat intelligence with other AI providers and cloud platforms. In the long term the episode serves as a warning that relying on stolen model outputs is unsustainable; tighter defenses will make the “steal‑to‑catch‑up” strategy increasingly risky.
Overall, no party is spotless: Anthropic itself settled for using pirated data, the Chinese labs allegedly breached service terms, and even Elon Musk’s xAI faces scrutiny over its own data sources.
References
Anthropic official report: https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks
Anthropic X thread: https://x.com/AnthropicAI/status/2025997928242811253
ShiZhen AI
Tech blogger with over 10 years of experience at leading tech firms; AI efficiency and delivery expert focusing on AI productivity. Covers tech gadgets, AI-driven efficiency, and leisure.
