Generative AI firm Anthropic said three Chinese AI companies have generated millions of queries with the Claude large language model (LLM) in order to copy the model, a technique called a ‘model distillation attack.’
In a new blog post published on February 23, Anthropic said three GenAI labs based in China, DeepSeek, Moonshot and MiniMax, have generated over 16 million exchanges with Claude through approximately 24,000 fraudulent accounts, in violation of Anthropic’s terms of service and regional access restrictions.
Model distillation is a legitimate AI training method that involves training a less capable model on the outputs of a stronger one.
It can also be used maliciously to rapidly and inexpensively gain advanced capabilities from other labs, bypassing the significant time and resources required for independent development.
Beyond concerns about trade secrets and competitive advantage, Anthropic warned that illicitly distilled models create security risks: they can be used for malicious and harmful purposes that the original owner of the stolen model has built guardrails against, such as developing bioweapons or carrying out malicious cyber activities.
“Foreign labs that distill American models can then feed these unprotected capabilities into military, intelligence, and surveillance systems, enabling authoritarian governments to deploy frontier AI for offensive cyber operations, disinformation campaigns and mass surveillance,” the Anthropic blog noted.
For security reasons, Anthropic does not currently offer commercial access to Claude in China or to subsidiaries of Chinese companies located outside of the country.
How Anthropic Fights Against Distillation Attacks
While the three distillation campaigns pursued different goals (e.g. improving agentic reasoning or coding capabilities), they all followed a similar playbook, using fraudulent accounts and proxy services to access Claude at scale while evading detection.
The volume, structure and focus of the prompts used by DeepSeek, Moonshot and MiniMax were distinct from normal usage patterns, reflecting deliberate capability extraction rather than legitimate use, Anthropic said.
The US-based GenAI company based its attribution of the campaigns on IP address correlation, request metadata, infrastructure indicators and reports of similar behaviors from industry partners.
To prevent and mitigate illicit distillation attacks targeting Claude, Anthropic implemented the following security controls:
- Detection systems to identify attack patterns in API traffic
- Tools to detect chain-of-thought elicitation and coordinated account activity
- Stronger verification for high-risk accounts (educational, research, startups)
- Product, API and model-level safeguards to reduce misuse
