Anthropic says three labs ran industrial-scale distillation attacks on Claude

anthropic has identified what it describes as industrial-scale campaigns by three rival AI laboratories that illicitly extracted the capabilities of its Claude model. The company says the activity matters because the extracted capabilities can be retained in less-protected models and deployed in military, intelligence, or surveillance systems.

Anthropic attribution and evidence

Anthropic attributes the campaigns to DeepSeek, Moonshot and MiniMax and says it reached those conclusions with high confidence through IP address correlation, request metadata and infrastructure indicators. In some cases Anthropic also cited corroboration from industry partners who observed the same ac (unclear in the provided context).

DeepSeek, Moonshot and MiniMax playbook

The company describes a similar playbook across the three campaigns: the use of fraudulent accounts and proxy services to access Claude at scale while evading detection. Anthropic says the volume, structure and focus of the prompts differed from normal usage patterns and reflected deliberate capability extraction rather than legitimate use.

Scale: 16 million exchanges and 24, 000 fraudulent accounts

Anthropic reports the three labs generated more than 16 million exchanges with Claude using approximately 24, 000 fraudulent accounts, conduct that it says violated terms of service and regional access restrictions. That level of access, the company argues, allowed competitors to train smaller models on Claude’s outputs—an approach known as distillation—and to do so at a fraction of the time and cost of independent development.

Distillation explained and legitimate uses

The company spelled out that distillation is a technique in which a less capable model is trained on outputs from a stronger one. It also noted that distillation is frequently used legitimately: frontier AI labs routinely distill their own models to create smaller, cheaper versions for their customers. The problem, Anthropic says, is when distillation is applied without authorization for competitive advantage.

National security, export controls and downstream risks

Anthropic warns that illicitly distilled models lack necessary safeguards and create significant national security risks. It says systems built by US companies include protections intended to prevent state and non-state actors from using AI to develop bioweapons or carry out malicious cyber activities; models built through illicit distillation are unlikely to retain those safeguards, allowing dangerous capabilities to proliferate with protections stripped out.

Anthropic further warns that foreign labs that distill American models can feed those unprotected capabilities into military, intelligence and surveillance systems, enabling offensive cyber operations, disinformation campaigns and mass surveillance. If distilled models are open-sourced, Anthropic says, the risk multiplies as capabilities spread beyond any single government’s control.

The company has consistently supported export controls to help maintain America’s lead in AI, and it frames distillation attacks as undermining those controls by allowing foreign labs—including those subject to the control of the Chinese Communist Party—to narrow the competitive advantage export controls are meant to preserve. Anthropic argues that apparent rapid advancements at those labs depend in significant part on capabilities extracted from American models and that executing this extraction at scale requires access to advanced chips. The company says this dynamic reinforces the rationale for restricting chip access because it limits both direct model training and the scale of illicit distillation.

Detection challenges and call for coordinated action

Anthropic describes the campaigns as growing in intensity and sophistication and says the window to act is narrow. The company calls for rapid, coordinated action among industry players, policymakers and the global AI community to detect and prevent similar campaigns. What makes this notable is the combination of scale—millions of exchanges and tens of thousands of fraudulent accounts—and the claimed ability of distilled models to migrate powerful capabilities into unprotected systems.

anthropic’s account presents a chain of cause and effect: large-scale, fraudulent access to Claude enabled distillation (cause), which produces less-protected models that can be repurposed for harmful military and intelligence uses (effect), and those outcomes, in turn, challenge existing export-control regimes. The company’s detailed facts, the named labs and the numbers it provides form the basis for its appeal for broader industry and policy responses.