Anthropic, a leading American artificial intelligence development company, has publicly accused three prominent Chinese AI firms (DeepSeek, Moonshot AI, and MiniMax) of orchestrating a massive "distillation attack" against its advanced Claude AI model. The U.S.-based developer alleges that these companies systematically created over 24,000 fake accounts to illicitly extract Claude’s capabilities and improve their own proprietary AI models, collectively generating more than 16 million exchanges with Claude. This extensive operation, Anthropic claims, specifically targeted Claude’s most sophisticated and differentiated capabilities, including advanced agentic reasoning, complex tool use, and high-level coding functionalities.
These serious accusations from Anthropic emerge amid a heightened global debate regarding the stringency and enforcement of export controls on advanced AI chips. Such policies are a cornerstone of the U.S. strategy aimed at curbing China’s rapid AI development. The incident thus underscores the intricate connections between technological innovation, corporate rivalry, and critical national security implications within the swiftly evolving artificial intelligence landscape.
Distillation is a recognized and widely used training methodology within the AI industry, serving a legitimate purpose. In its ethical application, AI laboratories utilize distillation to develop smaller, more efficient, and often more cost-effective versions of their own larger, more powerful "teacher" models, without significantly compromising performance. This process involves a smaller "student" model learning to replicate the output and behavior of a more complex "teacher" model. However, the technique can also be exploited by competitors to illicitly "copy the homework" of other labs, thereby gaining access to proprietary model capabilities and training data without investing the equivalent substantial resources, time, or intellectual property in independent development. The alleged actions by the Chinese firms fall squarely into this illicit category, circumventing ethical guidelines and potentially violating terms of service. This is not an isolated claim; OpenAI, another major American AI company, informed House lawmakers earlier this month of similar accusations against DeepSeek, alleging that the firm used distillation to mimic its products.
DeepSeek initially drew significant attention approximately a year ago with the launch of its open-source R1 reasoning model. This model made a considerable impact within the AI community by demonstrating performance metrics that closely rivaled those of American frontier AI laboratories, but at a remarkably lower computational cost. The company is reportedly on the verge of releasing DeepSeek V4, its next flagship model. Industry reports suggest that DeepSeek V4 has the potential to outperform existing leading models like Anthropic’s Claude and OpenAI’s ChatGPT, particularly in specialized coding abilities, a capability that Anthropic explicitly states was a primary target in the alleged distillation attacks.
The scope and specific focus of the alleged distillation attacks varied among the three accused Chinese companies. Anthropic’s internal monitoring systems identified over 150,000 distinct exchanges originating from DeepSeek. These interactions appeared to be meticulously designed to enhance foundational logic and alignment within DeepSeek’s models. A significant aspect of this focus was the development of censorship-safe alternatives for policy-sensitive queries, indicating an effort to tailor models for specific regulatory or ideological environments.
Moonshot AI was implicated in a considerably more extensive operation, involving more than 3.4 million exchanges that targeted a broader spectrum of Claude’s advanced functionalities. These included agentic reasoning and tool use, which refers to an AI model’s capacity to plan, execute multi-step tasks, and interact effectively with external software or systems; sophisticated coding and data analysis capabilities; the development of computer-use agents; and even aspects of computer vision. Just last month, Moonshot AI launched a new open-source model called Kimi K2.5 and an accompanying coding agent, potentially leveraging the insights and capabilities gained through these alleged illicit interactions with Claude.
MiniMax, according to Anthropic’s findings, was responsible for the largest volume of illicit interactions, totaling an astounding 13 million exchanges. Their efforts were primarily concentrated on agentic coding, advanced tool use, and orchestration (the critical ability of an AI system to seamlessly coordinate multiple tasks and tools to achieve complex, overarching goals). Anthropic stated that it was able to directly observe MiniMax’s operational tactics in real time, noting that the firm strategically redirected nearly half of its active traffic to siphon capabilities from the very latest Claude model immediately following its public launch. This observation suggests a highly opportunistic, aggressive, and systematic strategy to exploit new advancements as soon as they became available.
In response to these sophisticated and large-scale attacks, Anthropic has publicly committed to investing further in advanced defensive mechanisms. These enhanced defenses aim to make distillation attacks significantly more difficult to execute and considerably easier to identify and mitigate. However, the company emphasized that such critical efforts cannot be borne by individual firms in isolation. Anthropic has issued a strong call for a "coordinated response across the AI industry, cloud providers, and policymakers" to develop comprehensive strategies and robust safeguards against such pervasive illicit activities.
The timing of these distillation attacks further complicates the ongoing, contentious debate within the United States regarding the export of American-made chips to China. Just last month, the Trump administration enacted a significant policy decision, formally authorizing U.S. companies, including NVIDIA, to export certain advanced AI chips, such as the H200, to China. This decision drew considerable criticism from various sectors, with opponents arguing that loosening export controls risks significantly bolstering China’s AI computing capacity at a critical juncture in the global competition for AI dominance.
Anthropic explicitly connected the alleged distillation activities to the broader chip export debate, asserting that the sheer scale of extraction performed by DeepSeek, MiniMax, and Moonshot "requires access to advanced chips." The company’s official blog post on the matter underscored this crucial point: "Distillation attacks therefore reinforce the rationale for export controls: restricted chip access limits both direct model training and the scale of illicit distillation." This statement positions the alleged intellectual property theft as direct evidence supporting stricter controls, arguing that even the indirect acquisition of capabilities through distillation still fundamentally relies on robust underlying hardware infrastructure.
Dmitri Alperovitch, chairman of the Silverado Policy Accelerator think tank and co-founder of the cybersecurity firm CrowdStrike, provided an expert perspective to TechCrunch, stating he was "not surprised" by these allegations. Alperovitch commented, "It’s been clear for a while now that part of the reason for the rapid progress of Chinese AI models has been theft via distillation of US frontier models. Now we know this for a fact." He further contended that this revelation should provide "even more compelling reasons to refuse to sell any AI chips to any of these [companies]," suggesting that such sales would only serve to further advantage those engaged in illicit and unethical practices.
Beyond the immediate commercial competitive disadvantages, Anthropic also highlighted profound potential national security risks stemming from illicit distillation. The company emphasized that U.S. AI developers, including Anthropic, meticulously integrate safeguards into their systems to prevent both state and non-state actors from misusing advanced AI technologies for dangerous purposes, such as the development of bioweapons or the execution of malicious cyber activities. However, models constructed through illicit distillation are highly unlikely to retain these critical safeguards, meaning that potentially dangerous capabilities could proliferate without essential protections, posing a significant global security threat.
Anthropic specifically pointed to the heightened risk of authoritarian governments deploying frontier AI for nefarious purposes, including "offensive cyber operations, disinformation campaigns, and mass surveillance." This risk, the company noted, is further amplified if such compromised models are subsequently released as open-source, making them widely accessible to a broader range of actors who might lack ethical constraints or operate with malicious intent.
TechCrunch has reportedly reached out to DeepSeek, MiniMax, and Moonshot for their comments regarding these serious accusations, though no immediate responses were included in the original reporting. The gravity of this situation underscores the urgent need for international cooperation and robust policy frameworks to address the complex ethical, legal, and security challenges posed by advanced AI development and its potential misuse.