Hey there! 👋
Welcome back to SavvyMonk, your daily dose of AI and tech news that actually matters.
Today: Anthropic just published the most detailed public accusation of AI theft in the industry's history. Three Chinese labs. 24,000 fake accounts. 16 million conversations. And a technique that could hollow out any AI model from the inside.
Let's get into it.
TODAY'S DEEP DIVE
Anthropic Calls It The Biggest Heist in AI History
On Monday, Anthropic published a detailed report naming three Chinese AI laboratories, DeepSeek, Moonshot AI, and MiniMax, for running what it calls "industrial-scale distillation attacks" on Claude.
These are not small companies. DeepSeek made global headlines earlier this year for matching GPT-4 performance at a fraction of the cost. Moonshot AI runs the widely-used Kimi model. MiniMax is one of China's best-performing labs across most AI benchmarks.
Together, according to Anthropic, they created over 24,000 fraudulent accounts and generated more than 16 million exchanges with Claude, systematically extracting its capabilities to train and improve their own models in violation of Anthropic's terms of service and China's restricted access status.
What is Distillation?
Before getting into the attacks, it helps to understand what distillation is and why it is so powerful.
Training an AI model is expensive. You need massive compute, vast datasets, and months of engineering. Distillation is a shortcut: instead of learning from raw data, a weaker model can learn by studying the outputs of a stronger one.
The weaker model asks the stronger model thousands of questions, observes how it reasons and responds, and essentially copies its behaviour.
Done legitimately, this is how companies create smaller, cheaper versions of their own flagship models. It is standard industry practice.
Done illicitly, you skip years of development and hundreds of millions in compute costs by feeding off someone else's work. You get the capability without the investment.
That is what Anthropic says happened here, at industrial scale, deliberately and systematically.
How They Went After Claude
Each lab followed a similar approach but targeted different capabilities.
DeepSeek's campaign involved over 150,000 exchanges focused on complex reasoning and reinforcement learning. Their most telling technique: prompts that asked Claude to explain its internal reasoning step by step, effectively harvesting chain-of-thought training data at scale. They were not just asking questions. They were extracting the reasoning process itself.
Moonshot AI ran a much larger operation with over 3.4 million exchanges targeting agentic reasoning, tool use, coding, and computer vision. In later phases, the campaign specifically tried to reconstruct Claude's reasoning traces. Anthropic says it traced the accounts back to senior Moonshot staff through request metadata that matched public profiles.
MiniMax ran the largest operation by far: over 13 million exchanges focused on agentic coding and tool use. Anthropic caught this one while it was still active, giving unusual visibility into how these attacks actually unfold. The most striking detail: when Anthropic released a new version of Claude during the active campaign, MiniMax pivoted within 24 hours, redirecting nearly half its traffic to capture capabilities from the newer model.
That pivot time tells you everything about the sophistication and intentionality of the operation.
How They Avoided Detection
Getting 16 million conversations out of Claude without triggering alarm systems requires infrastructure. The labs did not just sign up for accounts.
They used commercial proxy services running what Anthropic calls "hydra cluster" architectures, sprawling networks of fraudulent accounts spread across both Claude's own API and third-party cloud platforms. One proxy network reportedly managed more than 20,000 fraudulent accounts simultaneously, deliberately mixing distillation traffic with legitimate-looking customer requests to avoid triggering anomaly detection.
Anthropic says it attributed each campaign with high confidence using IP address correlation, request metadata analysis, and infrastructure indicators that differed sharply from normal customer traffic. Other AI labs and cloud providers observed the same actors on their own platforms, providing independent corroboration.
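To make the correlation idea concrete, here is an added example (not Anthropic's system and not from its report) that links accounts sharing an IP or client fingerprint and then scores each linked cluster as a whole. The log fields, sample records, and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records: (account, source_ip, client_fingerprint, is_trace_request)
# is_trace_request marks prompts asking the model to spell out step-by-step reasoning.
LOGS = [
    ("acct-01", "198.51.100.7", "fp-a", True),
    ("acct-01", "198.51.100.7", "fp-a", False),
    ("acct-02", "198.51.100.7", "fp-b", True),
    ("acct-02", "198.51.100.8", "fp-b", True),
    ("acct-03", "198.51.100.8", "fp-c", True),
    ("acct-03", "198.51.100.9", "fp-c", False),
    ("acct-04", "203.0.113.20", "fp-c", True),
    ("acct-10", "192.0.2.44", "fp-x", False),
    ("acct-10", "192.0.2.44", "fp-x", True),
    ("acct-11", "192.0.2.90", "fp-y", False),
]

def find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
        x = parent[x]
    return x

def cluster_accounts(logs):
    """Union accounts that share any indicator (IP or client fingerprint)."""
    parent = {}
    owner = {}  # indicator -> first account seen using it
    for acct, ip, fp, _ in logs:
        parent.setdefault(acct, acct)
        for indicator in (("ip", ip), ("fp", fp)):
            first = owner.setdefault(indicator, acct)
            parent[find(parent, acct)] = find(parent, first)
    clusters = defaultdict(set)
    for acct in parent:
        clusters[find(parent, acct)].add(acct)
    return list(clusters.values())

def flag_clusters(logs, min_accounts=3, min_trace_ratio=0.6):
    """Flag clusters whose combined traffic is trace-heavy, even if each account is small."""
    flagged = []
    for members in cluster_accounts(logs):
        rows = [r for r in logs if r[0] in members]
        ratio = sum(r[3] for r in rows) / len(rows)
        if len(members) >= min_accounts and ratio >= min_trace_ratio:
            flagged.append((sorted(members), round(ratio, 2)))
    return flagged

print(flag_clusters(LOGS))
```

No single account here sends more than two requests, so a per-account volume limit would never fire; the pattern only shows up once the four linked accounts are scored together.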
Why This is Bigger Than Corporate IP Theft
Anthropic is careful to frame this not just as a business problem but as a national security one. The framing is deliberate.
When a foreign lab illicitly distils an American AI model, it does not just get the capability. It gets it stripped of its safeguards. Claude has extensive safety alignment built in: restrictions on harmful outputs, refusals of dangerous requests, limits on surveillance-related tasks. A distilled version of Claude, rebuilt into a Chinese lab's own model, carries none of those constraints.
Those capabilities can then be fed into military, intelligence, and surveillance systems without the guardrails the original model was designed to enforce.
Anthropic's head of threat intelligence, Jacob Klein, was explicit: "We have high confidence these labs were conducting distillation attacks at scale." The company is not hedging.
This is also not an Anthropic-only problem.
Two weeks before Anthropic's disclosure, Google published a threat intelligence report revealing that Gemini was facing the same category of attack, with some operations exceeding 100,000 queries targeting Gemini's core reasoning mechanisms. OpenAI has also acknowledged the problem, noting that solving it requires "ecosystem security" involving US government assistance because "adversaries will simply default to the least protected provider."
What Anthropic is Doing About It
In response, Anthropic says it has built behavioural fingerprinting systems to detect distillation patterns, developed classifiers that flag attack-style usage, tightened verification for educational and research accounts, and started sharing technical indicators with other AI labs, cloud providers, and authorities.
They are also working on model-level countermeasures designed to make Claude's outputs less useful for distillation without degrading the experience for legitimate users. The idea is to subtly alter outputs in ways that confuse a distillation model without confusing a human.
But Anthropic was explicit that no single company can solve this alone. The problem is structural: any open AI API is theoretically extractable through enough queries. The only real defences are detection, deterrence, and coordination across the industry.
What This Means for the AI Industry
This disclosure changes something. Previous accusations of AI theft were vague or came in legal filings.
Anthropic just published a technical report naming specific companies, describing specific techniques, providing specific numbers, and sharing it publicly.
That is an escalation in how the AI industry handles competitive intelligence theft. It is also a political act. Naming Chinese labs specifically, framing the problem in national security terms, and calling for a government-coordinated response signals that Anthropic is trying to push this into policy territory, not just legal territory.
Whether the named companies deny, respond, or stay silent will say a lot about how this plays out. So far, DeepSeek, Moonshot, and MiniMax have not publicly responded to the accusations.
The Bottom Line
Three of China's top AI labs allegedly spent months running what amounts to a systematic, coordinated intelligence operation against Anthropic's flagship model. They used fake identities, proxy networks, and sophisticated behavioural mimicry to extract 16 million conversations' worth of reasoning capability, then built those capabilities into their own systems with no safety constraints attached.
Anthropic caught them, named them publicly, and is now pushing for a coordinated industry and government response.
This is not a corporate IP dispute. It is the first clear, documented case of what AI-era industrial espionage actually looks like in practice. And based on Google's simultaneous disclosure, it is not happening to just one company.
The question now is whether the industry can build defences fast enough to keep pace with attacks that get more sophisticated every time a new, more capable model ships.
AI PROMPT OF THE DAY
Category: Image Generation
“Transform the person in the input image into a highly stylized 3D cartoon character following the exact visual style of the reference cartoon image provided. Use all facial traits from the real person image: hair shape, eyebrows, eyes, jawline, skin tone, and expression. Emphasize exaggerated features such as a hyper-defined jaw, thick eyebrows, cheek dimples, and a confident, mischievous smile with visible upper teeth. Skin should show subtle microtextures and visible beard stubble.”
ONE LAST THING
Does Anthropic naming these companies publicly change anything, or is the damage already done? Hit reply, I read every response.
See you soon with another story.
— Vivek