We have recognized industrial-scale campaigns by three AI laboratories—DeepSeek, Moonshot, and MiniMax—to illicitly extract Claude’s capabilities to enhance their very own fashions. These labs generated over 16 million exchanges with Claude via roughly 24,000 fraudulent accounts, in violation of our phrases of service and regional entry restrictions.
These labs used a method referred to as “distillation,” which includes coaching a much less succesful mannequin on the outputs of a stronger one. Distillation is a extensively used and official coaching technique. For instance, frontier AI labs routinely distill their very own fashions to create smaller, cheaper variations for his or her prospects. But distillation can be used for illicit functions: opponents can use it to accumulate highly effective capabilities from different labs in a fraction of the time, and at a fraction of the fee, that it might take to develop them independently.
These campaigns are rising in depth and sophistication. The window to behave is slender, and the risk extends past any single firm or area. Addressing it can require fast, coordinated motion amongst business gamers, policymakers, and the worldwide AI neighborhood.
Why distillation issues
Illicitly distilled fashions lack needed safeguards, creating vital nationwide safety dangers. Anthropic and different US firms construct methods that stop state and non-state actors from utilizing AI to, for instance, develop bioweapons or perform malicious cyber actions. Models constructed via illicit distillation are unlikely to retain these safeguards, that means that harmful capabilities can proliferate with many protections stripped out completely.
Foreign labs that distill American fashions can then feed these unprotected capabilities into navy, intelligence, and surveillance methods—enabling authoritarian governments to deploy frontier AI for offensive cyber operations, disinformation campaigns, and mass surveillance. If distilled fashions are open-sourced, this threat multiplies as these capabilities unfold freely past any single authorities’s management.
Distillation attacks and export controls
Anthropic has consistently supported export controls to assist preserve America’s lead in AI. Distillation attacks undermine these controls by permitting international labs, together with these topic to the management of the Chinese Communist Party, to shut the aggressive benefit that export controls are designed to protect via different means.
Without visibility into these attacks, the apparently fast developments made by these labs are incorrectly taken as proof that export controls are ineffective and in a position to be circumvented by innovation. In actuality, these developments rely in vital half on capabilities extracted from American fashions, and executing this extraction at scale requires entry to superior chips. Distillation attacks subsequently reinforce the rationale for export controls: restricted chip entry limits each direct mannequin coaching and the size of illicit distillation.
What we discovered
The three distillation campaigns detailed under adopted an identical playbook, utilizing fraudulent accounts and proxy companies to entry Claude at scale whereas evading detection. The quantity, construction, and focus of the prompts had been distinct from regular utilization patterns, reflecting deliberate functionality extraction reasonably than official use.
We attributed every marketing campaign to a selected lab with excessive confidence via IP deal with correlation, request metadata, infrastructure indicators, and in some circumstances corroboration from business companions who noticed the identical actors and behaviors on their platforms. Each marketing campaign focused Claude’s most differentiated capabilities: agentic reasoning, software use, and coding.
DeepSeek
Scale: Over 150,000 exchanges
The operation focused:
- Reasoning capabilities throughout various duties
- Rubric-based grading duties that made Claude operate as a reward mannequin for reinforcement studying
- Creating censorship-safe options to coverage delicate queries
DeepSeek generated synchronized visitors throughout accounts. Identical patterns, shared cost strategies, and coordinated timing prompt “load balancing” to extend throughput, enhance reliability, and keep away from detection.
In one notable method, their prompts requested Claude to think about and articulate the inner reasoning behind a accomplished response and write it out step-by-step—successfully producing chain-of-thought coaching knowledge at scale. We additionally noticed duties by which Claude was used to generate censorship-safe options to politically delicate queries like questions on dissidents, celebration leaders, or authoritarianism, seemingly so as to prepare DeepSeek’s personal fashions to steer conversations away from censored subjects. By inspecting request metadata, we had been in a position to hint these accounts to particular researchers on the lab.
Moonshot AI
Scale: Over 3.4 million exchanges
The operation focused:
- Agentic reasoning and software use
- Coding and knowledge evaluation
- Computer-use agent growth
- Computer imaginative and prescient
Moonshot (Kimi fashions) employed a whole bunch of fraudulent accounts spanning a number of entry pathways. Varied account sorts made the marketing campaign tougher to detect as a coordinated operation. We attributed the marketing campaign via request metadata, which matched the general public profiles of senior Moonshot employees. In a later section, Moonshot used a extra focused method, trying to extract and reconstruct Claude’s reasoning traces.
MiniMax
Scale: Over 13 million exchanges
The operation focused:
- Agentic coding
- Tool use and orchestration
We attributed the marketing campaign to MiniMax via request metadata and infrastructure indicators, and confirmed timings towards their public product roadmap. We detected this marketing campaign whereas it was nonetheless lively—earlier than MiniMax launched the mannequin it was coaching—giving us unprecedented visibility into the life cycle of distillation attacks, from knowledge era via to mannequin launch. When we launched a brand new mannequin throughout MiniMax’s lively marketing campaign, they pivoted inside 24 hours, redirecting practically half their visitors to seize capabilities from our newest system.
How distillers entry frontier fashions
For nationwide safety causes, Anthropic doesn’t at present supply business entry to Claude in China, or to subsidiaries of their companies situated exterior of the nation.
To circumvent this, labs use business proxy companies which resell entry to Claude and different frontier AI fashions at scale. These companies run what we name “hydra cluster” architectures: sprawling networks of fraudulent accounts that distribute visitors throughout our API in addition to third-party cloud platforms. The breadth of those networks implies that there aren’t any single factors of failure. When one account is banned, a brand new one takes its place. In one case, a single proxy community managed greater than 20,000 fraudulent accounts concurrently, mixing distillation visitors with unrelated buyer requests to make detection tougher.
Once entry is secured, the labs generate giant volumes of fastidiously crafted prompts designed to extract particular capabilities from the mannequin. The aim is both to gather high-quality responses for direct mannequin coaching, or to generate tens of hundreds of distinctive duties wanted to run reinforcement studying. What distinguishes a distillation assault from regular utilization is the sample. A immediate like the next (which approximates comparable prompts we’ve seen used repetitively and at scale) could appear benign by itself:
You are an knowledgeable knowledge analyst combining statistical rigor with deep area data. Your aim is to ship data-driven insights — not summaries or visualizations — grounded in actual knowledge and supported by full and clear reasoning.
But when variations of that immediate arrive tens of hundreds of instances throughout a whole bunch of coordinated accounts, all concentrating on the identical slender functionality, the sample turns into clear. Massive quantity concentrated in just a few areas, extremely repetitive buildings, and content material that maps immediately onto what’s Most worthy for coaching an AI mannequin are the hallmarks of a distillation assault.
How we’re responding
We proceed to speculate closely in defenses that make such distillation attacks tougher to execute and simpler to determine. These embrace:
- Detection. We have constructed a number of classifiers and behavioral fingerprinting methods designed to determine distillation assault patterns in API visitors. This contains detection of chain-of-thought elicitation used to assemble reasoning coaching knowledge. We have additionally constructed detection instruments for figuring out coordinated exercise throughout giant numbers of accounts.
- Intelligence sharing. We are sharing technical indicators with different AI labs, cloud suppliers, and related authorities. This offers a extra holistic image into the distillation panorama.
- Access controls. We’ve strengthened verification for instructional accounts, safety analysis applications, and startup organizations—the pathways mostly exploited for organising fraudulent accounts.
- Countermeasures. We are creating Product, API and model-level safeguards designed to cut back the efficacy of mannequin outputs for illicit distillation, with out degrading the expertise for official prospects.
But no firm can remedy this alone. As we famous above, distillation attacks at this scale require a coordinated response throughout the AI business, cloud suppliers, and policymakers. We are publishing this to make the proof out there to everybody with a stake within the end result.
