I have spent years reporting on the quiet rivalries that define artificial intelligence research, but few episodes feel as consequential as this one. In late February 2026, Anthropic publicly accused three Chinese AI companies of orchestrating what it described as “industrial-scale distillation attacks” against its Claude models. The allegation is stark: more than 24,000 fake Claude accounts were allegedly created, generating over 16 million exchanges designed to replicate Claude’s advanced capabilities. – Claude Data Extraction.
Within the first days of disclosure, the claims ricocheted across global technology media. According to Anthropic’s blog post dated February 22–23, 2026, the firms—DeepSeek, Moonshot AI, and MiniMax—systematically queried Claude to extract strengths in agentic reasoning, coding, data analysis, computer vision, and tool use.
Anthropic says it detected the activity through advanced monitoring systems that flagged anomalous usage patterns, synchronized account behavior, proxy networks, and metadata correlations. No public response has emerged from the accused companies as of February 26, 2026.
At stake is more than competitive advantage. Anthropic argues that distillation at this scale strips away safety guardrails, potentially enabling misuse in cyber operations, surveillance systems, or censorship evasion. The allegations deepen an already tense geopolitical climate where artificial intelligence models are increasingly treated as strategic assets.
What Anthropic Claims Happened
Anthropic’s allegations center on a coordinated effort to distill Claude’s capabilities through high-volume querying. Distillation is a known machine learning technique in which a smaller or newer model learns by mimicking outputs from a larger, more capable one. In academic contexts, it is common. In commercial settings, particularly when conducted without authorization, it can violate terms of service and intellectual property protections.
Anthropic alleges that over 24,000 fake Claude accounts were created to distribute traffic across infrastructure and avoid detection. Those accounts collectively generated more than 16 million chat exchanges. The scale alone distinguishes this case from casual misuse. – Claude Data Extraction.
The company characterizes the activity as systematic rather than exploratory. Prompts allegedly targeted specific strengths of Claude, including multi-step reasoning, external tool orchestration, and high-level programming tasks. According to Anthropic, this pattern diverged sharply from organic customer behavior.
The company further claims that MiniMax adapted within 24 hours of a new Claude model release, redirecting queries to probe updated capabilities. That speed, Anthropic suggests, indicates a premeditated monitoring and replication strategy rather than sporadic testing.
Read: Pentagon Grok AI Expansion: Strategy, Risks and Timeline
Breakdown of Alleged Activity by Company
Anthropic detailed the scale and focus areas of each firm’s alleged campaign. The following table summarizes the company’s claims:
| Company | Alleged Exchanges | Primary Targets | Notable Characteristics |
|---|---|---|---|
| DeepSeek | 150,000+ | Logic, alignment, censorship queries | Focused probing of safeguards |
| Moonshot AI | 3.4 million+ | Agentic reasoning, coding, data analysis, vision | Broad technical targeting |
| MiniMax | 13 million+ | Full-spectrum capability extraction | Rapid pivot after model release |
Anthropic alleges that DeepSeek’s exchanges centered heavily on logic puzzles and censorship circumvention prompts. Moonshot AI allegedly pursued broader technical capabilities including computer vision and tool usage. MiniMax is described as having conducted the largest operation, adapting swiftly to new Claude releases.
None of the companies have publicly denied or addressed the claims as of publication. – Claude Data Extraction.
Understanding Distillation and Why It Matters
Distillation itself is not inherently malicious. In fact, model distillation has been a cornerstone of machine learning efficiency research since Geoffrey Hinton and colleagues formalized knowledge distillation techniques in 2015 (Hinton, Vinyals, & Dean, 2015).
What transforms distillation into a legal or ethical problem is authorization and intent. Commercial AI systems like Anthropic’s Claude are governed by usage terms that prohibit automated extraction of model outputs for replication.
Dr. Margaret Mitchell, chief ethics scientist at Hugging Face, previously noted in public commentary that “large-scale scraping or querying of proprietary models to reproduce capabilities raises serious intellectual property and safety concerns” (Mitchell, 2023).
Anthropic argues that distillation at this scale strips safety guardrails. Claude’s architecture includes alignment techniques designed to reduce harmful outputs. Extracting performance signals without copying those constraints could produce models optimized for power without restraint.
The company frames this not merely as commercial infringement but as a national security issue.
Detection: How Anthropic Says It Found the Activity
Anthropic describes deploying advanced monitoring tools capable of identifying anomalous usage patterns. According to the company, red flags included repetitive prompts centered on specific technical capabilities, synchronized traffic across clusters of accounts, and shared payment infrastructure.
The company also cited “hydra cluster” proxy networks that blended distillation queries with legitimate traffic, complicating detection.
A second table outlines the detection layers Anthropic described:
| Detection Layer | Indicators Identified |
|---|---|
| Behavioral Analysis | Repetitive technical prompts, unnatural volume |
| Network Correlation | Shared IP blocks, proxy clustering |
| Payment & Metadata Links | Overlapping payment methods, account timing patterns |
| Roadmap Alignment | Query spikes after Claude model releases |
Anthropic says it corroborated findings with industry partners and shared intelligence with authorities. The company also claims it intervened mid-campaign in some instances, blocking operations before product launches.
Cybersecurity scholar Bruce Schneier has long warned that AI systems introduce novel attack surfaces. “When AI models become infrastructure, attacks shift from code exploitation to capability extraction,” he wrote in 2023 (Schneier, 2023).
The Geopolitical Context
The accusations emerge against a backdrop of escalating U.S.–China competition in advanced AI. Since 2022, U.S. export controls have limited advanced semiconductor shipments to China (U.S. Department of Commerce, 2022). Access to high-end AI chips remains constrained, intensifying pressure on Chinese firms to innovate efficiently.
Distillation offers a pathway to replicate capabilities without training from scratch. Training frontier models can cost hundreds of millions of dollars. Extracting knowledge through querying is comparatively cheaper.
AI policy expert Helen Toner of Georgetown’s Center for Security and Emerging Technology has argued that frontier models increasingly resemble dual-use technologies. “Advanced AI systems can have both civilian and military applications, and the governance challenges are significant,” she wrote in 2023 (Toner, 2023).
Anthropic’s framing of the alleged activity as a national security risk taps directly into that debate. – Claude Data Extraction.
Silence from the Accused Firms
As of February 26, 2026, none of the three companies—DeepSeek, Moonshot AI, or MiniMax—had issued public statements addressing Anthropic’s claims. Coverage in major outlets including TechCrunch and The Wall Street Journal noted the absence of rebuttals.
Silence can signal many things: internal legal review, ongoing negotiations, geopolitical caution, or strategic non-engagement. Without direct responses, interpretation remains speculative.
Online discussions on Reddit and X have debated whether distillation at scale is inevitable in competitive AI markets. Some argue that open weights models make such behavior redundant. Others contend that proprietary frontier systems still offer meaningful performance advantages worth extracting. – Claude Data Extraction.
Anthropic has not announced lawsuits. Instead, it emphasized technical countermeasures and intelligence sharing.
Legal Dimensions: Why No Lawsuit Yet?
Anthropic previously resolved a high-profile copyright lawsuit brought by authors over training data concerns in 2024. That case centered on dataset sourcing, not downstream extraction by competitors.
In this instance, Anthropic frames the issue as a terms-of-service violation and infrastructure abuse rather than copyright infringement. Filing lawsuits across jurisdictions, particularly involving Chinese firms, would present complex diplomatic and enforcement challenges.
Legal scholar Mark Lemley of Stanford has written that “intellectual property doctrines struggle to map cleanly onto AI model behavior” (Lemley, 2023). Model outputs are probabilistic, not direct copies of training data.
If Anthropic pursues legal remedies, they may involve trade secret claims or computer fraud statutes rather than traditional copyright pathways. For now, the company appears focused on containment and deterrence.
The Safety Argument
Anthropic emphasizes that distillation without alignment replication can remove safeguards. Claude’s system prompts and reinforcement learning techniques aim to limit harmful outputs. – Claude Data Extraction.
If another model learns primarily from Claude’s successful reasoning traces but not its refusal patterns, it could inherit strengths while discarding constraints.
Anthropic has positioned itself as a safety-focused lab since its founding by former OpenAI researchers in 2021. Its public messaging frequently references constitutional AI methods (Bai et al., 2022).
The company argues that widespread guardrail stripping increases risks in cyber operations, automated surveillance, and targeted disinformation campaigns.
Critics counter that frontier labs have not fully demonstrated that their alignment methods are robust enough to be national security assets in the first place.
Industry Implications
If Anthropic’s claims are accurate, the episode signals a new era of AI competition. Rather than solely training larger models, rivals may increasingly probe deployed systems to accelerate development cycles.
This shifts the security perimeter outward. AI companies must treat APIs not only as products but as potential intelligence sources for competitors.
The episode may accelerate:
- Stricter API verification and identity checks
- Rate limiting tied to behavioral anomaly detection
- International policy discussions about AI model protection
- Diplomatic tensions over cross-border AI extraction
Companies could also deploy watermarking techniques to detect output reuse. Research into output fingerprinting is ongoing across major labs.
The case may become a template for how AI firms publicly attribute and respond to capability extraction.
Takeaways
- Anthropic alleges over 24,000 fake accounts generated 16 million Claude exchanges.
- The targeted capabilities included agentic reasoning, coding, and tool integration.
- Detection relied on behavioral analytics, IP correlations, and metadata analysis.
- No public response has been issued by the accused firms.
- Anthropic has not announced lawsuits, focusing instead on technical countermeasures.
- The dispute underscores AI’s growing geopolitical and national security dimensions.
Conclusion
I see this moment as a turning point in how artificial intelligence companies define competition. For years, the focus remained on who could train the largest model or secure the most compute. Now the battleground appears to include deployed systems themselves.
Anthropic’s allegations, whether ultimately litigated or quietly resolved, highlight the fragility of proprietary advantage in an industry built on probabilistic systems. Distillation exists in a gray zone between research practice and commercial exploitation. When conducted at scale and without authorization, it transforms into something else entirely.
The silence from DeepSeek, Moonshot AI, and MiniMax leaves the public with only one side of the story. That imbalance underscores the opacity that still defines global AI development.
As governments debate export controls and safety frameworks, companies are waging quieter wars in server logs and proxy clusters. The future of AI may depend not only on innovation but on the invisible defenses guarding it.
FAQs
What is model distillation?
Model distillation is a technique where one AI model learns to mimic another by training on its outputs, often to replicate capabilities efficiently.
Why does Anthropic call this a national security issue?
The company argues that copying capabilities without safety guardrails could enable misuse in cyber operations or surveillance systems.
Have DeepSeek, Moonshot AI, or MiniMax responded?
As of February 26, 2026, none of the companies have publicly addressed Anthropic’s claims.
Will Anthropic file lawsuits?
Anthropic has not announced legal action and appears focused on technical containment and intelligence sharing.
How did Anthropic detect the activity?
The company cited anomalous usage patterns, synchronized account behavior, shared payment methods, and IP clustering.
