The Great Extraction: How Three Chinese Labs Siphoned Claude's Intelligence at Industrial Scale

Anthropic's latest revelation reads like the opening scene of a geopolitical techno-thriller: three major Chinese AI labs--DeepSeek, Moonshot (Kimi), and MiniMax--spent months siphoning Claude's capabilities at industrial scale. More than 16 million illicit exchanges. Roughly 24,000 fraudulent accounts. Systematic extraction of reasoning, coding competency, agentic behavior--and even the safety-sensitive abilities that U.S. labs work hardest to secure.

Anthropic put it bluntly: "We have identified industrial-scale campaigns ... to illicitly extract Claude's capabilities to improve their own models."

For years, policymakers wondered how Chinese AI labs were advancing so quickly despite U.S. chip export controls. Anthropic's disclosure offers the most concrete answer to date: some of that "progress" wasn't local innovation at all, but quietly imported cognition.

What Is Distillation?

Distillation is a standard and useful part of modern AI development. A powerful "teacher" model generates examples--finished answers, step-by-step reasoning, or demonstrations--that a smaller, cheaper "student" model learns to mimic.

Picture compressing the wisdom of a world-class professor into a highly competent high-school teacher. The student isn't as brilliant, but can deliver much of the material at far lower cost.

Used on one's own models, distillation is essential. It produces lightweight versions, reduces compute costs, and enables safety training pipelines. But used on a competitor's model, distillation becomes something else entirely: a high-bandwidth extraction attack. Instead of spending hundreds of millions to train a state-of-the-art system, a lab can query one and directly transfer its capabilities.

As Anthropic warned, "Distillation can be used for illicit purposes ... competitors can use it to acquire powerful capabilities ... in a fraction of the time, and at a fraction of the cost."

The Operation: How Three Labs Extracted Claude

Anthropic's announcement offers one of the clearest public windows into distillation attacks in the wild.

DeepSeek: Reasoning and Censorship -- 150,000+ Exchanges

DeepSeek generated more than 150,000 targeted prompts designed to force Claude to reveal its internal reasoning. Their queries explicitly requested full chain-of-thought breakdowns--exactly the data needed to build stronger reasoning systems.

They also probed politically sensitive areas, using Claude to generate "censorship-safe alternatives" to questions about dissidents, authoritarianism, or party leadership. In effect, DeepSeek was using an American AI to help engineer a politically sanitized reasoning model for deployment in China.

Moonshot/Kimi: Agentic Reasoning and Computer Use -- 3.4 Million Exchanges

Moonshot's Kimi mounted a far larger campaign: more than 3.4 million exchanges focused on agentic reasoning and computer-use capabilities. This reflects an intent to build models that can act more autonomously--handling tools, sequencing multi-step tasks, and executing workflows.

This wasn't chatbot tuning. It was early agent building.

MiniMax: Massive-Scale Agentic Coding -- 13 Million+ Exchanges

MiniMax led by scale with more than 13 million interactions. Crucially, Anthropic discovered the operation while it was active, offering rare visibility into how illicit distillation pipelines adapt in real time.

One detail stands out: when Anthropic released a more capable Claude model, MiniMax "pivoted within 24 hours," immediately redirecting nearly half its extraction volume to the new system. They targeted agentic coding capabilities--models that can write, execute, and refine code autonomously.

Hydra Clusters: The Infrastructure of Theft

Claude is not offered commercially in China, so the labs operated through proxy services running "hydra clusters"--vast networks of fraudulent accounts designed to obscure the source of traffic and bypass geographic restrictions.

These clusters distribute millions of queries across thousands of burner accounts, making detection difficult. Anthropic traced around 24,000 fraudulent accounts across the three campaigns.

This was not ad-hoc experimentation. It was organized, industrial-scale capability theft.

The Broader Context: Revisiting the DeepSeek R1 Shock

With this disclosure, the industry is revisiting the DeepSeek R1 controversy) from early 2025. When R1 dropped, its chain-of-thought quality stunned observers. Many questioned how a Chinese lab--limited by U.S. export controls on Nvidia's most advanced chips--could train such a system.

OpenAI accused DeepSeek of "free-riding on the capabilities developed by OpenAI and other US frontier labs," but lacked hard evidence.

Anthropic's announcement now provides that missing evidence. DeepSeek was extracting chain-of-thought data, politically sensitive reasoning, and safety-aligned behaviors--all elements reflected in R1's strengths.

The disclosure doesn't prove R1 was fully distilled, but it strongly suggests that distillation played a meaningful role in DeepSeek's abrupt leap in capability.

Export Controls: A Counterintuitive Reframe

Anthropic's announcement also addresses one of the most contentious questions in AI policy: Are U.S. export controls on advanced chips working?

Critics argue they're not. After all, Chinese labs keep releasing powerful models.

Anthropic proposes a different interpretation:

"Without visibility into these attacks, the apparently rapid advancements ... are incorrectly taken as evidence that export controls are ineffective. In reality, these advancements depend in significant part on capabilities extracted from American models."

The underlying logic:

• China is restricted from buying frontier-class AI chips
• Training frontier models from scratch requires those chips
• Chinese labs still released advanced models
• Many concluded export controls were ineffective
• But these advances were partly siphoned from U.S. models
• Therefore the controls worked--they forced extraction over independent training

It's a provocative claim: the very "successes" used to argue that export controls have failed may be the clearest evidence that they're succeeding.

The Safety Dimension: Why This Is Bigger Than IP Theft

Anthropic stresses that the danger isn't simply competitive or economic. Illicitly distilled models don't inherit a frontier model's safety guardrails.

Restrictions against bioweapon design, cyber offense, surveillance optimization, or dangerous code aren't reliably transferred through distillation. As the company put it: "Illicitly distilled models lack necessary safeguards," creating real national security risks.

Such models could be used for:

• Military and intelligence targeting
• Offensive cyber operations
• State surveillance infrastructure
• Censorship enforcement
• Harmful biological or chemical design after further fine-tuning

And once they're running inside China's AI ecosystem, U.S. labs lose visibility entirely.

Expert Reactions

The disclosure has drawn sharp responses from the security and policy community.

Dmitri Alperovitch, chairman of Silverado Policy Accelerator and co-founder of CrowdStrike, told TechCrunch: "It's been clear for a while now that part of the reason for the rapid progress of Chinese AI models has been theft via distillation of US frontier models. Now we know this for a fact. This should give us even more compelling reasons to refuse to sell any AI chips to any of these companies, which would only advantage them further."

Not everyone is sympathetic. On X, critics pointed to the irony of an AI company complaining about data extraction--given that frontier models like Claude were trained on vast amounts of publicly available internet data, often without explicit consent from creators. "Oh no, another company stole your data," became a recurring refrain, with some arguing that Anthropic is invoking IP protections it didn't extend to the writers, artists, and developers whose work shaped its own models.

The tension highlights a genuine fault line in AI ethics: the same data practices that enabled the current generation of frontier models are now being weaponized against their creators.

What Comes Next

Anthropic is rolling out increasingly sophisticated detection mechanisms that analyze usage patterns, prompt signatures, and coordinated account behavior. Catching MiniMax's campaign in real time suggests that behavior-based monitoring is already effective at identifying active distillation attacks.

Future countermeasures include:

• Stronger enforcement of regional access restrictions
• Closer coordination with U.S. policymakers and intelligence agencies
• Hardware-level or network-level anti-scraping controls
• Broader industry collaboration on shared threat intelligence

Anthropic's announcement marks a turning point. Distillation is no longer merely a technical method behind model compression--it's a new front in geopolitics, IP protection, and national security.

Conclusion

Anthropic's revelations are the most detailed account yet of how frontier AI capabilities are being illicitly extracted at scale. More than 16 million fraudulent interactions weren't just a violation of terms of service--they were a transfer of cognitive capital.

The disclosure reshapes debates about Chinese AI progress, export control efficacy, and the future of AI safety. And it signals a new reality: the next phase of the global AI race will be fought not only with compute and algorithms, but in the shadows of API logs and detection systems.

The stakes--technological dominance, geopolitical stability, and security--could not be higher.

Sources: Anthropic -- Detecting and preventing distillation attacks, February 24, 2026

Related: OpenAI Podcast Ep. 12: "State of the AI Industry" -- Sarah Friar and Vinod Khosla discuss the AI landscape, including competitive dynamics and investment trends