Anthropic Flags Industrial-Scale AI “Distillation Attacks” — News

Anthropic reports three AI labs used 24,000 fake accounts to run over 16 million queries against its Claude model to illicitly extract capabilities via distillation. 

Anthropic, the U.S. artificial-intelligence developer behind the Claude family of large language models, disclosed on February 23, 2026 that it has detected what it characterizes as “industrial-scale” campaigns by three AI laboratories — DeepSeek, Moonshot, and MiniMax — to covertly extract high-value technical capabilities from Claude and train rival models. 

In a detailed announcement on its website, Anthropic said the campaigns used approximately 24,000 fraudulent accounts to engage Claude in more than 16 million exchanges, violating the company’s terms of service and regional access restrictions. The lab identified the technique used in these operations as “distillation,” a training method in which a smaller or less capable model is trained on the outputs of a more capable one. 

Anthropic noted that while distillation is a widely used and legitimate method within the AI industry for example, to produce lighter versions of complex models for customers, it can be abused when applied without authorization to extract proprietary capabilities from another developer’s model at scale. According to the company, the patterns of usage associated with the fraudulent accounts were distinct from normal activity and showed deliberate, coordinated prompting designed to generate training-quality data for reasoning, tool use, and coding tasks. 

Anthropic said it attributed the campaigns to the three labs with “high confidence” through analyses of IP address correlations, request metadata, and infrastructure indicators, as well as corroboration from industry partners. DeepSeek’s portion of the campaign, Anthropic reported, comprised over 150,000 exchanges that targeted reasoning capabilities, reinforcement-learning grading tasks, and the generation of “censorship-safe alternatives” for politically sensitive queries.

Moonshot’s activity reportedly generated more than 3.4 million exchanges focusing on agentic reasoning, coding, data analysis, computer-use agent development, and computer vision tasks.

MiniMax’s campaign was the largest in volume, accounting for over 13 million engagements that targeted agentic coding, tool use, and orchestration; Anthropic said it detected that campaign while it was still active and observed MiniMax rapidly adjusting traffic patterns following a new Claude model release. 

Anthropic explained that it does not offer commercial access to Claude in China where the labs are based, for national security reasons. The company said operators used proxy services that resell Claude access and deploy sprawling networks of fraudulent accounts to distribute request traffic across Anthropic’s API and third-party cloud platforms, complicating detection efforts. 

In its announcement, Anthropic warned that models trained through such illicit distillation could lack the safety safeguards embedded in frontier AI systems and could, if disseminated widely, be used in contexts that undermine protections against cyberattacks, misinformation campaigns, and other malicious applications. The company also framed the incidents as relevant to ongoing policy discussions on export controls for advanced computing hardware, arguing that restrictions on chip access are intended to limit not only domestic model training but also the scale of unauthorized distillation activities. 

To counter such operations, Anthropic said it is investing in defensive measures, including classifiers and behavioral fingerprinting systems to identify distillation patterns in API traffic, strengthened verification requirements for certain account types, and the development of model-level safeguards intended to reduce the utility of outputs for illicit training purposes. The company also noted it is sharing technical indicators of these campaigns with other AI developers, cloud providers, and relevant authorities as part of broader efforts to detect and deter similar activity. 

The disclosure by Anthropic follows similar assertions by OpenAI earlier in February 2026 that DeepSeek used distillation on outputs from OpenAI’s GPT-based models, reinforcing discussion among AI developers and policymakers about competitive practices and intellectual property protections in frontier artificial-intelligence development.