Anthropic just dropped a bombshell: three Chinese AI labs – DeepSeek, Moonshot, and MiniMax – ran 24,000 fake accounts to milk Claude for training data. 16 million API calls. Coordinated extraction campaigns. All to clone Claude’s capabilities without doing the expensive R&D work themselves.
If you use Claude, ChatGPT, or any frontier AI API, this will change how these platforms work. Rate limits might tighten. Verification requirements will get stricter. Some real use cases (large-scale evals, building synthetic datasets) might start triggering false positives.
Anthropic identified campaigns by DeepSeek, Moonshot, and MiniMax that generated over 16 million exchanges with Claude through approximately 24,000 fraudulent accounts, in violation of terms of service and regional access restrictions. They weren’t just using Claude – they were pulling out its capabilities to train their own models.
What Happened
The scale varies wildly. MiniMax generated more than 13 million exchanges, Moonshot more than 3.4 million, and DeepSeek generated more than 150,000. MiniMax did 100x the volume of DeepSeek. Yet DeepSeek’s getting the headlines. Why? We’ll get there.
Earlier in February 2026, OpenAI submitted an open letter to U.S. legislators, claiming to have observed activity “indicative of ongoing attempts by DeepSeek to distill frontier models.” Google also disclosed in February 2026 that it identified and disrupted distillation attacks aimed at Gemini’s reasoning capabilities through more than 100,000 prompts. This isn’t a one-off. It’s a pattern across every major AI provider.
How Distillation Attacks Work
First: distillation itself isn’t evil. Distillation is a widely used and legitimate training method. Frontier AI labs routinely distill their own models to create smaller, cheaper versions for their customers. OpenAI even offers official tools for it: Model distillation involves fine-tuning smaller, cost-efficient models using outputs from more capable models, allowing them to match performance on specific tasks at much lower cost.
The problem? Doing it to someone else’s model without permission.
Here’s the playbook Anthropic caught:
- Bypass regional restrictions. Anthropic doesn’t offer commercial Claude access in China. To circumvent this, labs use commercial proxy services which resell access to Claude and other frontier AI models at scale.
- Build a hydra network. These services are powered by “hydra cluster” architectures containing massive networks of fraudulent accounts. In one case, a single proxy network managed more than 20,000 fraudulent accounts simultaneously, mixing distillation traffic with unrelated customer requests to make detection harder.
- Hammer the API with crafted prompts. Labs generate large volumes of carefully crafted prompts designed to extract specific capabilities. The goal is either to collect high-quality responses for direct model training, or to generate tens of thousands of unique tasks needed to run reinforcement learning.
- Extract reasoning traces. In one technique, prompts asked Claude to imagine and articulate the internal reasoning behind a completed response and write it out step by step – effectively generating chain-of-thought training data at scale.
An example prompt (approximated from Anthropic’s description):
You are an expert data analyst combining statistical rigor with deep domain knowledge.
Your goal is to deliver data-driven insights grounded in real data and supported by complete and transparent reasoning.
[Then: send this same structure 10,000 times with slight variations]
When variations of that prompt arrive tens of thousands of times across hundreds of coordinated accounts, all targeting the same narrow capability, the pattern becomes clear. Massive volume concentrated in a few areas, highly repetitive structures, and content that maps directly onto what is most valuable for training an AI model are the hallmarks of a distillation attack.
What You Can Learn From Their Detection Methods
Red flags from the platform’s perspective:
- Volume spikes in narrow domains. 50,000 requests all focused on coding tasks? You’re lighting up their dashboard.
- Repetitive prompt templates. Same structure, slight variations, over and over.
- Chain-of-thought extraction. Prompts that directly ask the model to “think step-by-step” or “show your reasoning” at scale.
- Synchronized traffic. DeepSeek generated synchronized traffic across accounts. Multiple accounts hitting the API at the exact same times.
- Real-time pivots. When Anthropic released a new model during MiniMax’s active campaign, they pivoted within 24 hours, redirecting nearly half their traffic to capture capabilities from the latest system.
Anthropic built classifiers and behavioral fingerprinting systems designed to identify distillation attack patterns in API traffic, including detection of chain-of-thought elicitation used to construct reasoning training data.
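Two of the red flags above, repetitive prompt templates and synchronized traffic, can be computed directly from request logs. The following is an added example, not Anthropic’s classifier and not code from the original article; the log fields, thresholds and sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample records (account_id, unix_seconds, prompt); not real traffic.
TPL = "You are an expert data analyst. Analyze dataset {n} and explain your reasoning step by step."
SAMPLE = [(f"acct-{c}", 1000 + 60 * i + j, TPL.format(n=10 * i + j))
          for i in range(3) for j, c in enumerate("abc")]
SAMPLE += [("acct-d", 1005, "Summarize this meeting transcript in 3 bullets."),
           ("acct-d", 4000, "Translate 'good morning' into French."),
           ("acct-d", 9000, "Write a haiku about autumn.")]

def skeleton(prompt):
    """Collapse a prompt to its template by masking the parts that vary."""
    s = re.sub(r'"[^"]*"', "<str>", prompt.lower())
    s = re.sub(r"\d+", "<num>", s)
    return re.sub(r"\s+", " ", s).strip()

def shared_templates(records, min_accounts=3, min_requests=4):
    """Templates reused across several accounts (thresholds are assumptions)."""
    by_tpl = defaultdict(list)
    for acct, _, prompt in records:
        by_tpl[skeleton(prompt)].append(acct)
    return {t: sorted(set(a)) for t, a in by_tpl.items()
            if len(set(a)) >= min_accounts and len(a) >= min_requests}

def synchronized_pairs(records, window=60, min_jaccard=0.8, min_buckets=2):
    """Account pairs whose active time windows overlap almost completely."""
    buckets = defaultdict(set)
    for acct, ts, _ in records:
        buckets[acct].add(ts // window)
    pairs = []
    for a, b in combinations(sorted(buckets), 2):
        inter, union = buckets[a] & buckets[b], buckets[a] | buckets[b]
        if len(inter) >= min_buckets and len(inter) / len(union) >= min_jaccard:
            pairs.append((a, b))
    return pairs

def flag_accounts(records):
    """Flag only accounts that show both signals, to limit false positives."""
    templated = {a for accts in shared_templates(records).values() for a in accts}
    synced = {a for pair in synchronized_pairs(records) for a in pair}
    return sorted(templated & synced)

if __name__ == "__main__":
    print(flag_accounts(SAMPLE))
```

Requiring both signals across multiple accounts means a single account running a repetitive eval is not flagged by this logic, which is one way to reduce the false positives discussed later in the article.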
Pro tip: If you’re doing real large-scale API work (evals, dataset generation, stress tests), document your use case and contact support proactively. Anthropic’s tightening verification for educational accounts, research programs, and startup orgs – the pathways most abused for fraud. A preemptive “hey, we’re doing X for Y reason” can save you from getting flagged.
The 3 Things No One’s Admitting
1. The Copyright Paradox
A large fraction of community replies framed this as “labs trained on the internet now complaining about copying,” often explicitly contrasting scraping vs API-output extraction. Elon Musk, Reddit, half of X: “you trained Claude on scraped content without permission, and now you’re mad someone’s using your outputs?”
The legal reality is messier. OpenAI’s terms of use assign ownership of model outputs to the user – meaning even if a company can prove extraction occurred, it may not hold copyrights over the extracted data. Winston & Strawn noted this dynamic means “even if OpenAI can present enough evidence, OpenAI likely does not have copyrights over the data.” Same logic applies to Anthropic.
What’s actually being violated? Terms of Service. Not copyright law. It’s a contract dispute dressed up as IP theft.
2. The False Positive Problem
Anthropic’s detection criteria – huge traffic, repetitive prompts, narrow focus – also describes real power users. Running evaluations on your fine-tuned model? Building a synthetic dataset for a domain task? Stress-testing API latency? Academic research that needs thousands of model calls?
You might look like a distillation attack.
Anthropic hasn’t published safe-use thresholds. How many calls per hour is okay? What volume triggers a review? What’s the line between “real distillation” (which they acknowledge exists) and “unauthorized distillation”? No one knows. An AI professor from Singapore’s Nanyang Technological University told CNBC, “the boundary between legitimate use and adversarial exploitation is often blurry.”
This creates a chilling effect for researchers and startups.
3. The Volume Mismatch
MiniMax: 13 million exchanges. Moonshot: 3.4 million. DeepSeek: 150,000. DeepSeek did less than 1% of the total volume. Yet it dominates headlines, congressional hearings, policy debates.
Why?
The technique burst into public consciousness in January 2025 when DeepSeek released its R1 reasoning model, which appeared to match or approach the performance of leading American models at dramatically lower cost. DeepSeek shook the industry. Made Nvidia lose $600 billion in market cap. Forced every AI lab to rethink their cost assumptions.
MiniMax and Moonshot didn’t. So even though MiniMax did 100x more distillation, DeepSeek’s the villain. The narrative isn’t driven by the data – it’s driven by who disrupted the market.
Think about what that means for a second. The company that extracted the least is getting the most policy attention. Because they succeeded at building something that scared incumbents.
What This Means Right Now
If you’re a Claude API user:
- Stricter rate limits on educational and research accounts
- More verification steps for new accounts and high-volume users
- Potential output modifications to make distillation less effective (Anthropic’s developing “model-level safeguards designed to reduce the efficacy of outputs for illicit distillation”)
If you’re building on any frontier API:
- Document your use case. Anything at scale? Leave a paper trail showing it’s real.
- Diversify your API providers. OpenAI noted in its memo: “It is not enough for any one lab to harden its protection because adversaries will simply default to the least protected provider.” As one provider tightens, others become targets.
- Assume outputs are being monitored. Storing completions or building datasets? Treat them as if someone’s watching the pattern.
Curious whether your favorite model was trained via distillation? Distillation benefits are jagged. For some capabilities, particularly if you don’t have a full training pipeline setup, quickly distilling data from the leading frontier model in that area can yield massive performance boosts. This can definitely help the lab catch up much more quickly. The technique works. That’s why it’s spreading.
Frequently Asked Questions
Is distillation illegal?
No. It’s a standard ML technique. What’s at issue: how it was done. Fraudulent accounts, violating ToS, bypassing regional restrictions. Breach of contract, not a criminal act. OpenAI’s ToS assigns output ownership to users, so proving IP theft is hard. Anthropic’s framing this as national security (models lose safety guardrails when distilled without permission), but the legal mechanism is ToS enforcement, not IP law.
Will this affect Claude’s API pricing or access?
Not immediately. But indirectly, yes. Anthropic’s investing in detection systems, behavioral fingerprinting, countermeasures – all of which cost money. They’ve tightened verification for educational, research, and startup accounts (the pathways most exploited). More friction for new users is coming. Possibly tiered access where verified orgs get higher rate limits. Pricing hasn’t changed as of February 2026, but if detection costs spiral or if they deploy output-level protections that degrade performance, it could ripple through. One scenario: they catch a 50,000-request eval run from a legitimate researcher and flag it – now that researcher needs to prove they’re not extracting. That friction is already happening.
Can I still use OpenAI’s official distillation tools without getting in trouble?
Yes. OpenAI’s Model Distillation feature is available to all developers today and can be used to distill any of their models, including GPT-4o and o1-preview. Stored Completions is available for free. You’re distilling your own API outputs (queried under your account, for your use) into a model you control. That’s allowed. What’s not: creating fake accounts to extract another company’s model at scale, or violating regional access restrictions via proxies. Using your real account, staying within rate limits, following ToS? You’re fine.
What you do next: If you’re using Claude or any frontier API at scale, check your account verification status and document your use case. Building a product that depends on API access? Consider a backup provider in case detection systems start flagging your traffic pattern. Just watching this unfold? Welcome to the messiest chapter yet in the AI race.