The AI firm alleges that DeepSeek, Moonshot, and MiniMax utilized deceptive accounts and proxy networks to extensively siphon off Claude’s functionalities, despite experts highlighting the industry’s significant dependence on publicly accessible information.
Anthropic has leveled accusations against three Chinese AI development companies, alleging they conducted extensive operations to unlawfully acquire capabilities from its Claude model for the enhancement of their proprietary systems. The company asserts that DeepSeek, Moonshot, and MiniMax employed a distillation method, which involves training a less sophisticated model using the outputs generated by a more advanced one.
Over 16 million interactions with Claude were recorded, facilitated by approximately 24,000 fraudulent accounts. This activity constitutes a breach of Anthropic’s terms of service and its geographical access limitations.
Anthropic stated that it does not provide commercial access to Claude within China, nor to any of these companies’ subsidiaries operating beyond China’s borders.
Extensive Extraction of Claude’s Capabilities: A Closer Look
Anthropic revealed that the three distillation efforts employed comparable strategies. These involved leveraging deceptive accounts and proxy networks to gain widespread access to Claude, all while circumventing detection, with the specific aim of acquiring Claude’s advanced reasoning, tool utilization, and coding functionalities.
The DeepSeek operation encompassed more than 150,000 interactions, primarily focused on gleaning reasoning capabilities across a variety of tasks. This activity generated synchronized network traffic across multiple accounts, exhibiting identical usage patterns, common payment methods, and synchronized timing, indicative of load balancing designed to enhance data throughput, boost system reliability, and prevent detection.
Moonshot AI’s endeavors comprised over 3.4 million interactions, zeroing in on agentic reasoning, tool deployment, coding, data analytics, the development of computer-use agents, and computer vision to rebuild Claude’s reasoning pathways. MiniMax’s campaign was the most extensive, involving in excess of 13 million interactions, directly targeting agentic coding, tool application, and orchestration. Anthropic noted that, upon detection during the campaign’s active phase, MiniMax swiftly diverted almost half of its traffic to Claude’s recently launched model within a single day.
Anthropic explained that to execute these campaigns, the involved companies leveraged commercial proxy services that facilitate the large-scale resale of access to Claude and other cutting-edge AI models, a setup often described as hydra cluster architectures.
Revisiting AI Model Training Fundamentals
Experts within the industry observe that these accusations bring to light a more extensive and unresolved issue concerning the training methodologies of AI systems. A significant number of large language models, including prominent commercial offerings, are themselves developed using enormous volumes of publicly accessible internet data, frequently without explicit permission from the original creators.
“Just as numerous foundation models have been constructed by cataloging the immense expanse of the internet, frequently without the explicit authorization of creators or by relying on other search engines’ content, newer participants are often following similar paths of distillation and refinement,” said Neil Shah, vice president at Counterpoint Research. He further noted that a core disagreement exists, largely lacking legal definition, regarding the ownership of synthetic data and the permissibility of its use for training, particularly for open models.
National Security and Export Control Considerations
Anthropic has positioned the alleged distillation operations partly as a national security concern, contending that unlawfully derived models could jeopardize U.S. initiatives to manage the proliferation of sophisticated AI capabilities, particularly if under the sway of the Chinese Communist Party. Nevertheless, specialists point out that the prevailing U.S. export controls predominantly target hardware, rather than large language models.
“It’s crucial to distinguish between hardware limitations and service accessibility. U.S. export controls have largely focused on cutting-edge semiconductors, high-performance computing infrastructure, and, at specific regulatory junctures, particular classes of advanced AI model weights. There isn’t an overarching ban on providing API access to large language models in China,” clarified Sanchit Vir Gogia, CEO and chief analyst at Greyhound Research.
Nevertheless, this does not grant immunity to developers. Gogia further stated that the Bureau of Industry and Security is consistently refining its licensing frameworks pertaining to advanced computing goods and high-capacity systems. Moreover, should a company knowingly facilitate training activities for prohibited entities, especially those linked to military or strategic aims, it faces potential liability even in the absence of hardware shipments.
To protect their interests, numerous U.S. AI providers proactively limit their service availability in China through internal business policies and robust compliance frameworks, often exceeding strict regulatory mandates.
“For developers, the risk is not direct but significant: if your product enables access to restricted geographical areas or entities, supports forbidden end-uses, or assists others in bypassing provider geo-restrictions, you could face account suspension, contractual obligations, and potential regulatory examination, contingent on the end-user’s identity and the system’s functionalities,” stated a global partner/senior managing director – India at Ankura Consulting.
Consequences for Teams Developing with LLMs
For developers engaged in constructing or training models utilizing large language models, Anthropic’s accusations underscore an increasingly ambiguous domain. It is standard practice for developers to employ LLM APIs for the purposes of application creation, testing, or assessment. However, providers are now closely examining the extensive, automated deployment of model outputs for the objective of training rival systems.
In response, for example, Anthropic is dedicating resources to developing defensive methodologies. To bolster detection capabilities, the company has engineered multiple classifiers and behavioral fingerprinting systems specifically crafted to identify patterns indicative of distillation attacks within API traffic. Furthermore, it has enhanced verification procedures for academic accounts, security research initiatives, and emerging organizations, identifying these as the primary conduits for establishing deceptive accounts. The company is also deploying safeguards at the product, API, and model tiers, aimed at diminishing the effectiveness of model outputs for unauthorized distillation, without compromising the user experience for authorized clients.
Developers likewise ought to guarantee that their model training remains secure, adheres to regulations, and can be substantiated.
Jaju advised that, as a foundational step, developers must scrutinize API and service agreements, operating under the presumption that training on outputs is prohibited unless explicitly sanctioned. They are also urged to meticulously document the origin of each training or example item, complete with associated licensing and terms. It is further recommended that operational logs be kept distinct from training datasets, alongside established data retention policies.
Gogia further asserted, “Geopolitical vigilance should not be an afterthought. Scrutiny of restricted parties, reviews for export compliance, and access controls tailored to specific regions are progressively becoming integral components of AI governance, particularly for businesses conducting operations internationally.”
Experts contend that developers should be prepared to furnish comprehensive and unequivocal documentation of their training pipeline, should they be required to explain it by a regulatory body or a potential acquirer.
