In February 2026, Anthropic published a detailed account of something that had been happening for months: coordinated, systematic attempts by Chinese AI companies to extract Claude’s capabilities through what they called distillation attacks.
The three companies named: DeepSeek, Moonshot AI, and MiniMax. The method: approximately 24,000 fraudulent accounts that collectively sent over 16 million queries to the Claude API. Each company targeted different capability areas. All three were trying to build training datasets from Claude’s outputs to improve their own models.
This is worth understanding in depth — both technically and strategically.
What Is Knowledge Distillation and Why Is It Valuable
Knowledge distillation is a legitimate technique in machine learning. The idea: you have a large, expensive “teacher” model and a smaller “student” model. You train the student to mimic the teacher’s outputs. Done well, the student captures a significant fraction of the teacher’s capability at a fraction of the compute cost.
The technique has been used openly in academia and industry for years. OpenAI’s papers mention it. Meta’s Llama models benefited from it. It’s not inherently problematic.
What DeepSeek, Moonshot, and MiniMax did was different: they used another company’s production API — without permission, through fraudulent accounts designed to evade detection — to generate large-scale training data. This isn’t distillation as a machine learning technique. It’s systematic IP theft using technical infrastructure.
How The Attack Worked
Anthropic’s account described the attack pattern in detail.
The accounts were created in batches to avoid rate limiting. They used varied IP addresses, billing information, and usage patterns to appear as legitimate developers. The queries weren’t random — they were carefully crafted to elicit high-quality, exemplary outputs in specific capability areas.
Each company targeted what they wanted most:
DeepSeek focused primarily on reasoning tasks — complex multi-step problems, mathematical reasoning, and structured problem-solving. Their goal was to improve what became their R1 and V3 reasoning capabilities.
Moonshot AI targeted tool use and function calling — how Claude interprets and executes structured API calls, handles tool results, and chains tool calls across multi-step tasks.
MiniMax focused on coding tasks — particularly agentic coding patterns, code generation quality, and how Claude handles complex software engineering problems.
At 16 million queries, this wasn’t a proof of concept. This was an industrial-scale data collection operation.
Why This Is Technically Effective
The reason distillation attacks work is a property of how large language models learn. The output distribution of a well-trained model encodes significant knowledge — not just the final answer, but the structure of reasoning, the patterns of error recovery, the style of explanation.
When you train a model on outputs from a superior model, you’re not just training it on correct answers. You’re training it on the way the teacher reasons. If the teacher’s output on a reasoning problem shows step-by-step chain of thought, the student learns that pattern of reasoning — not just the specific answer.
This is why 16 million examples is valuable even though Claude has vastly more training data. You’re not trying to replicate all of Claude — you’re surgically improving specific capabilities by showing the student model exactly how the teacher handles those cases.
The Detection Problem
Anthropic detected this because they were looking for it. The tell-tale patterns: accounts that appeared legitimate on registration but showed highly structured, non-organic query patterns at scale. The same capability areas queried repeatedly with variations designed to maximize coverage of the capability space.
This is genuinely hard to detect. A legitimate company stress-testing their integration might send large volumes of similar queries. A developer building an evaluation harness might send structured queries across many capability dimensions. The signal-to-noise ratio is difficult.
Anthropic’s response was to terminate the accounts and publish the findings — a disclosure strategy that was simultaneously a PR move (positioning themselves as the company being stolen from) and a legitimate contribution to the field (documenting the attack pattern for others to watch for).
What This Means for the Industry
Several things are now true that weren’t clearly articulated before.
Model outputs are effectively IP. The legal landscape here is unsettled, but Anthropic is arguing that using API outputs to systematically train competing models is a terms-of-service violation that causes competitive harm. Whether that’s legally actionable is a separate question from whether it’s true.
The cost of frontier model capability is being externalized. Training Claude’s capabilities cost Anthropic enormous compute and research investment. Distillation attacks let competitors capture some fraction of that capability for the cost of 16 million API calls. At $5–15 per 1M tokens depending on model tier, 16 million calls might cost $80,000–240,000. That’s an extraordinarily cheap way to improve a competing model.
Chinese AI labs specifically have incentive to do this. Export controls and compute restrictions make it harder for Chinese labs to train at the frontier. Distillation provides an alternative path — not to frontier performance, but to competitive performance on specific benchmarks at lower compute cost. DeepSeek’s benchmark results on reasoning tasks post-dating this period become more interpretable in this context.
The Honest Assessment
I want to be direct about what we know and don’t know.
Anthropic’s account is one-sided — this is their telling of what happened. DeepSeek, Moonshot, and MiniMax have not published detailed rebuttals. The technical details Anthropic shared are specific enough to be credible, but the framing is obviously self-serving.
More importantly: distillation from closed API outputs is happening across the industry in forms that range from clearly illegitimate (fake accounts, evading rate limits) to legally gray (using Claude API to generate a benchmark dataset that helps evaluate your model) to clearly legitimate (academic research with proper attribution). The industry has not reached consensus on where those lines are.
What Anthropic documented was the clearest, most egregious end of that spectrum: industrial-scale, covert, targeted extraction through fraudulent accounts. That’s not a gray area.
For developers and companies building on API services: this matters because it shapes how API providers will respond. Expect rate limits to tighten, usage monitoring to increase, and terms of service around training data to become more explicit. The distillation attacks disclosed by Anthropic have already changed how the major labs think about their API policies.
The frontier is getting harder to steal from. That changes the economics for everyone.