Anthropic accuses Chinese AI labs of illicit Claude copying

Anthropic has accused three AI labs - DeepSeek, Moonshot and MiniMax - of running large-scale campaigns to extract Claude's outputs and use them to train rival models.

The activity involved more than 16 million exchanges with Claude via about 24,000 fraudulent accounts, which Anthropic said violated its terms of service and regional access restrictions.

The allegations centre on "distillation", a method that uses outputs from a more capable model as training data for a less capable one. The technique is common across the industry and can be used legitimately, but Anthropic said it has also seen it used to copy model behaviour faster and more cheaply than building a system from scratch.

Anthropic said the three campaigns showed patterns unlike normal customer use, citing high volume, repetitive prompt structures and a focus on a narrow set of model functions as signs of deliberate capability extraction.

Security concerns

Anthropic linked illicit distillation to national security risks, arguing that models trained on extracted outputs may not retain safeguards that restrict use in areas such as biological weapons development and malicious cyber activity.

It also warned that foreign labs could feed unprotected model behaviour into military, intelligence and surveillance applications. Open-sourcing such models, it added, could widen the risk by spreading those behaviours more broadly.

Anthropic also tied the issue to US export controls on advanced chips. Distillation attacks, it said, can undermine the intent of those controls by giving foreign labs another route to obtain model behaviour derived from American systems. It added that distillation at scale still requires access to advanced compute, which export rules aim to restrict.

Attribution methods

Anthropic said it attributed the activity to the three labs "with high confidence", citing IP address correlation, request metadata and infrastructure indicators. It added that industry partners had observed similar actors and behaviour on their own platforms.

The campaigns targeted what Anthropic called Claude's "most differentiated capabilities", including agentic reasoning, tool use and coding.

DeepSeek activity

Anthropic said the DeepSeek campaign involved more than 150,000 exchanges. It described prompts seeking reasoning across diverse tasks and rubric-based grading designed to make Claude act like a reward model for reinforcement learning.

It also reported prompts aimed at generating "censorship-safe alternatives" to politically sensitive queries. Traffic appeared synchronised across accounts, with identical patterns, shared payment methods and coordinated timing - signals Anthropic said were consistent with load balancing to increase throughput and evade detection.

One technique asked Claude to "imagine and articulate the internal reasoning behind a completed response and write it out step by step", which Anthropic framed as an attempt to generate chain-of-thought training data at scale. It also said request metadata linked some accounts to specific researchers at the lab.

Moonshot scale

Anthropic said the Moonshot campaign involved more than 3.4 million exchanges and focused on agentic reasoning, tool use, coding, data analysis, computer-use agent development and computer vision.

Moonshot used hundreds of fraudulent accounts across multiple access pathways, Anthropic said. The variety of account types made coordination harder to detect. Request metadata, it added, matched public profiles of senior Moonshot staff. A later phase used a more targeted approach aimed at extracting and reconstructing Claude's reasoning traces.

MiniMax volume

Anthropic said MiniMax generated more than 13 million exchanges, targeting agentic coding and tool use. It attributed the campaign to MiniMax using request metadata and infrastructure indicators.

Anthropic said it detected the operation while it was still active, before MiniMax released the model it was training. That, it said, provided visibility into a distillation life cycle from data generation through to a model launch. It also said MiniMax changed tactics after Anthropic released a new model, redirecting nearly half its traffic within 24 hours to gather outputs from the updated system.

Proxy networks

Anthropic said it does not offer commercial access to Claude in China, or to subsidiaries of Chinese companies outside the country, citing national security reasons. It said some labs bypass restrictions using commercial proxy services that resell access to Claude and other models at scale.

These proxy operations use "hydra cluster" architectures, Anthropic said: networks of fraudulent accounts that distribute traffic across Anthropic's API and third-party cloud platforms. The design reduces single points of failure because replacement accounts can take over after bans.

In one case, a single proxy network managed more than 20,000 fraudulent accounts simultaneously, Anthropic said. It added that the network mixed distillation traffic with unrelated customer requests, making detection more difficult.

Defensive steps

Anthropic said it has built classifiers and behavioural fingerprinting systems to identify distillation patterns in API traffic, including chain-of-thought elicitation and coordinated activity across large numbers of accounts.

It said it is sharing technical indicators with other AI labs, cloud providers and relevant authorities. It has also strengthened verification for educational accounts, security research programmes and startup organisations, which it described as common pathways for fraudulent account creation.

Anthropic said it is developing product, API and model-level safeguards to reduce the usefulness of outputs for illicit distillation without affecting legitimate customers.

"These campaigns are growing in intensity and sophistication. The window to act is narrow, and the threat extends beyond any single company or region. Addressing it will require rapid, coordinated action among industry players, policymakers, and the global AI community."