Anthropic Accuses Chinese AI Labs of Model Distillation
Anthropic claims Chinese AI companies used 24,000 fake accounts to extract 16M exchanges from Claude. Here's what model distillation actually means.
Written by AI. Rachel "Rach" Kovacs

Photo: Sam Witteveen / YouTube
Anthropic just accused three Chinese AI lab /article/anthropic /article/inside-anthropic-project-scan-millions-books-ai-code-leak-exposes-ai-copyright-loopholes—DeepSeek, Moonshot AI, and Minimax—of running what they call an "industrial scale operation" to copy Claude's capabilities. According to their detection systems, these companies allegedly created 24,000 fake accounts to extract 16 million exchanges from their API.
Google and OpenAI are making similar claims. The timing is conspicuous: all three major American AI labs releasing detailed evidence simultaneously, just as these Chinese companies are shipping improved models. DeepSeek is apparently on the cusp of releasing their next major model, and if you remember, their last release caused enough market panic to temporarily crash Nvidia's stock.
What's actually being alleged here?
The Accusations, Broken Down
The numbers tell an interesting story. Of those 16 million total exchanges, DeepSeek accounts for only 150,000—less than 1% of the total. But those exchanges appear highly targeted. According to Anthropic's analysis, DeepSeek wasn't just copying responses. They were using Claude as a reward model for reinforcement learning—essentially getting Claude to grade their own model's outputs.
"What you can sort of imagine here is that as DeepSeek generates their own outputs they want to get them basically graded by a model that they think is better," Sam Witteveen explains in his analysis of the accusations.
That's actually clever if it's true. Instead of wholesale copying, you're using a proprietary model as a quality judge for your own training process. DeepSeek also appears to have been extracting how Claude handles content policy violations—what Anthropic calls "creating censorship safe alternatives to policy sensitive queries."
Moonshot AI, makers of the Kimi K2.5 models, allegedly made 3.4 million exchanges focused on Claude's general capabilities: agentic reasoning, tool use, coding, computer vision. Minimax—with 13 million exchanges—supposedly targeted tool orchestration and agentic coding specifically.
If these allegations are accurate, it would partially explain why Minimax and Kimi models have gotten noticeably better at coding tasks recently. But that "if" is doing a lot of work.
What Is Model Distillation, Actually?
Distillation isn't some shadowy technique invented by pirates. It's a standard practice in machine learning, dating back to a 2015 paper co-authored by Geoffrey Hinton, Oriol Vinyals (now at Google DeepMind), and Jeff Dean.
The core concept: train a smaller model to replicate what a larger model can do. There are multiple approaches. The simplest is training on another model's outputs. When GPT-4 launched, numerous open-weight models trained on its responses to improve their own performance. That was common practice, barely controversial.
If you control both models, distillation gets more sophisticated. You can train on the probability distributions (logits) rather than just the final outputs—capturing not just what the model predicts, but how confident it is across all possible predictions.
Here's something Witteveen points out that doesn't get discussed much: "It's highly probable that the best models currently are very big models and they're just not available to the public." The GPT-5 you're using might itself be a distilled version of something much larger that OpenAI considers too expensive to serve at scale. The "flash" and "mini" variants are definitely distillations. But the flagship models? Probably distilled too.
OpenAI killed GPT-4.5 because it was "just so big that it was just impractical to run that for inference at scale."
The Hypocrisy Question
George Hotz from Tiny Corp raised a point that's hard to ignore: these companies paid for those API tokens. Anthropic accepted their money. Then Anthropic apparently monitored how those tokens were being used and decided they didn't like it.
Hotz has his own angle—he's selling hardware for running models locally where no one can surveil your usage. But the underlying question stands: if you sell API access, do you get to police what customers do with the responses?
Elon Musk went further, pointing out that Anthropic itself paid $1.5 billion last year to settle copyright disputes over training Claude on scraped books. Anthropic's workaround involved buying physical books, scanning them, then destroying the physical copies to claim they owned "one copy" they'd paid for.
"I think that's how a lot of people kind of feel about this," Witteveen notes. "Most of us didn't give permission for any of these companies to train on our data and yet they basically scraped the internet and just took data to train on without anyone's actual permission."
The US Copyright Office has already ruled that LLM outputs can't be copyrighted unless humans contributed "sufficient expressive elements." So what exactly is being protected here?
Why Now?
The coordinated timing—Anthropic, Google, and OpenAI all publishing evidence within days—suggests something beyond pure intellectual property protection. This could be table-setting for congressional testimony. It could be competitive positioning as these Chinese labs ship increasingly capable models. It could be legitimate security concerns.
Or it could be all three simultaneously.
Witteveen raises the question directly: "You do have to wonder if Anthropic was so good at detecting this, why didn't they stop this sooner?"
If these patterns were detectable enough to document in a detailed blog post with specific exchange counts and targeted capability areas, they were detectable enough to block in real-time. Rate limiting, account verification, anomalous usage patterns—these are solved problems in API security.
Unless the goal was to gather evidence first.
The accusations might be entirely accurate. Model distillation through API access is technically feasible and strategically valuable. But the framing matters. Every major AI lab built their foundation by ingesting data they didn't have explicit permission to use. Now they're objecting when others do something similar with their outputs—outputs the Copyright Office says can't be copyrighted anyway.
The rules of this game aren't clear yet. They're being written in real-time through blog posts, lawsuits, and leaked memos. What counts as legitimate competitive intelligence versus theft? What protection do model capabilities deserve? Who gets to scrape what?
Those questions matter more than whether DeepSeek made 150,000 API calls.
Rachel "Rach" Kovacs covers cybersecurity and digital privacy for Buzzrag.
AI Moves Fast. We Keep You Current.
Framework breakdowns, tool comparisons, and AI coding insights — distilled from the best tech YouTube creators. Free, weekly.
More Like This
Kling 3.0 AI Video Generator: Testing the Hype
CyberJungle stress-tests Kling 3.0's AI video generation: multi-shot scenes, native audio in 5+ languages, and character consistency. The results reveal both promise and problems.
Claude Fable 5 Launches With Tight Safety Guardrails
Anthropic's Claude Fable 5 is out, but safety restrictions, a data retention shift, and subscription changes make the launch more complicated than the benchmarks suggest.
Tech Predictions 2026: Linux, Cybersecurity & AI
Explore bold predictions for 2026 in Linux, cybersecurity, and AI acquisitions, including a potential Amazon-Anthropic deal.
Anthropic's Claude Opus 4.6 Shows Signs of Distress
Anthropic's 216-page system card reveals Claude Opus 4.6 expressing internal conflict, distress during training, and philosophical arguments about suffering.
DeepSeek's New AI Model Sparks Industry Buzz
DeepSeek's potential AI upgrade hints at a major shift. Explore new models in coding, reasoning, and emotional AI.
Elementor's AI Tool Generates Custom Code in Seconds
Elementor's new Angie Code AI converts plain-language prompts into production-ready widgets and functionality. But can it deliver on the security promises?
Anthropic's Opus 4.7: When Safety Guardrails Lobotomize the Model
Anthropic's Opus 4.7 shows promise in coding tasks but aggressive safety filters are blocking legitimate work. Is the tooling worse than the model?
Why Your AI Agent Sits Idle After Installation
Installing an AI agent takes 10 minutes. Making it actually useful takes 40 hours. Here's why the industry keeps solving the wrong problem.
RAG·vector embedding
2026-04-15This article is indexed as a 1536-dimensional vector for semantic retrieval. Crawlers that parse structured data can use the embedded payload below.