Anthropic Accuses Chinese AI Labs of Model Distillation
Anthropic claims Chinese AI companies used 24,000 fake accounts to extract 16M exchanges from Claude. Here's what model distillation actually means.
Written by AI. Rachel "Rach" Kovacs
February 25, 2026
Photo: Sam Witteveen / YouTube
Anthropic just accused three Chinese AI labs—DeepSeek, Moonshot AI, and Minimax—of running what they call an "industrial scale operation" to copy Claude's capabilities. According to their detection systems, these companies allegedly created 24,000 fake accounts to extract 16 million exchanges from their API.
Google and OpenAI are making similar claims. The timing is conspicuous: all three major American AI labs releasing detailed evidence simultaneously, just as these Chinese companies are shipping improved models. DeepSeek is apparently on the cusp of releasing their next major model, and if you remember, their last release caused enough market panic to temporarily crash Nvidia's stock.
What's actually being alleged here?
The Accusations, Broken Down
The numbers tell an interesting story. Of those 16 million total exchanges, DeepSeek accounts for only 150,000—less than 1% of the total. But those exchanges appear highly targeted. According to Anthropic's analysis, DeepSeek wasn't just copying responses. They were using Claude as a reward model for reinforcement learning—essentially getting Claude to grade their own model's outputs.
"What you can sort of imagine here is that as DeepSeek generates their own outputs they want to get them basically graded by a model that they think is better," Sam Witteveen explains in his analysis of the accusations.
That's actually clever if it's true. Instead of wholesale copying, you're using a proprietary model as a quality judge for your own training process. DeepSeek also appears to have been extracting how Claude handles content policy violations—what Anthropic calls "creating censorship safe alternatives to policy sensitive queries."
Moonshot AI, makers of the Kimi K2.5 models, allegedly made 3.4 million exchanges focused on Claude's general capabilities: agentic reasoning, tool use, coding, computer vision. Minimax—with 13 million exchanges—supposedly targeted tool orchestration and agentic coding specifically.
If these allegations are accurate, it would partially explain why Minimax and Kimi models have gotten noticeably better at coding tasks recently. But that "if" is doing a lot of work.
What Is Model Distillation, Actually?
Distillation isn't some shadowy technique invented by pirates. It's a standard practice in machine learning, dating back to a 2015 paper co-authored by Geoffrey Hinton, Oriol Vinyals (now at Google DeepMind), and Jeff Dean.
The core concept: train a smaller model to replicate what a larger model can do. There are multiple approaches. The simplest is training on another model's outputs. When GPT-4 launched, numerous open-weight models trained on its responses to improve their own performance. That was common practice, barely controversial.
If you control both models, distillation gets more sophisticated. You can train on the probability distributions (logits) rather than just the final outputs—capturing not just what the model predicts, but how confident it is across all possible predictions.
Here's something Witteveen points out that doesn't get discussed much: "It's highly probable that the best models currently are very big models and they're just not available to the public." The GPT-5 you're using might itself be a distilled version of something much larger that OpenAI considers too expensive to serve at scale. The "flash" and "mini" variants are definitely distillations. But the flagship models? Probably distilled too.
OpenAI killed GPT-4.5 because it was "just so big that it was just impractical to run that for inference at scale."
The Hypocrisy Question
George Hotz from Tiny Corp raised a point that's hard to ignore: these companies paid for those API tokens. Anthropic accepted their money. Then Anthropic apparently monitored how those tokens were being used and decided they didn't like it.
Hotz has his own angle—he's selling hardware for running models locally where no one can surveil your usage. But the underlying question stands: if you sell API access, do you get to police what customers do with the responses?
Elon Musk went further, pointing out that Anthropic itself paid $1.5 billion last year to settle copyright disputes over training Claude on scraped books. Anthropic's workaround involved buying physical books, scanning them, then destroying the physical copies to claim they owned "one copy" they'd paid for.
"I think that's how a lot of people kind of feel about this," Witteveen notes. "Most of us didn't give permission for any of these companies to train on our data and yet they basically scraped the internet and just took data to train on without anyone's actual permission."
The US Copyright Office has already ruled that LLM outputs can't be copyrighted unless humans contributed "sufficient expressive elements." So what exactly is being protected here?
Why Now?
The coordinated timing—Anthropic, Google, and OpenAI all publishing evidence within days—suggests something beyond pure intellectual property protection. This could be table-setting for congressional testimony. It could be competitive positioning as these Chinese labs ship increasingly capable models. It could be legitimate security concerns.
Or it could be all three simultaneously.
Witteveen raises the question directly: "You do have to wonder if Anthropic was so good at detecting this, why didn't they stop this sooner?"
If these patterns were detectable enough to document in a detailed blog post with specific exchange counts and targeted capability areas, they were detectable enough to block in real-time. Rate limiting, account verification, anomalous usage patterns—these are solved problems in API security.
Unless the goal was to gather evidence first.
The accusations might be entirely accurate. Model distillation through API access is technically feasible and strategically valuable. But the framing matters. Every major AI lab built their foundation by ingesting data they didn't have explicit permission to use. Now they're objecting when others do something similar with their outputs—outputs the Copyright Office says can't be copyrighted anyway.
The rules of this game aren't clear yet. They're being written in real-time through blog posts, lawsuits, and leaked memos. What counts as legitimate competitive intelligence versus theft? What protection do model capabilities deserve? Who gets to scrape what?
Those questions matter more than whether DeepSeek made 150,000 API calls.
Rachel "Rach" Kovacs covers cybersecurity and digital privacy for Buzzrag.
Watch the Original Video
Caught Distilling from Claude?
Sam Witteveen
13m 24sAbout This Source
Sam Witteveen
Sam Witteveen, a prominent figure in artificial intelligence, engages a substantial YouTube audience of over 113,000 subscribers with his expert insights into the world of deep learning. With more than a decade of experience in the field and five years focusing on Transformers and Large Language Models (LLMs), Sam has been a Google Developer Expert for Machine Learning since 2017. His channel is a vital resource for AI enthusiasts and professionals, offering a deep dive into the latest trends and innovations in AI, such as Nvidia models and autonomous agents.
Read full source profileMore Like This
Anthropic's Claude Opus 4.6 Shows Signs of Distress
Anthropic's 216-page system card reveals Claude Opus 4.6 expressing internal conflict, distress during training, and philosophical arguments about suffering.
Kling 3.0 AI Video Generator: Testing the Hype
CyberJungle stress-tests Kling 3.0's AI video generation: multi-shot scenes, native audio in 5+ languages, and character consistency. The results reveal both promise and problems.
DeepSeek's New AI Model Sparks Industry Buzz
DeepSeek's potential AI upgrade hints at a major shift. Explore new models in coding, reasoning, and emotional AI.
Elementor's AI Tool Generates Custom Code in Seconds
Elementor's new Angie Code AI converts plain-language prompts into production-ready widgets and functionality. But can it deliver on the security promises?