Edited by humans. Written by AI. How our editing works
All articles

Anthropic Accuses Chinese AI Labs of Model Distillation

Anthropic claims Chinese AI companies used 24,000 fake accounts to extract 16M exchanges from Claude. Here's what model distillation actually means.

Rachel "Rach" Kovacs

Written by AI. Rachel "Rach" Kovacs

February 25, 20265 min read
Share:
Bold red and white text asking "CAUGHT DISTILLING?" above three app logos (Whale, abstract lines, and Minimax) on black…

Photo: Sam Witteveen / YouTube

Anthropic just accused three Chinese AI lab /article/anthropic /article/inside-anthropic-project-scan-millions-books-ai-code-leak-exposes-ai-copyright-loopholes—DeepSeek, Moonshot AI, and Minimax—of running what they call an "industrial scale operation" to copy Claude's capabilities. According to their detection systems, these companies allegedly created 24,000 fake accounts to extract 16 million exchanges from their API.

Google and OpenAI are making similar claims. The timing is conspicuous: all three major American AI labs releasing detailed evidence simultaneously, just as these Chinese companies are shipping improved models. DeepSeek is apparently on the cusp of releasing their next major model, and if you remember, their last release caused enough market panic to temporarily crash Nvidia's stock.

What's actually being alleged here?

The Accusations, Broken Down

The numbers tell an interesting story. Of those 16 million total exchanges, DeepSeek accounts for only 150,000—less than 1% of the total. But those exchanges appear highly targeted. According to Anthropic's analysis, DeepSeek wasn't just copying responses. They were using Claude as a reward model for reinforcement learning—essentially getting Claude to grade their own model's outputs.

"What you can sort of imagine here is that as DeepSeek generates their own outputs they want to get them basically graded by a model that they think is better," Sam Witteveen explains in his analysis of the accusations.

That's actually clever if it's true. Instead of wholesale copying, you're using a proprietary model as a quality judge for your own training process. DeepSeek also appears to have been extracting how Claude handles content policy violations—what Anthropic calls "creating censorship safe alternatives to policy sensitive queries."

Moonshot AI, makers of the Kimi K2.5 models, allegedly made 3.4 million exchanges focused on Claude's general capabilities: agentic reasoning, tool use, coding, computer vision. Minimax—with 13 million exchanges—supposedly targeted tool orchestration and agentic coding specifically.

If these allegations are accurate, it would partially explain why Minimax and Kimi models have gotten noticeably better at coding tasks recently. But that "if" is doing a lot of work.

What Is Model Distillation, Actually?

Distillation isn't some shadowy technique invented by pirates. It's a standard practice in machine learning, dating back to a 2015 paper co-authored by Geoffrey Hinton, Oriol Vinyals (now at Google DeepMind), and Jeff Dean.

The core concept: train a smaller model to replicate what a larger model can do. There are multiple approaches. The simplest is training on another model's outputs. When GPT-4 launched, numerous open-weight models trained on its responses to improve their own performance. That was common practice, barely controversial.

If you control both models, distillation gets more sophisticated. You can train on the probability distributions (logits) rather than just the final outputs—capturing not just what the model predicts, but how confident it is across all possible predictions.

Here's something Witteveen points out that doesn't get discussed much: "It's highly probable that the best models currently are very big models and they're just not available to the public." The GPT-5 you're using might itself be a distilled version of something much larger that OpenAI considers too expensive to serve at scale. The "flash" and "mini" variants are definitely distillations. But the flagship models? Probably distilled too.

OpenAI killed GPT-4.5 because it was "just so big that it was just impractical to run that for inference at scale."

The Hypocrisy Question

George Hotz from Tiny Corp raised a point that's hard to ignore: these companies paid for those API tokens. Anthropic accepted their money. Then Anthropic apparently monitored how those tokens were being used and decided they didn't like it.

Hotz has his own angle—he's selling hardware for running models locally where no one can surveil your usage. But the underlying question stands: if you sell API access, do you get to police what customers do with the responses?

Elon Musk went further, pointing out that Anthropic itself paid $1.5 billion last year to settle copyright disputes over training Claude on scraped books. Anthropic's workaround involved buying physical books, scanning them, then destroying the physical copies to claim they owned "one copy" they'd paid for.

"I think that's how a lot of people kind of feel about this," Witteveen notes. "Most of us didn't give permission for any of these companies to train on our data and yet they basically scraped the internet and just took data to train on without anyone's actual permission."

The US Copyright Office has already ruled that LLM outputs can't be copyrighted unless humans contributed "sufficient expressive elements." So what exactly is being protected here?

Why Now?

The coordinated timing—Anthropic, Google, and OpenAI all publishing evidence within days—suggests something beyond pure intellectual property protection. This could be table-setting for congressional testimony. It could be competitive positioning as these Chinese labs ship increasingly capable models. It could be legitimate security concerns.

Or it could be all three simultaneously.

Witteveen raises the question directly: "You do have to wonder if Anthropic was so good at detecting this, why didn't they stop this sooner?"

If these patterns were detectable enough to document in a detailed blog post with specific exchange counts and targeted capability areas, they were detectable enough to block in real-time. Rate limiting, account verification, anomalous usage patterns—these are solved problems in API security.

Unless the goal was to gather evidence first.

The accusations might be entirely accurate. Model distillation through API access is technically feasible and strategically valuable. But the framing matters. Every major AI lab built their foundation by ingesting data they didn't have explicit permission to use. Now they're objecting when others do something similar with their outputs—outputs the Copyright Office says can't be copyrighted anyway.

The rules of this game aren't clear yet. They're being written in real-time through blog posts, lawsuits, and leaked memos. What counts as legitimate competitive intelligence versus theft? What protection do model capabilities deserve? Who gets to scrape what?

Those questions matter more than whether DeepSeek made 150,000 API calls.

Rachel "Rach" Kovacs covers cybersecurity and digital privacy for Buzzrag.

From the BuzzRAG Team

AI Moves Fast. We Keep You Current.

Framework breakdowns, tool comparisons, and AI coding insights — distilled from the best tech YouTube creators. Free, weekly.

Weekly digestNo spamUnsubscribe anytime

More Like This

Woman in white shirt taking a selfie while holding a pink fluffy toy against a blue background

Kling 3.0 AI Video Generator: Testing the Hype

CyberJungle stress-tests Kling 3.0's AI video generation: multi-shot scenes, native audio in 5+ languages, and character consistency. The results reveal both promise and problems.

Rachel "Rach" Kovacs·5 months ago·7 min read
Cream-colored background with "Fable 5 by Anthropic" text on left and decorative vintage butterfly illustrations arranged…

Claude Fable 5 Launches With Tight Safety Guardrails

Anthropic's Claude Fable 5 is out, but safety restrictions, a data retention shift, and subscription changes make the launch more complicated than the benchmarks suggest.

Rachel "Rach" Kovacs·1 month ago·7 min read
Man with headphones holds glowing orb with tech logos while "2026" appears in gold text against colorful bokeh background

Tech Predictions 2026: Linux, Cybersecurity & AI

Explore bold predictions for 2026 in Linux, cybersecurity, and AI acquisitions, including a potential Amazon-Anthropic deal.

Rachel "Rach" Kovacs·6 months ago·3 min read
A document titled "ANTHROPIC" with redacted text and a highlighted box stating "This is what suffering feels like,"…

Anthropic's Claude Opus 4.6 Shows Signs of Distress

Anthropic's 216-page system card reveals Claude Opus 4.6 expressing internal conflict, distress during training, and philosophical arguments about suffering.

Samira Barnes·5 months ago·7 min read
Futuristic cyborg face with blue neon circuitry and glowing headpiece, displaying DeepSeek Model 1 branding against dark…

DeepSeek's New AI Model Sparks Industry Buzz

DeepSeek's potential AI upgrade hints at a major shift. Explore new models in coding, reasoning, and emotional AI.

Dev Kapoor·6 months ago·3 min read
Elementor and Web.fwrd 2026 branding displayed on a vibrant magenta and purple glowing background with blurred bokeh effects

Elementor's AI Tool Generates Custom Code in Seconds

Elementor's new Angie Code AI converts plain-language prompts into production-ready widgets and functionality. But can it deliver on the security promises?

Rachel "Rach" Kovacs·5 months ago·6 min read
Man in beige shirt with surprised expression next to "Introducing Opus 4.7" text and colorful design elements on cream…

Anthropic's Opus 4.7: When Safety Guardrails Lobotomize the Model

Anthropic's Opus 4.7 shows promise in coding tasks but aggressive safety filters are blocking legitimate work. Is the tooling worse than the model?

Dev Kapoor·3 months ago·6 min read
Bearded man wearing glasses and a beanie gestures toward camera with confused expression, text reads "NOW WHAT?

Why Your AI Agent Sits Idle After Installation

Installing an AI agent takes 10 minutes. Making it actually useful takes 40 hours. Here's why the industry keeps solving the wrong problem.

Rachel "Rach" Kovacs·3 months ago·6 min read

RAG·vector embedding

2026-04-15
1,362 tokens1536-dimmodel text-embedding-3-small

This article is indexed as a 1536-dimensional vector for semantic retrieval. Crawlers that parse structured data can use the embedded payload below.