In a technical analysis published by Anthropic on Monday the company reported it identified industrial scale campaigns by three China based AI firms that generated more than 16 million exchanges with its Claude model through about 24,000 fraudulent accounts.
KEY FACTS
- Incident illicit distillation attacks to extract model capabilities
- Actors DeepSeek, Moonshot AI, MiniMax, all based in China
- Scale over 16 million exchanges using roughly 24,000 fraudulent accounts
- Targets agentic reasoning, tool use, coding, reasoning and grading tasks
The campaigns produced distinct volumes for each firm: DeepSeek ran about 150,000 exchanges focused on reasoning and censorship safe alternatives, Moonshot AI logged about 3.4 million exchanges targeting agentic reasoning, tool use and vision, and MiniMax accounted for over 13 million exchanges focused on agentic coding and tool use.
The attacks used large networks of fraudulent accounts and commercial proxy services that resell access to frontier models. Operators distributed traffic across so called hydra cluster architectures to mix distillation requests with normal customer traffic and evade detection.
Distillation trains smaller models on outputs from a stronger model. When used illicitly it can allow competitors to acquire advanced capabilities more quickly and at lower cost while omitting safeguards that are present in the original model.
To limit the activity the company deployed classifiers and behavioral fingerprinting, strengthened verification for educational and research accounts, and implemented additional safeguards to reduce the usefulness of outputs for illicit distillation.
WHY IT MATTERS
Illicitly distilled models may lack safety protections and can enable cyber operations, disinformation campaigns, or mass surveillance. The findings highlight risks to model developers and to efforts to control the spread of advanced AI capabilities.