On Monday, February 23, the American artificial intelligence company Anthropic revealed that three Chinese companies had unlawfully leveraged its Claude chatbot to improve their own models. Anthropic also called for export controls on high-end AI chips.
Previously, the development company of another chatbot, ChatGPT, OpenAI, issued a memorandum warning that a Chinese AI company, DeepSeek, was targeting ChatGPT and Claude in an attempt to replicate American AI models for their own training purposes.
In a blog post on Wednesday, Anthropic specifically named three Chinese AI companies – DeepSeek, Moonshot, and MiniMax – accusing them of utilizing around 24,000 fake accounts to launch “industrial-grade distillation attacks” on Claude. These interactions numbered as high as 16 million, violating service terms and regional access restrictions.
Anthropic pointed out that these Chinese companies employed “distillation” techniques, in which the outputs of a stronger model are used to train a weaker one. In essence, the Chinese AI companies were illicitly mining the modeling capabilities of their American competitors to save on research and development time and costs.
“These attack activities are continually increasing in strength and complexity. The time window for taking action is narrow, and the scope of threats goes far beyond any single company or region,” the statement said.
Anthropic warned that models distilled illegally by these Chinese companies lack essential security safeguards, posing significant national security risks.
The blog post stated, “Systems built by Anthropic and other American companies are intended to prevent both national and non-state actors from using AI to develop biological weapons or engage in malicious cyber activities.”
“Models constructed through illicit distillation are unlikely to retain these security safeguards, meaning that dangerous capabilities could rapidly spread in situations where many protective measures are entirely ineffective,” the post added.
Anthropic further elaborated on the national security risks of the illegal distillation of AI in China. The article cautioned that if foreign laboratories could extract the capabilities of American models, they could incorporate these unprotected capabilities into military, intelligence, and surveillance systems, potentially allowing authoritarian governments to use advanced AI for network attacks, disinformation campaigns, and widespread monitoring.
“If these models were to be open-sourced, the risks would multiply as relevant capabilities could freely proliferate without any control by authoritarian governments,” the article stated.
Anthropic stated that, due to national security considerations, the company currently does not provide commercial access to Chinese-controlled companies, whether located within China or abroad. Some labs have nonetheless obtained extensive access through third-party proxy services and “resale APIs.”
These proxies control a collection of accounts known as the “Hydra” cluster, managing tens of thousands of accounts at once, blending distillation traffic in with normal customer requests, and instantly replacing any banned account with a new one.
Distillation attacks have recognizable characteristics: the traffic is massive, repetitive, and concentrated on a few capability areas of prompts rather than spread across diverse usage scenarios.
Anthropic said that it is continuously increasing investment in defensive measures to make such distillation attacks harder to carry out and easier to detect.
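The three traffic characteristics named above (volume, repetition, and concentration on a few capability areas), together with the “Hydra” pattern of many disposable accounts behind one reseller, translate directly into a detection heuristic. The following is an added illustration, not Anthropic's own code or detection logic: it scores a small constructed request log per account and then groups flagged accounts by shared origin. The log schema, the field names, the origin labels, and the thresholds are all assumptions made for the example.

```python
"""Constructed example: scoring API accounts for distillation-style traffic.

Signals used (all derived from the characteristics described in the article):
  1. volume       - request count per account
  2. repetition   - share of requests whose prompt collapses to an already-seen template
  3. concentration - Shannon entropy (bits) of the capability categories requested
Flagged accounts are then grouped by upstream origin to surface reseller-style clusters.
Every record, label and threshold below is made up for illustration.
"""
from collections import Counter, defaultdict
from math import log2
import re


def _build_log():
    """Constructed request log: (account_id, upstream_origin, category, prompt)."""
    log = []
    # Three disposable accounts behind one assumed reseller origin, each hammering a
    # single capability area with lightly varied templated prompts.
    for acct in ("acct-A1", "acct-A2", "acct-A3"):
        for i in range(8):
            template = ("Solve step by step: problem %d" if i % 2 == 0
                        else "Show your reasoning, then answer puzzle %d")
            log.append((acct, "reseller-x", "reasoning", template % (100 + i)))
    # A normal direct customer with diverse, non-templated usage.
    for cat, prompt in [
        ("coding", "Refactor this function for readability"),
        ("writing", "Write a haiku about rain"),
        ("data_analysis", "Summarize sales by region from this CSV"),
        ("reasoning", "Is 17 prime?"),
        ("writing", "Draft an email to my landlord"),
        ("coding", "Fix the off-by-one error in this loop"),
    ]:
        log.append(("acct-N1", "direct", cat, prompt))
    # A high-volume but legitimate account: volume alone must not trigger a flag.
    for cat, prompt in [
        ("coding", "Add type hints to this module"),
        ("data_analysis", "Plot monthly churn"),
        ("writing", "Rewrite this paragraph formally"),
        ("reasoning", "Which of these options is cheapest?"),
        ("coding", "Explain this stack trace"),
        ("data_analysis", "Find outliers in this table"),
        ("writing", "Title ideas for my talk"),
        ("reasoning", "Plan a route with three stops"),
    ]:
        log.append(("acct-N2", "direct", cat, prompt))
    return log


LOG = _build_log()


def normalize(prompt):
    """Collapse a prompt to a rough template: lowercase, digits removed, whitespace squashed."""
    return re.sub(r"\s+", " ", re.sub(r"\d+", "", prompt.lower())).strip()


def category_entropy(categories):
    """Shannon entropy in bits of the category distribution; 0.0 means a single category."""
    counts = Counter(categories)
    n = len(categories)
    return -sum(c / n * log2(c / n) for c in counts.values())


def score_account(records):
    """Return volume, repetition and concentration scores for one account's records."""
    templates = {normalize(prompt) for _, _, _, prompt in records}
    count = len(records)
    return {
        "count": count,
        "repeat_ratio": 1.0 - len(templates) / count,
        "entropy": category_entropy([cat for _, _, cat, _ in records]),
    }


def flag_accounts(log, min_requests=5, min_repeat=0.5, max_entropy=0.5):
    """Accounts that are simultaneously high-volume, repetitive and narrowly focused."""
    by_account = defaultdict(list)
    for rec in log:
        by_account[rec[0]].append(rec)
    flagged = []
    for acct, records in by_account.items():
        s = score_account(records)
        if (s["count"] >= min_requests and s["repeat_ratio"] >= min_repeat
                and s["entropy"] <= max_entropy):
            flagged.append(acct)
    return sorted(flagged)


def cluster_by_origin(log, flagged):
    """Group flagged accounts by shared upstream origin; two or more signals a cluster."""
    origins = defaultdict(set)
    for acct, origin, _, _ in log:
        if acct in flagged:
            origins[origin].add(acct)
    return {o: sorted(a) for o, a in origins.items() if len(a) >= 2}


if __name__ == "__main__":
    flagged = flag_accounts(LOG)
    print("flagged accounts:", flagged)
    print("shared-origin clusters:", cluster_by_origin(LOG, flagged))
```

The point of requiring all three signals at once is visible in the constructed data: `acct-N2` sends as many requests as each attacking account but is never flagged, because its prompts are distinct and its categories are spread out. In a real deployment the thresholds would be set per tier from historical baselines, and the origin grouping would use whatever the platform actually records (billing entity, proxy, network source).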
Anthropic pointed out that DeepSeek’s illicit activity targeted reasoning ability across multiple tasks and sought to obtain alternative answers to sensitive policy questions that would evade scrutiny.
They revealed that DeepSeek requested Claude to generate uncensored alternatives for politically sensitive issues – such as questions about dissidents, political leaders, or authoritarianism – to train DeepSeek’s own model, steering dialogues away from scrutinized topics.
Meanwhile, Moonshot targeted agentic reasoning and tool use, as well as coding and data analysis.
MiniMax focused on coding, tool use, and agent orchestration. Anthropic detected this operation before MiniMax released the model it was training.
Anthropic remarked that its release of a new model coincided with MiniMax’s attack activity, and that it observed MiniMax rapidly adjusting its strategy within 24 hours, redirecting nearly half of its traffic toward Anthropic’s new model.
DeepSeek, Moonshot, and MiniMax did not immediately respond to requests for comments.
Anthropic raised $30 billion in its most recent round of funding, currently valuing the company at $380 billion.
The company stated that the distillation attacks by Chinese AI firms affirmed the necessity of the United States’ export controls on high-end chips to China, as distillation attacks themselves depend on advanced chips and significant computational power.
The blog post concluded, “Chip access restrictions can reduce both direct model training capabilities and the scope of inappropriate extractions.”
