
Why is Anthropic accusing Chinese AI labs of distillation attacks?

Kartavya Desk Staff

Training a frontier AI model requires billions of dollars in compute and massive, curated datasets. But a parasitic economy has emerged in the industry's underbelly, allowing competitors to bypass these costs through a technique known as "distillation." This week, that conflict burst into the open after Anthropic, the maker of the Claude chatbot, accused China's DeepSeek and two other AI labs in the country, Moonshot and MiniMax, of launching industrial-scale campaigns to siphon the intelligence of its flagship model.

While distillation is not technically an illegitimate way to train a model, a competitor can reasonably see it as IP theft. The method, which DeepSeek used last year to train its V1 model, lets a developer build a capable model without paying to train one from scratch. An operator queries a superior model, called the 'teacher', millions of times and feeds the resulting high-quality answers into a smaller, cheaper 'student' model. The student eventually starts mimicking the teacher's reasoning without the operator ever paying the initial training costs.

According to Anthropic, the three labs generated over 16 million exchanges with Claude, using a sprawling infrastructure of 24,000 fraudulent accounts to harvest its advanced coding and reasoning capabilities. This represents a catastrophic leak of proprietary value. To prevent this, companies impose strict rate limits and blocking tools. But these defences have limited utility: Anthropic claims the Chinese AI labs used commercial proxy service firms to distill Claude's capabilities.

#### 'Hydra clusters' and commercial proxy services

To extract knowledge from a frontier model effectively, an attacker needs volume. But millions of queries from a single source will instantly trigger an anomaly alert, cutting off access to the model. Anthropic claims the AI labs used 'hydra clusters': massive networks of accounts routed through commercial proxy services.
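The teacher-student harvesting loop described above can be sketched in a few lines. Everything here is a hypothetical illustration, not any lab's real pipeline: the stub endpoint, the canned answers, and the function names are all invented for the example, and a real attack would involve millions of paid API calls rather than a local function.

```python
# Toy sketch of a distillation harvesting loop (all names hypothetical).

def query_teacher(prompt: str) -> str:
    """Stub standing in for a frontier ('teacher') model's API endpoint."""
    canned = {
        "Explain recursion": "A function that calls itself on smaller inputs.",
        "What is an API?": "An interface that lets programs talk to each other.",
    }
    return canned.get(prompt, "unknown")

def harvest_training_pairs(prompts):
    """Query the teacher and record (prompt, answer) pairs.

    The resulting dataset is what a smaller, cheaper 'student' model
    would later be fine-tuned on, so it mimics the teacher's reasoning.
    """
    return [(p, query_teacher(p)) for p in prompts]

dataset = harvest_training_pairs(["Explain recursion", "What is an API?"])
print(len(dataset))  # prints 2: one training example per teacher query
```

The economics follow directly from this loop: the operator pays only per-query API costs, while the teacher's owner bore the full pre-training bill.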
These services make traffic appear as if it is coming from millions of distinct, legitimate devices scattered across the globe. While proxy firms often market themselves as legitimate tools for ad verification and SEO monitoring, their networks are frequently built on compromised hardware. For an AI firm illicitly distilling student models, this infrastructure provides the ultimate camouflage. By rotating API requests across the network, an attacker can make a million extraction attempts look like one query each from a million distinct households. To an AI company's standard defence systems, which rely on reputation scores tied to IP addresses, this traffic appears entirely organic because it mimics the chaotic, distributed nature of genuine human usage.

These proxy services have lowered the technical bar for distillation attacks, enabling competing AI labs to achieve near state-of-the-art performance at a fraction of the cost. Anthropic's accusations against DeepSeek, Moonshot, and MiniMax suggest that this strategy has been institutionalised within parts of the Chinese tech sector, leveraging Western innovation to circumvent U.S. export controls on advanced semiconductors.

#### New ways to detect attacks

As detailed in Anthropic's update, the company is moving away from network-level defences toward behavioural analysis. Its defence team has developed a method to detect distillation not by looking at who is asking, but by analysing what is being asked. To train a competent student model, an AI lab cannot ask random questions; the queries must cover a specific, mathematically diverse range of topics to capture the full breadth of the teacher's capabilities. This necessity creates a unique statistical signature. Anthropic's new detection technique measures the conditional probability of incoming prompts, essentially identifying when a stream of queries is too mathematically perfect to be human.
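Anthropic has not published its detection method, but the general idea of flagging query streams that cover topics "too evenly" can be illustrated with a toy entropy check. The topic labels, the threshold, and the heuristic itself are illustrative assumptions for this sketch, not Anthropic's actual technique.

```python
# Toy behavioural detector: flag query streams whose topic coverage is
# suspiciously uniform. Illustrative only; not Anthropic's real method.
import math
from collections import Counter

def coverage_entropy(topic_labels):
    """Shannon entropy (in bits) of the topic distribution in a query stream."""
    counts = Counter(topic_labels)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def looks_like_distillation(topic_labels, n_topics, threshold=0.95):
    """Flag streams whose entropy sits near the theoretical maximum
    (log2 of the topic count), i.e. coverage that is 'too mathematically
    perfect to be human'."""
    max_entropy = math.log2(n_topics)
    return coverage_entropy(topic_labels) >= threshold * max_entropy

# A human dwells on a few topics; a distiller sweeps all of them evenly.
human = ["python"] * 8 + ["cooking"] * 2
scraper = ["python", "cooking", "law", "biology", "finance"] * 2
print(looks_like_distillation(human, n_topics=5))    # False
print(looks_like_distillation(scraper, n_topics=5))  # True
```

Note the asymmetry this exploits: a distiller that dodges the check must deliberately skew its queries toward a few topics, which degrades exactly the breadth of coverage the student model needs.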
While a human user's interactions are erratic and topical, a distiller's queries follow a distinctive pattern designed to maximise information gain per token. This pivot marks a significant upgrade in the defence against IP theft, and it suggests that the usefulness of commercial proxy networks in AI distillation may be nearing a plateau: if detection happens at the semantic level, by analysing text and intent rather than the connection source, then masking the IP address becomes irrelevant.

Nevertheless, the market for commercial proxies remains robust. As AI labs deploy these statistical defences, distillers will likely respond by introducing noise into their data collection, deliberately making their queries less efficient in order to mimic human randomness. The proxy firms, sitting in the middle of this flow, continue to profit from the demand for anonymity. For the AI industry, the challenge has evolved from a game of whack-a-mole with IP addresses to a deeper forensic analysis of intent.

Published - February 25, 2026 08:28 am IST

AI-assisted content, editorially reviewed by Kartavya Desk Staff.
