Anthropic: DeepSeek, Moonshot, and MiniMax Ran Industrial-Scale Claude Distillation
On February 23, 2026, Anthropic published “Detecting and preventing distillation attacks,” alleging three Chinese AI labs—DeepSeek, Moonshot, and MiniMax—used roughly 24,000 fraudulent accounts to generate more than 16 million Claude exchanges for illicit capability extraction. The company framed the campaigns as ToS and regional-access violations and detailed detection and defense investments against industrial-scale distillation.
TLDR
Anthropic on February 23, 2026 said it identified industrial-scale distillation campaigns by DeepSeek, Moonshot, and MiniMax aimed at extracting Claude capabilities. Operators allegedly used about 24,000 fraudulent accounts and generated over 16 million exchanges, in violation of terms of service and regional access rules. The disclosure is the most granular public lab report of concurrent multi-lab extraction against a single U.S. frontier stack that month—following OpenAI’s Feb 12 congressional memo on DeepSeek.
What Anthropic disclosed
From the primary Anthropic news post and same-day NYT coverage:
- Named labs: DeepSeek, Moonshot, and MiniMax—three prominent Chinese AI startups.
- Method: Distillation—training less capable models on outputs of a stronger model (Claude) at industrial query scale.
- Scale: ~24,000 fraudulent accounts; >16 million exchanges combined.
- Violations claimed: Terms of service forbidding surreptitious harvesting for distillation; China regional access restrictions (Claude not authorized for use in China under Anthropic’s rules).
- Risk framing: Distillation can strip or bypass safety guardrails intended to block misuse (e.g., weapons, mass surveillance), creating national-security concern beyond pure IP theft.
- Defenses: Continued investment in detection and prevention so distillation is harder to run and easier to spot (behavioral fingerprinting, account integrity, monitoring).
NYT reported Anthropic’s blog as the source of the account and volume figures and noted distillation is common in AI research but prohibited under Anthropic’s commercial terms when done covertly and at this scale.
Sequence in the February distillation wave
| Date | Actor | Signal |
|---|---|---|
| Feb 12 | OpenAI | Memo to House China committee on DeepSeek distillation tactics |
| Feb 12 | Google Threat Intelligence (cited) | Distillation / adversarial AI tracker notes |
| Feb 23 | Anthropic | Named three labs; 24k accounts; 16M+ exchanges |
Why this story matters
Frontier labs spent billions on training and safety; distillation turns that investment into a query budget problem. Naming three competitors with concrete operational metrics forces cloud providers, policymakers, and enterprise customers to treat model-output abuse as strategic security, not only spam moderation—foreshadowing later 2026 export-control and NSTM-style policy responses.
Sources
- Anthropic: “Detecting and preventing distillation attacks” (anthropic.com/news/detecting-and-preventing-distillation-attacks, February 23, 2026). Primary.
- The New York Times: Anthropic accuses three Chinese companies of harvesting Claude data (February 23, 2026).
- Prior context: OpenAI House committee memo (February 12, 2026).
Featured Image Alt Text
Claude logo with blocked fraudulent account network and distillation arrows labeled DeepSeek, Moonshot, MiniMax.
Tags
Anthropic, Distillation, DeepSeek, Moonshot, MiniMax, Claude, Security, China