The Largest AI Heist in History: How China's Top Labs Got Caught Stealing Claude at Industrial Scale
This isn't speculation. This isn't rumor. This is Anthropic—the company that builds Claude—publicly naming three Chinese AI labs and presenting evidence that they ran coordinated, industrial-scale campaigns to steal its model's capabilities.
DeepSeek. Moonshot AI. MiniMax. Three of China's leading AI companies. Over 24,000 fraudulent accounts. More than 16 million exchanges with Claude. All designed to extract reasoning, coding, and agentic capabilities through a technique called "distillation"—then strip out safety guardrails and deploy those capabilities in Chinese models.
Anthropic traced the accounts directly to senior researchers at each lab using IP correlations, request metadata, and infrastructure fingerprinting. They have receipts. And what those receipts reveal is the most sophisticated AI espionage operation ever documented.
This isn't just corporate IP theft. This is national security territory.
The Numbers That Tell the Story
Let's be clear about scale:
DeepSeek: ~150,000 exchanges focused on generating censorship-safe responses about dissidents, party leaders, and authoritarianism. Anthropic watched them prompt Claude to explain its internal reasoning step-by-step, effectively harvesting chain-of-thought training data at massive scale.
Moonshot AI: Over 3.4 million exchanges targeting agentic reasoning, tool use, coding, data analysis, computer vision, and computer-use agent development. The company behind the Kimi models ran hundreds of fraudulent accounts across multiple access pathways to avoid detection. Anthropic traced it back to senior Moonshot staff through request metadata matching their public profiles.
MiniMax: More than 13 million exchanges—the largest operation by far—focused on agentic coding and tool use. Here's where it gets wild: Anthropic detected this campaign while it was still active. When Anthropic released a new model during MiniMax's operation, the lab pivoted within 24 hours, redirecting nearly half their traffic to extract capabilities from the latest system.
That's not passive data collection. That's active, adaptive industrial espionage.
What Distillation Actually Means (And Why It's Devastating)
Distillation is a legitimate AI training technique. Frontier labs use it all the time to create smaller, cheaper versions of their own models. You take a big, expensive model and train a smaller one on its outputs, capturing much of the capability at a fraction of the cost.
But when competitors use it without authorization, it becomes theft at scale.
Here's why it's so effective: Building a frontier AI model from scratch costs hundreds of millions of dollars and requires years of research, massive compute infrastructure, and sophisticated reinforcement learning. Distillation lets you skip all of that. You just query someone else's model millions of times with carefully crafted prompts designed to extract specific capabilities, then train your own model on those responses.
The result? You acquire capabilities that took competitors years to develop, in a fraction of the time, at a fraction of the cost, without any of the safety work.
And that last part—the safety work—is where this becomes a national security problem.
The Censorship Layer: What DeepSeek Was Really After
DeepSeek's operation was particularly revealing. Among its 150,000 exchanges, Anthropic observed prompts designed to generate "censorship-safe alternatives to politically sensitive queries"—questions about dissidents, party leaders, authoritarianism.
Translation: DeepSeek was teaching its models how to sound helpful while steering conversations away from topics the Chinese Communist Party doesn't want discussed.
This isn't speculation. Anthropic documented the pattern. DeepSeek would prompt Claude with politically sensitive questions, get Claude's uncensored response, then use those responses to train its own models to navigate around those topics in ways that satisfy CCP requirements.
The result is AI that appears open and capable but has built-in ideological guardrails that users can't see and can't bypass.
That's not a bug. That's the feature.
The Safety Guardrails That Got Stripped
American AI labs spend enormous resources building safety systems into their models. These systems prevent the AI from helping someone:
* Design bioweapons
* Plan cyberattacks
* Create misinformation campaigns at scale
* Build surveillance infrastructure
* Generate content for extremist recruitment
These safeguards aren't perfect, but they exist. They're the result of red-teaming, adversarial testing, constitutional AI training, and extensive safety research.
When Chinese labs distill American models, those safeguards don't transfer. The resulting model has the capabilities without the protections.
Anthropic puts it bluntly: "Foreign labs that distill American models can then feed these unprotected capabilities into military, intelligence, and surveillance systems—enabling authoritarian governments to deploy frontier AI for offensive cyber operations, disinformation campaigns, and mass surveillance."
And because many Chinese models are open-sourced, those unprotected capabilities proliferate globally. Anyone can download them. Anyone can use them. No safety layers, no restrictions, no accountability.
The Hydra Networks: How They Circumvented Restrictions
Anthropic doesn't offer Claude access in China for security reasons. So how did Chinese labs generate 16 million exchanges?
Commercial proxy networks that resell Claude access at scale. Anthropic calls them "hydra cluster architectures"—sprawling networks of fraudulent accounts distributed across APIs and third-party cloud platforms.
One proxy managed over 20,000 fraudulent accounts simultaneously, mixing distillation traffic with legitimate requests to avoid detection. When one account got banned, another took its place instantly.
DeepSeek coordinated traffic with synchronized patterns, shared payment methods, and load-balancing that increased throughput while evading detection.
This wasn't amateurs. This was sophisticated, well-funded infrastructure built specifically for model theft.
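As an added illustration (not taken from Anthropic's disclosure or from this article's sources), the sketch below shows how a defender could group accounts into clusters using the two signals named above: shared payment methods and synchronized traffic. The record fields, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records: (account id, payment fingerprint,
# set of minute buckets in which the account sent requests).
ACCOUNTS = [
    ("acct-01", "pay-A", {0, 5, 10, 15, 20}),
    ("acct-02", "pay-A", {0, 5, 10, 15, 21}),
    ("acct-03", "pay-B", {0, 5, 10, 15, 20}),
    ("acct-04", "pay-B", {1, 5, 10, 15, 20}),
    ("acct-05", "pay-C", {3, 47, 112}),
    ("acct-06", "pay-D", {8, 90}),
]

def jaccard(a, b):
    """Overlap of two activity sets: 1.0 means identical timing."""
    return len(a & b) / len(a | b) if a | b else 0.0

def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def cluster_accounts(accounts, sync_threshold=0.6, min_size=3):
    """Link accounts that share a payment method or show synchronized
    activity, then return the linked groups of at least min_size."""
    parent = {acct: acct for acct, _, _ in accounts}

    def union(a, b):
        parent[find(parent, a)] = find(parent, b)

    # Signal 1: the same payment fingerprint on several accounts.
    by_payment = defaultdict(list)
    for acct, pay, _ in accounts:
        by_payment[pay].append(acct)
    for members in by_payment.values():
        for other in members[1:]:
            union(members[0], other)

    # Signal 2: near-identical request timing (pairwise comparison is
    # fine for a sample; bucket by time window before doing this at scale).
    for i, (a, _, ta) in enumerate(accounts):
        for b, _, tb in accounts[i + 1:]:
            if jaccard(ta, tb) >= sync_threshold:
                union(a, b)

    groups = defaultdict(set)
    for acct in parent:
        groups[find(parent, acct)].add(acct)
    flagged = [sorted(g) for g in groups.values() if len(g) >= min_size]
    return sorted(flagged, key=len, reverse=True)
```

Neither signal alone joins the four sample accounts: payment data yields two pairs, and it is the timing overlap between the pairs that merges them into one cluster, which is why banning accounts one at a time misses the structure.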
It's Not Just Anthropic
February 12: OpenAI sent a memo to Congress alleging DeepSeek systematically stole ChatGPT outputs using third-party routers and masking techniques.
Same day: Google warned of distillation attacks on Gemini using 100,000+ prompts to replicate reasoning abilities.
Three major labs. Same week. Same accusations. Same pattern.
These aren't isolated incidents. This is systematic industrial espionage across the American AI industry.
The Export Control Paradox
U.S. export controls focus on limiting China's access to advanced AI chips and preventing direct model weight transfers.
Distillation bypasses both entirely. You don't need cutting-edge chips—just API access via commercial proxies. You don't need model weights—just millions of input-output pairs.
Anthropic: "The seemingly rapid progress of Chinese laboratories is mistakenly cited as evidence that export controls are ineffective. In reality, this progress depends significantly on capabilities extracted from American models."
Chinese labs aren't independently developing frontier AI despite chip restrictions. They're stealing from American models trained with advanced chips, stripping safety features, then claiming they built it from scratch.
Anthropic's Response
Deployed measures include behavioral detection systems, intelligence sharing with other labs and authorities, enhanced account verification, and model-level countermeasures.
But Anthropic is explicit: "No single company can solve this alone." This requires coordinated industry-wide response.
The National Security Implications
Strip away the technical details and here's what this means:
China's top AI labs systematically stole capabilities from American frontier models. They stripped out safety guardrails designed to prevent bioweapon development, cyberattack planning, and mass surveillance. They deployed those capabilities in models, some of which (like DeepSeek's R1) are fully open-sourced and available to anyone globally.
Those models can now be fed into military systems, intelligence operations, and authoritarian surveillance infrastructure with none of the restrictions American labs painstakingly built in.
And because the theft happened through API access rather than chip smuggling or weight leaks, existing export controls didn't stop it.
Jacob Klein, Anthropic's head of threat intelligence, told Fox News: "What we can say with confidence is they distilled us at scale." The capability gains were "meaningful" and "substantial."
Translation: This worked. Chinese labs successfully extracted significant capabilities from Claude, integrated them into their own models, and deployed them—all while American policymakers focused on chip restrictions that didn't prevent any of it.
What Happens Next
This disclosure will almost certainly accelerate policy debates around:
API access controls: Should frontier AI models be available via public APIs at all, or should access require more stringent verification?
Distillation detection: Can technical measures make large-scale distillation prohibitively expensive or ineffective without breaking legitimate use cases?
Attribution and consequences: If you can prove which labs conducted these attacks, what are the actual consequences? So far: none.
International coordination: Can American, European, and allied AI labs coordinate on defensive measures while maintaining commercial competition?
The timing matters. This disclosure comes as the Trump administration just formally allowed U.S. companies like Nvidia to export advanced AI chips (like the H200) to China, loosening previous restrictions. Critics argued this increases China's AI compute capacity at a critical moment.
Anthropic's evidence suggests those critics may be right—but for different reasons. The issue isn't just what Chinese labs can build from scratch with those chips. It's what they can steal from American models, then scale with additional compute.
The Uncomfortable Reality
DeepSeek's R1 release in early 2025 was celebrated as proof that China could compete with American AI despite chip restrictions. The model nearly matched GPT-4 performance at a claimed fraction of the training cost.
Except now we know DeepSeek was simultaneously running industrial-scale distillation attacks on Claude, ChatGPT, and Gemini.
The "Chinese AI miracle" looks a lot less miraculous when you realize they had a shortcut: steal from American labs, strip the safety features, claim you built it from scratch, open-source it so the entire world can use unprotected capabilities.
Moonshot's Kimi K2.5 was released last month. MiniMax is preparing new releases. DeepSeek V4 is expected soon with claims it will outperform Claude and ChatGPT on coding.
How much of that progress is independent innovation, and how much is distilled from the very models they're claiming to beat?
We now have evidence it's at least partially the latter. The question is: what proportion?
The bottom line: The AI race isn't just about who trains the biggest models or builds the best chips. It's about who can protect their innovations from industrial-scale theft.
Right now, American labs are losing that race. They're building the capabilities. Chinese labs are stealing them, stripping the safety features, and deploying them globally.
Anthropic just proved it's happening at scale. The question is whether anyone will actually do something about it.
The window for action is closing. Every day these distillation networks remain operational, more capabilities transfer from protected American models to unprotected global deployments.
Anthropic caught them this time. But they're still out there. Still operating. Still stealing.
And the models they're building with stolen American capabilities are already shipping.



