Anthropic says it caught what it calls industrial-scale “distillation attacks” on Claude. The company alleges that DeepSeek, Moonshot AI, and MiniMax used about 24,000 fake accounts and ran over 16 million Claude exchanges to pull high-value outputs for training and improvement of their own models. Anthropic shared the claim publicly on X and expanded it in a detailed technical post on its site.
What Anthropic says happened
Anthropic says the three labs ran coordinated campaigns that focused on Claude’s strengths, including coding, tool use, and “agentic” work that chains steps together. Anthropic says the traffic patterns did not look like normal customer use. It says the actors used repeated prompt structures designed to harvest training-grade outputs at scale.
Anthropic also says the activity broke its terms and its regional access rules. Anthropic says it does not offer commercial Claude access in China, so it frames the access path as deliberate evasion rather than ordinary competitive benchmarking.
What distillation means in plain terms
Distillation trains a smaller or less capable model using outputs from a stronger model. The industry uses the method openly inside companies to ship cheaper, faster versions of their own systems. Anthropic acknowledges that reality, but it draws a line between internal distillation and competitor-run harvesting through fraud and proxy access.
This debate keeps resurfacing because modern AI training already sits in a legal and ethical grey zone. Many AI companies argue that large-scale training on public data counts as acceptable use, yet they also treat model outputs and product behaviour as proprietary assets when rivals try to copy them. Mashable captured that tension directly in its reporting on Anthropic’s accusation.
The numbers that make this claim stand out
Anthropic says DeepSeek ran over 150,000 exchanges, Moonshot AI ran over 3.4 million exchanges, and MiniMax ran over 13 million exchanges. Those figures add up to the “over 16 million” total that Anthropic highlighted in its public statements.
CNBC reported the same estimates and noted that the accused companies had not responded to requests for comment at the time of publication. That detail matters because the public still lacks the other side’s explanation for the traffic patterns Anthropic describes.
Why Anthropic frames this as a security issue, not only an IP fight
Anthropic argues that illicit distillation strips out safety controls. It says a copied model will not reliably preserve safeguards that help with bioweapons, offensive cyber abuse, or large-scale surveillance. It also argues that open-sourcing such models multiplies risk because the capabilities spread faster than any single policy regime can control.
Anthropic also connects distillation to export controls on advanced AI chips. It says distillation attacks can undermine the intent of chip restrictions by letting foreign labs narrow the gap using extracted capabilities instead of only relying on domestic training. Anthropic says large-scale distillation still needs serious compute, so it uses that logic to reinforce tighter chip control arguments.
What Elon Musk criticized and what the record shows
Elon Musk criticized Anthropic’s stance after the accusation spread. Musk said Anthropic “is guilty of stealing training data” and alleging the company paid “multi-billion dollar settlements” for theft, which he framed as a fact. Musk also attached screenshots of X Community Notes to support his point.
Other outlets carried similar summaries of Musk’s response. Financial Express described the same thrust of his criticism and the online backlash that followed, which focused on the broader contradiction in AI. Many critics argue that large model makers used vast amounts of internet data to train systems, then object when rivals learn from their model outputs through public access.
Two facts can coexist here. First, distillation through fake accounts and regional evasion breaks a company’s rules if the evidence checks out. Second, the industry still has not resolved the core conflict over training data rights, especially as lawsuits and licensing fights keep piling up across AI. GovInfoSecurity highlighted this irony and pointed to ongoing legal scrutiny around AI training practices, including lawsuits that name Anthropic.
The brighter path for Anthropic and the wider AI industry
Anthropic points to a practical path that reduces copy attempts without breaking normal developer use. It starts with better detection that spots mass, coordinated querying that follows the same patterns across thousands of accounts. Anthropic says it built classifiers and behavioural fingerprints to flag that traffic, including prompts that try to pull step-by-step reasoning traces at scale.
Next, Anthropic puts more weight on who gets access and how they prove it. The company says attackers often abused specific sign-up routes, so it tightened verification for education, security research, and startup pathways. That approach aims to keep Claude open for legitimate work while making fake account factories expensive and slow to run.
Anthropic also highlights a bigger fix that helps everyone, not just one company. It says it shares technical indicators with other AI labs, cloud providers, and authorities. That sharing matters because the same proxy networks can move between platforms fast. Anthropic describes proxy services that resell access and run large networks of accounts, including one network that managed more than 20,000 accounts at once. Industry sharing helps providers block the network earlier, not after it floods an API.
Finally, Anthropic sets an expectation that this problem needs clear rules and real enforcement. The company says no single lab can solve it alone, so it calls for coordinated action across industry and government. That message carries a positive outcome if it sticks, because it pushes AI companies to treat model access like a security surface, not only a product feature. The policy debate now sits next to business incentives, so clearer standards and shared enforcement will matter even more.
What to watch next
If DeepSeek, Moonshot AI, or MiniMax respond in detail, they will shape the next phase of the story. A denial without technical substance will not slow the policy push. A documented rebuttal that explains alternative reasons for the traffic patterns will force a harder conversation about what counts as acceptable model evaluation at scale.













