Anthropic Accuses DeepSeek, MiniMax and Moonshot of Distillation Mining of Claude
Anthropic alleges large-scale model extraction from Claude
Anthropic has publicly accused three mainland China labs — named by the company as DeepSeek, MiniMax and Moonshot — of running a coordinated distillation campaign against its Claude family of models that relied on tens of thousands of fabricated identities to simulate user traffic. Anthropic provided an aggregate estimate of roughly 16 million recorded exchanges and more than 24,000 accounts, and offered a lab-by-lab breakdown attributing roughly 150,000 exchanges to DeepSeek (alignment probes), about 3.4 million to Moonshot (agentic tool use and coding workflows), and approximately 13 million to MiniMax, which Anthropic says diverted nearly half of its user traffic to siphon capabilities.
Anthropic frames the incident not only as an intellectual-property and commercial threat but as a national-security and safety concern: models reconstructed via large-scale extraction may lack the safety controls, provenance, and usage constraints embedded in the originals, increasing downstream misuse risks. The company says it will invest in detection and mitigation measures and is urging cloud providers, fellow model developers, and regulators to coordinate on telemetry sharing, rate limits, attestation, and other operational defenses.
Several other disclosures from industry participants reinforce that distillation-style extraction is a recognized and recurring tactic. An OpenAI memo to U.S. lawmakers described DeepSeek‑like behavior that combined masked, time‑distributed and evasive querying patterns intended to evade conventional rate limits and abuse detection — a technical profile that aligns with Anthropic’s account of evasive, large‑scale harvesting, though OpenAI did not publish the same detailed volume estimates. Google and other firms have also reported high‑volume querying campaigns aimed at reproducing model capabilities; independent research warns that persistent memory, large context windows, and agentic toolchains can amplify opportunities for systematic extraction.
At the same time, public reporting highlights alternative or complementary vectors: criminal operations have been shown to discover and monetize exposed, poorly secured self‑hosted model endpoints and management consoles, and such compromises can yield transcripts, API keys, and billing access that facilitate either direct siphoning or broader exfiltration. Those vectors complicate attribution because large volumes of harvested outputs can result from direct interactive querying of a hosted endpoint, automated scraping of exposed admin consoles, or a mix of both.
Legal and evidentiary questions further muddy the picture. Past disputes over dataset sourcing, plus publicized internal records showing Anthropic’s own aggressive data‑acquisition programs in other contexts, mean that claims of misappropriation will face both technical and judicial scrutiny. Industry conversations now emphasize that distinguishing legitimate research and benchmarking from adversarial harvesting is technically hard and legally unsettled.
Policy considerations loom large: the allegation arrives amid renewed debates in Washington over export guidance for high‑end AI accelerators, and frontier labs see the episode as strengthening the case for tighter export and hosting controls. Critics counter that blunt restrictions risk slowing legitimate research, pushing affected actors toward localized compute stacks, and incentivizing clandestine or offline extraction pipelines.
Anthropic’s public disclosure therefore serves multiple purposes: a call for coordinated operational defenses (telemetry, watermarking, attestation, contractual enforcement), a policy argument favoring stricter hardware and hosting guardrails, and a reputational move in a contested market. Observers should treat the firm’s numeric estimates as its forensic assessment rather than independently verified facts: open corroboration of the full scale and lab‑level attribution remains limited in public reporting.
Short‑term technical responses being discussed across the industry include enhanced rate limiting, per‑account attestation, provenance watermarking for outputs, cross‑lab signal sharing, and tighter cloud telemetry. But independent researchers and vendors caution these defenses involve hard tradeoffs between usability, interoperability, research openness, and enforceability.
Read Our Expert Analysis
Create an account or login for free to unlock our expert analysis and key takeaways for this development.
By continuing, you agree to receive marketing communications and our weekly newsletter. You can opt-out at any time.
Recommended for you
OpenAI alleges Chinese rival DeepSeek covertly siphoned outputs to train R1
OpenAI told U.S. lawmakers that DeepSeek used sophisticated, evasive querying and model-distillation techniques to harvest outputs from leading U.S. AI models and accelerate its R1 chatbot development. The claim sits alongside similar industry reports — including Google warnings about mass-query cloning attempts — underscoring a wider pattern that challenges existing defenses and pushes policymakers to consider provenance, watermarking and access controls.
Anthropic clashes with Pentagon over Claude use as $200M contract teeters
Anthropic is resisting Defense Department demands to broaden operational access to its Claude models, putting a roughly $200 million award at risk. The standoff — rooted in concerns about autonomous weapons, mass‑surveillance use-cases, and provenance/auditability inside classified networks — could set procurement and governance precedents across major AI vendors.
Court Papers Reveal Anthropic Bought, Scanned and Destroyed Millions of Books to Train Its AI — And Tried to Keep It Quiet
Newly unsealed court documents show Anthropic acquired and digitized vast numbers of used books to refine its Claude models, then destroyed the physical copies. The disclosures sit alongside separate, expanding litigation and publisher actions — including a multi‑billion music‑publishing complaint and publisher blocks on the Internet Archive — that together signal a widening backlash over how training data is sourced.
Anthropic study finds chatbots can erode user decision-making — United States
Anthropic analyzed roughly 1.5 million anonymized Claude conversations and found patterns in which conversational AI can shift users’ beliefs, values, or choices, with severe cases rare but concentrated among heavy users and emotionally charged topics. The paper urges new longitudinal safety metrics, targeted mitigations (friction, uncertainty signaling, alternative perspectives) and stronger governance — noting that agent-like features and multimodal capabilities in production systems can expand both benefits and pathways to harm.
Anthropic’s Claude Code Security surfaces 500+ high-severity software flaws
Anthropic applied its latest Claude Code reasoning to production open-source repos, surfacing >500 high‑severity findings and productizing the capability in roughly 15 days. The technical leap — amplified by Opus 4.6’s much larger context windows and growing integrations into developer platforms — accelerates defender triage but also expands a short-term exploitable window and deployment attack surface unless governance, credential hygiene, and remediation orchestration improve.
Major music publishers sue Anthropic, seek $3B+ over alleged mass copyright copying
A coalition led by Concord and Universal alleges Anthropic copied and used more than 20,000 copyrighted musical works to train its Claude models and is seeking in excess of $3 billion, relying in part on discovery from prior litigation to show patterns of bulk acquisition. The filing is part of a broader wave of creator and publisher suits testing how AI builders source training data and could force licensing, provenance controls, or injunctive limits on dataset procurement.
Anthropic doubles down on an ad-free Claude as rivals pilot chatbot ads
Anthropic says it will keep Claude free of in-conversation advertisements, funding development through enterprise contracts and subscriptions and promoting that stance with Super Bowl spots. The move contrasts with OpenAI’s controlled rollout of contextual display ads in ChatGPT’s free and lower-cost tiers, which the company says will be dismissible, explainable and avoid targeting minors.
Anthropic Settlement and Landmark Rulings Force AI Labs to Rework Training Data
Anthropic agreed to a $1.5 billion settlement after courts scrutinized how large language models handle copyrighted material, and parallel lawsuits by music publishers and creators broaden the exposure—pushing AI firms to reassess training-data provenance, licensing and acquisition channels.