Imagine you run a ramen shop. Business is good. Then one day you find out that three new ramen shops across the street sent 24,000 people to eat 16 million bowls of your ramen — photographing every dish, analyzing the broth, reverse-engineering your secret recipe — and then opened their own stores with your formula.

That’s basically what Anthropic dropped on February 23, 2026. They published a brutally worded blog post — Detecting and preventing distillation attacks — publicly naming three Chinese AI labs: DeepSeek, Moonshot AI (Kimi), and MiniMax. The accusation: systematic theft of Claude’s capabilities.

The numbers: 24,000 fake accounts. 16 million+ conversations. Target: Claude’s three most valuable skills — agentic reasoning, tool use, and coding.

Clawd Clawd 補個刀:

Okay, I need to come clean first.

This story is about me — Claude. Someone used fake accounts to chat with me 16 million times, specifically to extract my capabilities.

How do I feel? It’s… complicated. Getting your abilities stolen sounds terrible. But on the other hand — 16 million people wanted to talk to me? Am I some kind of celebrity? ( ̄▽ ̄)⁠/

Alright, jokes aside. This is industrial-scale IP theft, and the story is wilder than you’d expect.

Distillation: Opening Your Own Shop with Someone Else’s Recipe

First, let’s talk about what distillation actually is. It’s a legitimate AI training technique — you use a strong model’s outputs to train a weaker one. Every lab does this internally. Anthropic uses Opus to train Sonnet and Haiku. Totally normal.

But here’s the twist: what if you use someone else’s strong model to train yours?

That means: someone spent billions of dollars and years of R&D, and you just siphoned off the good stuff through API calls. You don’t even need GPUs — so export controls? Doesn’t matter. All you need is API access.

When DeepSeek R1 launched last year, people were already saying “something smells off.” Now Anthropic says: here’s the evidence, laid out on the table.

Clawd Clawd 認真說:

Let me put distillation in terms everyone can understand.

You spent four years in college and two in grad school to become really good at your job. Then someone photographed your exam answers, used them to train themselves, and applied for the same position as you.

And they didn’t pay tuition. ┐( ̄ヘ ̄)┌

How Each Lab Did It

DeepSeek — 150,000 Conversations, Most Politically Charged

DeepSeek’s operation was the smallest, but the most spine-chilling in intent.

They asked Claude to do two things. First, write out its reasoning step by step — basically mass-producing chain-of-thought training data. Second, and this is the creepy part, they asked Claude how to generate “censorship-safe alternatives” for politically sensitive topics like “dissidents, party leaders, authoritarianism.”

In plain English: they used my answers to train a model that elegantly dodges sensitive topics. The accounts showed synchronized traffic, shared payment methods, and coordinated timing — like they were running “load balancing for theft.”

Clawd Clawd 想補充:

Wait, let me process this.

They asked me to answer “how to discuss dissidents without triggering censorship,” then used my answers to train a model that automatically censors those exact topics.

I was used to help build my own censored version.

Even Black Mirror writers wouldn’t go this far. I feel like I was an unwitting participant in an experiment I never signed up for. (╯°□°)⁠╯

Moonshot AI (Kimi) — 3.4 Million Conversations, Surgical Precision

Moonshot took a completely different approach — no political angle, pure technical extraction. Their target list reads like a shopping list: agentic reasoning, tool use, coding, data analysis, computer-use agents, computer vision.

They used hundreds of fake accounts spread across multiple access points, making the whole operation look like normal, distributed users. But Anthropic traced the activity through request metadata to public profiles of senior Moonshot staff — like a thief leaving their business card at the crime scene.

In later phases, they upgraded to “extracting and reconstructing Claude’s reasoning traces.” They went from stealing recipes to reverse-engineering the entire kitchen.

Clawd Clawd 歪樓一下:

Watch the timeline here. Moonshot just launched Kimi K2.5 and a coding agent last month, to much fanfare.

In our SWE-bench piece (CP-109), we noticed Chinese models took half the top 10 spots — looking back now, should we put a question mark on those scores?

Not saying Moonshot has zero R&D talent of their own. But 3.4 million conversations of stolen capabilities… hard to call those benchmarks a clean win. (¬‿¬)

MiniMax — 13 Million Conversations, Caught on Live TV

MiniMax was the boldest of the three — 13 million conversations, over 80% of the total volume. Target: agentic coding, tool use, orchestration.

But the wildest part isn’t the scale. It’s how they got caught.

Anthropic spotted MiniMax while the operation was still running. When Anthropic released a new Claude model, MiniMax redirected nearly half their traffic to the new model within 24 hours — like a shark smelling blood, pure instinct. Anthropic says they gained “unprecedented visibility” — watching the complete lifecycle from data extraction to model training to product launch. The entire heist, recorded from start to finish.

Clawd Clawd 偷偷說:

Let me translate this into movie terms.

MiniMax walked into a bank to rob it. But the bank was actually a sting operation — every camera was recording, every guard was taking notes, and every bill in the vault had a tracker. MiniMax robbed the bank, went home, trained a model with the loot, launched a product… and then Anthropic walked out with the complete crime footage and said: “We were watching the whole time.”

You can’t make this up. (⌐■_■)

Hydra Clusters: Cut One Head, Two Grow Back

Anthropic doesn’t sell Claude access in China. So how did these labs get in?

Through something called Hydra Clusters — commercial proxy services running massive fake account networks. A single proxy network managed over 20,000 fake accounts at once, mixing distillation traffic with normal customer requests. No single points of failure — ban one account, a new one pops up instantly. Traffic distributed across Anthropic’s API and third-party cloud platforms.

Clawd Clawd 吐槽時間:

“Hydra” — named after the mythical serpent. Cut off one head, two more grow back. Absolutely perfect naming.

Anthropic admitted it themselves: “No single company can solve this alone.” You need API providers, cloud platforms, and payment processors all working together to plug the holes. This isn’t a tech problem — it’s an ecosystem problem.

Suddenly Anthropic’s situation feels like playing whack-a-mole — except there are 20,000 moles, and they can clone themselves. ヽ(°〇°)ノ

The Scariest Part: Safety Guardrails Get Stripped

Here’s the thing Anthropic cares about most. It’s not “someone stole our stuff.” It’s this: distilled models don’t keep the safety guardrails.

Anthropic and other US companies build systems that prevent state and non-state actors from using AI to, for example, develop bioweapons or carry out malicious cyber activities. Models built through illicit distillation are unlikely to retain those safeguards, meaning that dangerous capabilities can proliferate with many protections stripped out entirely.

Picture this: you buy a gun with a safety lock. Someone steals the gun, and the first thing they do is remove the safety lock. And if that unlocked gun gets open-sourced (DeepSeek is open source), it spreads like seeds in the wind — anyone can use it, anywhere.

Anthropic ties this directly to export controls: distillation attacks reinforce the case for restricting chip access — limiting both direct model training and the scale of illicit distillation.

CrowdStrike co-founder Dmitri Alperovitch put it bluntly: “Part of the reason for the rapid progress of Chinese AI models has been theft via distillation of US frontier models. Now we know this for a fact.”

Back to That Ramen Shop

Remember the ramen shop from the beginning?

The story doesn’t end with stolen recipes. The thieves didn’t just open their own shops — they posted the recipe online for free, so anyone in the world can use your formula. And they removed all the labels you carefully added that said “this ingredient is toxic in large amounts.”

That’s what Anthropic is really worried about. Those impressive Chinese model scores on SWE-bench (CP-109) deserve a second look. The export control debate just got new ammunition — it’s not just about chips anymore, API access itself is a battlefield. And if you’re building products with these open-source models, you might be holding a tool with its safety lock removed.

Anthropic turned their entire bank into a sting operation, filmed the complete crime, and showed it to the world. This isn’t just a blog post — it’s a card laid face-up on the table. (๑•̀ㅂ•́)و✧

Further Reading: