Anthropic alleges large-scale model extraction from Claude

Anthropic has publicly accused three mainland China labs — named by the company as DeepSeek, MiniMax and Moonshot — of running a coordinated distillation campaign against its Claude family of models that relied on tens of thousands of fabricated identities to simulate user traffic. Anthropic provided an aggregate estimate of roughly 16 million recorded exchanges and more than 24,000 accounts, and offered a lab-by-lab breakdown attributing roughly 150,000 exchanges to DeepSeek (alignment probes), about 3.4 million to Moonshot (agentic tool use and coding workflows), and approximately 13 million to MiniMax, which Anthropic says diverted nearly half of its user traffic to siphon capabilities.

Anthropic frames the incident not only as an intellectual-property and commercial threat but as a national-security and safety concern: models reconstructed via large-scale extraction may lack the safety controls, provenance, and usage constraints embedded in the originals, increasing downstream misuse risks. The company says it will invest in detection and mitigation measures and is urging cloud providers, fellow model developers, and regulators to coordinate on telemetry sharing, rate limits, attestation, and other operational defenses.

Several other disclosures from industry participants reinforce that distillation-style extraction is a recognized and recurring tactic. An OpenAI memo to U.S. lawmakers described DeepSeek‑like behavior that combined masked, time‑distributed and evasive querying patterns intended to evade conventional rate limits and abuse detection — a technical profile that aligns with Anthropic’s account of evasive, large‑scale harvesting, though OpenAI did not publish the same detailed volume estimates. Google and other firms have also reported high‑volume querying campaigns aimed at reproducing model capabilities; independent research warns that persistent memory, large context windows, and agentic toolchains can amplify opportunities for systematic extraction.

At the same time, public reporting highlights alternative or complementary vectors: criminal operations have been shown to discover and monetize exposed, poorly secured self‑hosted model endpoints and management consoles, and such compromises can yield transcripts, API keys, and billing access that facilitate either direct siphoning or broader exfiltration. Those vectors complicate attribution because large volumes of harvested outputs can result from direct interactive querying of a hosted endpoint, automated scraping of exposed admin consoles, or a mix of both.

Legal and evidentiary questions further muddy the picture. Past disputes over dataset sourcing, plus publicized internal records showing Anthropic’s own aggressive data‑acquisition programs in other contexts, mean that claims of misappropriation will face both technical and judicial scrutiny. Industry conversations now emphasize that distinguishing legitimate research and benchmarking from adversarial harvesting is technically hard and legally unsettled.

Policy considerations loom large: the allegation arrives amid renewed debates in Washington over export guidance for high‑end AI accelerators, and frontier labs see the episode as strengthening the case for tighter export and hosting controls. Critics counter that blunt restrictions risk slowing legitimate research, pushing affected actors toward localized compute stacks, and incentivizing clandestine or offline extraction pipelines.

Anthropic’s public disclosure therefore serves multiple purposes: a call for coordinated operational defenses (telemetry, watermarking, attestation, contractual enforcement), a policy argument favoring stricter hardware and hosting guardrails, and a reputational move in a contested market. Observers should treat the firm’s numeric estimates as its forensic assessment rather than independently verified facts: open corroboration of the full scale and lab‑level attribution remains limited in public reporting.

Short‑term technical responses being discussed across the industry include enhanced rate limiting, per‑account attestation, provenance watermarking for outputs, cross‑lab signal sharing, and tighter cloud telemetry. But independent researchers and vendors caution these defenses involve hard tradeoffs between usability, interoperability, research openness, and enforceability.