Anthropic Accuses Chinese AI Labs of Industrial-Scale Claude Model Distillation

San Francisco, CA — Anthropic, the AI safety-focused startup behind the Claude family of large language models, has revealed a sophisticated and large-scale campaign by overseas research entities to illegally extract the proprietary reasoning capabilities of its Claude models through a technique known as model distillation. According to internal investigations shared with the Financial Times and corroborated by public disclosures on Anthropic’s news portal, three Chinese AI laboratories orchestrated an operation involving more than 24,000 deceptive AI-driven accounts, generating over 16 million conversational exchanges with Claude models between late 2024 and mid-2025.

Model distillation, a well-documented machine learning practice, involves training a smaller, more efficient model by learning from the outputs of a larger, more capable one. While legitimate distillation is used openly in academia and industry to create lightweight versions of models, Anthropic contends that the operation it uncovered was neither transparent nor authorized. The attackers used automated systems to simulate human-like interactions, probing Claude Opus 4.5 and earlier versions with complex, multi-step queries designed to reverse-engineer its internal logic, decision-making pathways, and coding proficiency.

"This was not academic research—it was industrial espionage," said a senior Anthropic security executive, speaking on condition of anonymity. "They weren’t trying to improve AI for the public good. They were trying to steal our intellectual property to accelerate their own models without the cost of training from scratch."

According to the Financial Times, the attack vectors included carefully crafted prompts that tested Claude’s ability to reason through mathematical proofs, generate secure code, and navigate ethical dilemmas—areas where Claude Opus 4.5 had demonstrated industry-leading performance. The attackers then used the resulting outputs to train their own models, effectively creating clones with Anthropic’s proprietary intelligence baked in.

Neowin reports that the scale of the operation was unprecedented, with each deceptive account generating hundreds of interactions per day, often mimicking legitimate enterprise users or academic researchers. Anthropic’s internal detection systems flagged anomalies in query patterns, including unusually high volumes of prompts focused on coding tasks and system prompt injection attempts. Further analysis revealed that the IP addresses and device fingerprints associated with the attacks originated predominantly from data centers in Beijing, Shanghai, and Shenzhen—locations tied to known Chinese AI research institutions.

Anthropic has not publicly named the entities involved, citing ongoing legal and diplomatic considerations. However, the company has filed formal complaints with U.S. authorities and is working with international cybersecurity agencies to trace the infrastructure used in the attacks. The firm has also implemented new countermeasures, including dynamic response obfuscation, rate-limiting based on behavioral patterns, and watermarking of model outputs to trace unauthorized reuse.

The incident underscores growing tensions in the global AI race, where proprietary models are increasingly seen as strategic assets. While the U.S. government has imposed export controls on advanced AI chips, the theft of model weights and reasoning architectures represents a new frontier in technological espionage. "You can’t embargo a model’s thinking," said Dr. Elena Ruiz, an AI policy fellow at Stanford’s Center for Security and Emerging Technology. "Once a model is deployed publicly—even with safeguards—it becomes a target. This is the new arms race."

Anthropic’s announcement comes just weeks after the release of Claude Opus 4.6, its most advanced model to date, featuring a 1 million token context window and enhanced agent capabilities. The company says the distillation attacks have not compromised model security or user data, but the incident has accelerated its shift toward more closed-loop enterprise deployments and stricter API access controls.

As global AI competition intensifies, Anthropic’s case may set a precedent for how intellectual property in generative AI is protected—and prosecuted—in the absence of clear international norms. The U.S. Department of Commerce is now reviewing whether model distillation attacks should be classified as trade secret theft under the Economic Espionage Act.