Everyone is distilling everyone

In February 2026, Anthropic published a detailed forensic report accusing three Chinese AI labs, DeepSeek, Moonshot AI, and MiniMax, of running industrial-scale distillation campaigns against Claude. Over 16 million exchanges. Approximately 24,000 fraudulent accounts. Coordinated proxy networks designed to evade detection. The report was thorough, the evidence was specific, and the message was clear: our competitors are stealing from us. But here is the thing nobody wants to say out loud. Distillation is not a bug in the AI ecosystem. It is the ecosystem. And Anthropic publishing this report is as much a competitive maneuver as it is a transparency exercise.

What actually happened

According to Anthropic's report, the three labs followed a similar playbook. They created thousands of fraudulent accounts, routed traffic through commercial proxy services to bypass regional access restrictions, and generated massive volumes of carefully crafted prompts targeting Claude's most valuable capabilities: agentic reasoning, tool use, and coding. The scale varied by lab. DeepSeek generated over 150,000 exchanges, focusing on reasoning capabilities and, notably, using Claude to generate censorship-safe alternatives to politically sensitive queries. Moonshot AI ran over 3.4 million exchanges targeting agentic reasoning, coding, and computer vision. MiniMax dwarfed both with over 13 million exchanges focused on agentic coding and tool orchestration. MiniMax's campaign was particularly revealing. Anthropic detected it while it was still active, before MiniMax had even released the model it was training. When Anthropic shipped a new Claude model mid-campaign, MiniMax pivoted within 24 hours, redirecting nearly half their traffic to capture capabilities from the latest system. That is not casual data collection. That is a live, adaptive extraction operation. The proxy infrastructure was equally sophisticated. Anthropic describes "hydra cluster" architectures, sprawling networks of fraudulent accounts distributed across API endpoints and third-party cloud platforms. One network managed over 20,000 accounts simultaneously, mixing distillation traffic with legitimate customer requests to make detection harder. When one account got banned, another took its place.

16 million exchanges is not an accident

The sheer volume tells you something important about the economics of modern AI development. Training a frontier model from scratch costs hundreds of millions, sometimes billions, of dollars. Distilling one costs a fraction of that. You do not need to collect and process massive datasets. You do not need tens of thousands of GPUs running for months. You just need access to someone else's API and enough clever prompts. This is what makes distillation so attractive and so difficult to police. The inputs look like normal usage. The outputs are just text. There is no break-in, no vulnerability, no misconfigured database. The attacker uses the product exactly as it was designed to be used, just not as it was intended to be used. Treblle's analysis of the incident put it well: "It's industrial espionage via API call." Traditional security tools look for break-ins. Distillation attacks look like revenue.

The open secret

Here is where the narrative gets uncomfortable. Distillation is not something only Chinese labs do. It is how a significant chunk of the open-source AI ecosystem got competitive so fast. Stanford's Alpaca project, one of the first viral open-source instruction-following models, was trained on 52,000 demonstrations generated from OpenAI's text-davinci-003. The researchers were transparent about it. The model was fine-tuned from Meta's LLaMA 7B using outputs harvested directly from OpenAI's API. It cost less than $600 to produce and went viral in the AI community. OpenAI objected, and the project was eventually shut down voluntarily. But Alpaca was not an anomaly. It was a template. Dozens of open-source models followed the same pattern: take a base model, fine-tune it on outputs from a stronger commercial model, release it, and claim competitive performance. Vicuna, WizardLM, and many others used variations of this approach. The entire instruction-tuning revolution of 2023 was built, in large part, on distilled data from commercial APIs. OpenAI noticed. In early 2025, after DeepSeek released R1, a reasoning model that matched o1's performance at a fraction of the reported training cost, OpenAI told U.S. lawmakers that DeepSeek was "free-riding" on American AI capabilities. Microsoft's security team reportedly detected large-scale data extraction activity linked to DeepSeek-affiliated accounts. Google reported a campaign involving over 100,000 prompts designed to extract Gemini's proprietary reasoning capabilities. By early 2026, all three major U.S. frontier labs, OpenAI, Anthropic, and Google, had publicly accused Chinese labs of distillation. They began sharing intelligence through the Frontier Model Forum, an industry nonprofit they co-founded in 2023. The message was coordinated: this is systematic theft, and it needs to stop. But the boundary between legitimate use and illicit extraction has always been blurry. As analysts told CNBC, "nuance is needed to distinguish between the different narratives." Every major AI lab distills its own models internally. The technique itself is standard practice. What makes it "illicit" is who is doing it, and to whom.

Anthropic's strategic timing

The report did not drop in a vacuum. Anthropic published it on February 23, 2026, right in the middle of a heated debate over U.S. AI chip export controls. Anthropic CEO Dario Amodei had been publicly pushing for tighter restrictions on chip sales to China, calling the Trump administration's decision to allow certain Nvidia chip exports "crazy" and comparing it to "selling nuclear weapons to North Korea." The company had spent over $1 million lobbying on export controls in Q3 2025 alone. The distillation report made a specific argument that tied directly to this lobbying effort: "Without visibility into these attacks, the apparently rapid advancements made by these labs are incorrectly taken as evidence that export controls are ineffective. In reality, these advancements depend in significant part on capabilities extracted from American models, and executing this extraction at scale requires access to advanced chips." In other words: Chinese labs are not innovating their way past export controls. They are cheating. And they need our chips to do it. Therefore, tighten the controls. This framing is clever. It recontextualizes every Chinese AI breakthrough as evidence of theft rather than independent capability. It positions Anthropic as a patriotic defender of American technology. And it provides a justification for export restrictions that directly benefit Anthropic's competitive position. None of this means the evidence is fabricated. The technical details in the report are specific and credible. IP address correlations, request metadata, infrastructure indicators, corroboration from other labs. But the decision to publish when they did, framed how they framed it, in the context they chose, that is strategy.

The legal and ethical gray zone

The legal framework around AI distillation is genuinely unsettled. Every major AI lab prohibits using their outputs to train competing models in their terms of service. OpenAI's terms explicitly state: "You may not use output from the Services to develop models that compete with OpenAI." Anthropic has similar restrictions. But enforcing these terms across international borders is a different matter entirely. Copyright law's applicability to AI-generated outputs remains contested. The U.S. Copyright Office has clarified that purely AI-generated content cannot be copyrighted, which creates an awkward legal foundation for claiming that someone "stole" your model's outputs. If the outputs are not copyrightable, what exactly was taken? Trade secret law offers a stronger path, but proving that a specific model was trained on specific outputs is technically difficult. You cannot look at a model's weights and determine with certainty what training data produced them. The evidence is necessarily circumstantial: behavioral similarities, timing correlations, metadata trails. A Berkeley Law analysis compared the situation to the longstanding tension between innovation and IP protection: "By allowing distillation as a legal practice, smaller AI companies could train efficient models using knowledge extracted from larger, more advanced AI systems without having to replicate the expensive training process from scratch." The question is where legitimate learning ends and illicit copying begins. This is not a new problem. The music industry fought sampling wars for decades. Academia has always wrestled with the line between citation and plagiarism. Open-source software licensing exists precisely because the boundaries of code reuse needed explicit definition. AI distillation is the latest iteration of an old argument about who owns knowledge and where the boundaries of intellectual property lie.

The safety argument and its limits

Anthropic's report makes a national security case: distilled models lack the safety training of the originals, which means dangerous capabilities can proliferate without guardrails. Foreign labs could feed unprotected capabilities into military, intelligence, and surveillance systems. This is a real concern, but it is also worth examining carefully. The argument assumes that safety training is a proprietary asset that gets "stripped out" during distillation. But safety alignment is not a secret sauce baked into the weights. It is a set of behavioral constraints applied through fine-tuning, RLHF, and system prompts. Any lab sophisticated enough to run a 13-million-exchange distillation campaign is sophisticated enough to apply its own safety training, or to deliberately remove it. The deeper issue is that safety and capability are not as separable as the report implies. A model that can reason well about biology can also reason well about bioweapons. A model that is good at coding can write malware. The capabilities themselves are dual-use, regardless of whether they were developed independently or distilled from a competitor. Framing distillation as primarily a safety risk, rather than primarily a business risk, serves Anthropic's positioning as the "safety-first" lab. But the company's primary concern is almost certainly economic: competitors reproducing their capabilities at a fraction of the cost undermines their business model.

What "moat" means now

If your model's outputs are someone else's training data, what does a competitive moat even look like? The traditional answer in tech is that moats come from scale, network effects, and distribution. In AI, the assumed moat was capability: whoever had the best model would win. But distillation erodes that advantage. If a competitor can approximate 90% of your model's performance by spending a few hundred thousand dollars on API calls instead of billions on training, the capability gap becomes less meaningful. This is already visible in the market. MiniMax's M2.5 matches Claude Opus on coding benchmarks at roughly 95% lower cost. DeepSeek offers reasoning models for pennies per million tokens. Whether these models achieved their performance purely through distillation, through independent innovation, or through some combination, the result is the same: the gap is closing and the price delta is enormous. The companies that recognize this are already shifting their moat strategy. OpenAI is pushing hard on ecosystem lock-in through ChatGPT and enterprise integrations. Google is leveraging distribution across its product suite. Anthropic is betting on trust, safety credentials, and enterprise relationships. But the uncomfortable truth remains: in a world where model outputs are functionally training data, the capability moat is temporary by design. Every API call is a potential lesson for a competitor.

For builders: act accordingly

If you are building on top of AI APIs, the practical takeaway is straightforward. Assume your prompts and outputs are, or could become, training data. Not necessarily because the provider you are using will train on them (most have opt-out policies), but because the broader ecosystem treats model outputs as a resource to be harvested. This has implications for how you think about proprietary workflows. If your competitive advantage depends on a specific chain of prompts that produces uniquely good results, that advantage is only as durable as the exclusivity of those outputs. As distillation becomes more widespread and more sophisticated, the value of any single model's outputs decreases because the knowledge they contain diffuses through the ecosystem. The real defensibility for application builders lies in the layers above the model: data, workflow design, user experience, domain-specific integrations. The model itself is increasingly a commodity input.

Does this accelerate or slow down AI?

The answer, counterintuitively, is both. Distillation accelerates the spread of capabilities. It is the reason open-source models went from laughably behind to competitive within 18 months. It is the reason a well-funded Chinese lab can approximate a frontier American model's performance without matching its R&D budget. It lowers the barrier to entry for every organization that wants to deploy AI, which, through something like Jevons paradox, increases total demand for AI compute and capability. But distillation also threatens to slow down the frontier. If the companies spending billions on fundamental research see their advances immediately absorbed by competitors at minimal cost, the incentive to invest in that research diminishes. Why push the boundary if someone else will harvest the results before you can monetize them? This is the core tension. The AI ecosystem needs both: frontier labs pushing capability forward and a broad ecosystem of builders adapting those capabilities for real-world use. Distillation makes the second part easier while potentially undermining the economics of the first. Anthropic, OpenAI, and Google are trying to solve this by making distillation harder: better detection, intelligence sharing, legal pressure, technical countermeasures. But as long as model outputs are accessible via API, the fundamental vulnerability remains. You cannot sell access to intelligence without also selling the intelligence itself.

The bigger picture

The distillation wars are really an argument about who gets to profit from AI capabilities and who gets to define the rules of competition. Anthropic frames it as national security. Critics frame it as monopolistic gatekeeping. The truth is probably somewhere in between. What is clear is that the current equilibrium is unstable. A world where frontier labs spend billions developing capabilities that can be extracted for thousands through API calls is not sustainable. Something has to give: either the business model changes, the technical defenses become effective enough to deter extraction, or the legal framework catches up to provide real enforcement. Until then, everyone is distilling everyone. The only question is who admits it.

References