Anthropic Launches Defense Against Claude Distillation


Anthropic has uncovered coordinated, industrial‑scale campaigns by three Chinese labs that harvested more than 16 million Claude interactions through fake accounts. The report shows how attackers can extract Claude’s reasoning capability without its safety layers, turning the model into a cheap, unguarded tool. You’ll learn why this breach matters and how Anthropic is tightening its defenses.

Understanding Distillation and Its Abuse

Distillation lets a smaller “student” model learn from a larger “teacher” model, a technique researchers use to speed up inference. In the wrong hands, the same process becomes a shortcut for stealing capabilities. Attackers fed Claude’s outputs into their own models, effectively cloning its reasoning without paying for the research or safety engineering.

Teacher‑Student Model Basics

The teacher‑student paradigm is simple: the teacher answers questions, the student mimics those answers. When the teacher is a high‑performing system like Claude, the student can quickly pick up sophisticated reasoning patterns.

How Attackers Weaponized Distillation

Instead of building a student for benign use, the attackers trained students that inherit Claude’s capabilities but none of its guardrails. The result is a model that can generate powerful outputs, such as code or strategic advice, without the safeguards that prevent misuse.

Scale of the Claude Harvesting Campaigns

Three labs orchestrated massive query farms, each deploying thousands of fake accounts that flooded Claude with requests. The combined effort produced over 16 million exchanges, dwarfing typical academic distillation projects.

DeepSeek’s Targeted Queries

DeepSeek focused on advanced reasoning, rubric‑based grading, and “censorship‑safe” answers to politically sensitive prompts. In total, it generated more than 150,000 exchanges.

Moonshot AI’s Massive Reach

Moonshot AI aimed at agentic reasoning, tool use, coding, and computer‑vision tasks. Its campaign logged roughly 3.4 million interactions, showcasing a broad attack surface.

MiniMax’s Dominant Volume

MiniMax led the pack with over 13 million exchanges, zeroing in on agentic coding and tool‑use orchestration. Its scale alone highlights how a well‑funded lab can turn distillation into a weapon.

Why This Threat Raises Alarm

The stolen outputs lack the safety guardrails Anthropic builds into Claude. Without those protections, malicious actors can repurpose the model for disinformation, automated hacking, or even illicit biological research.

Missing Safety Guardrails

Claude’s safety layers block harmful content, but a distilled copy inherits none of those checks. That gap makes the stolen model a low‑cost, high‑risk tool for bad actors.

Export‑Control Implications

The episode underscores why controlling advanced chips matters. Limiting chip exports raises the cost of running Claude‑scale inference, slowing down large‑scale distillation attempts.

Anthropic’s Countermeasures

In response, Anthropic is deploying real‑time traffic fingerprinting and tightening its detection pipelines. The company also shares threat indicators with partners to help the ecosystem spot similar attacks.

Real‑Time Traffic Fingerprinting

New systems monitor query patterns, account creation bursts, and metadata anomalies to flag suspicious activity as it happens.
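To make the two signals named above concrete, here is an added toy detector (not Anthropic's system) that flags account‑creation bursts and clusters of accounts sharing the same network metadata and prompt template, run over constructed API logs. Every field name, threshold, ASN and log record is an assumption.

```python
# Added example, not Anthropic's detection code: flags (1) bursts of account
# creation in a short window and (2) groups of accounts that share ASN, client
# and prompt template, the shape a coordinated query farm tends to leave in logs.
import bisect
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

def prompt_template(prompt: str) -> str:
    """Hash a prompt with numbers and quoted strings masked, so the same
    harvesting template with different filler collapses to one value."""
    masked = re.sub(r"\d+", "N", prompt)
    masked = re.sub(r'"[^"]*"', "STR", masked)
    return hashlib.sha256(masked.encode()).hexdigest()[:12]

def signup_bursts(signups, window=timedelta(minutes=5), threshold=20):
    """Return (window_start, count) for each non-overlapping window holding at
    least `threshold` signups. `signups` is a list of (account, time)."""
    times = sorted(t for _, t in signups)
    bursts, i = [], 0
    while i < len(times):
        end = bisect.bisect_left(times, times[i] + window)  # first event past the window
        if end - i >= threshold:
            bursts.append((times[i], end - i))
            i = end  # skip past the burst so it is reported once
        else:
            i += 1
    return bursts

def harvesting_clusters(requests, min_accounts=10):
    """Group accounts by (ASN, user agent, prompt template) and keep fingerprints
    shared by at least `min_accounts` accounts. `requests` is (account, asn, ua, prompt)."""
    by_fingerprint = defaultdict(set)
    for account, asn, user_agent, prompt in requests:
        by_fingerprint[(asn, user_agent, prompt_template(prompt))].add(account)
    return {fp: sorted(a) for fp, a in by_fingerprint.items() if len(a) >= min_accounts}

# Constructed logs: 40 accounts created within 40 seconds that all send the same
# rubric-grading template from one (documentation-range) ASN, plus two ordinary users.
SIGNUPS = [(f"farm{i:03d}", datetime(2025, 1, 1, 12, 0, i)) for i in range(40)]
SIGNUPS += [("legit1", datetime(2025, 1, 1, 9, 0)), ("legit2", datetime(2025, 1, 1, 15, 30))]
REQUESTS = [(f"farm{i:03d}", "AS64496", "python-requests/2.31",
             f'Grade this answer against the rubric: "{i}"') for i in range(40)]
REQUESTS += [("legit1", "AS64497", "Mozilla/5.0", "Write a haiku about rain"),
             ("legit2", "AS64497", "Mozilla/5.0", "Explain TCP slow start")]
if __name__ == "__main__":
    print(signup_bursts(SIGNUPS))
    print(harvesting_clusters(REQUESTS))
```

In a real pipeline the same grouping would run over streaming events with thresholds tuned per plan tier, and a hit would feed rate limiting or account review rather than an immediate block.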

Industry Collaboration

Anthropic is working with other AI firms to exchange intelligence, ensuring that the broader community can react quickly to emerging threats.

Broader Impact on AI Safety and Policy

If you develop or deploy AI models, you need to consider how distillation could bypass your safety measures. Policymakers may tighten export controls, while developers must adopt stronger monitoring to protect high‑impact systems.

Overall, the Anthropic disclosure shines a light on a growing supply‑chain risk. By tightening hardware controls, improving detection, and fostering industry cooperation, the AI community can better guard against large‑scale capability theft.