Chinese AI Giants Caught Red-Handed: 16 Million Queries to Steal Claude's Brain
Anthropic revealed that DeepSeek, Moonshot AI, and MiniMax ran industrial-scale distillation attacks using 24,000 fraudulent accounts to systematically extract Claude's reasoning, coding, and agentic capabilities across 16 million exchanges. Google disclosed similar attacks on Gemini weeks earlier.
If you ever wondered whether the AI race has turned into an AI arms race, wonder no more. Anthropic dropped a bombshell on Monday, revealing that three major Chinese AI companies ran what the company describes as "industrial-scale campaigns" to illegally copy Claude's most advanced capabilities. We're not talking about a few curious engineers poking around. We're talking about 16 million carefully orchestrated exchanges designed to systematically extract the secret sauce that makes Claude tick.
The companies named in Anthropic's disclosure are DeepSeek, Moonshot AI, and MiniMax, all based in China, where using Anthropic's services is explicitly prohibited due to legal, regulatory, and security concerns. The attackers didn't just sign up for accounts and start chatting. They operated through approximately 24,000 fraudulent accounts, using sophisticated proxy networks to mask their true origins while hammering Claude's API with prompts specifically designed to capture its reasoning patterns, coding abilities, and tool-use capabilities.
Before we dive deeper into the attack mechanics, it helps to understand what these companies were actually trying to accomplish. Distillation is a legitimate technique in AI development where a smaller, cheaper model learns by studying the outputs of a larger, more capable one. Think of it as a student copying homework, except the homework contains the cognitive architecture of a frontier AI system worth billions in R&D investment.
When a company distills its own models, that's standard practice. When a competitor does it to steal capabilities they couldn't develop themselves? That's industrial espionage at scale. And when foreign adversaries do it to acquire capabilities that could be weaponized for military intelligence, surveillance systems, or offensive cyber operations? That's a national security crisis.
Anthropic's disclosure makes this concern explicit. Models built through illicit distillation typically lack the safety guardrails that responsible AI developers spend enormous effort implementing. Those unprotected capabilities can then proliferate in ways that strip out critical restrictions, enabling everything from disinformation campaigns to autonomous systems that ignore ethical constraints entirely.
Each of the three Chinese AI labs ran distinct campaigns targeting different aspects of Claude's capabilities, though all shared the common objective of extracting as much valuable training data as possible.
DeepSeek's campaign was perhaps the most revealing from a political standpoint. Across more than 150,000 exchanges, their queries focused heavily on Claude's reasoning capabilities and rubric-based grading tasks. But what really stands out is their apparent interest in generating censorship-safe alternatives to politically sensitive queries. The attackers specifically probed Claude for help handling questions about dissidents, party leaders, and authoritarianism. It doesn't take much imagination to understand why a Chinese AI company might want to build a model capable of navigating those topics without accidentally saying something that gets executives called in for a chat with regulators.
Moonshot AI went after different targets across more than 3.4 million exchanges. Their focus centered on Claude's agentic reasoning and tool-use capabilities, including coding abilities, computer-use agent development, and computer vision. This suggests Moonshot is working toward building AI agents capable of autonomously operating computers and interacting with software, a capability that both legitimate users and malicious actors desperately want.
MiniMax ran the largest campaign by volume, generating over 13 million exchanges focused on agentic coding and tool use. The sheer scale here is staggering. That's an enormous corpus of high-quality training data extracted from what is arguably one of the most capable coding assistants on the planet, acquired at a fraction of the cost and time it would take to develop those capabilities independently.
What makes these attacks particularly difficult to counter is the infrastructure the attackers employed. Anthropic describes networks of commercial proxy services that resell access to Claude and other frontier AI models at scale, powered by what the company calls "hydra cluster" architectures.
These networks maintain massive pools of fraudulent accounts, distributing traffic across them to avoid triggering rate limits or behavioral detection systems. When one account gets banned, another takes its place instantly. In one case, a single proxy network managed more than 20,000 fraudulent accounts simultaneously, mixing distillation traffic with legitimate customer requests to make pattern detection exponentially harder.
This approach means there are no single points of failure. Banning individual accounts becomes a game of whack-a-mole that the infrastructure is built to win. It exists specifically to enable capability theft at industrial scale while maintaining plausible deniability through obfuscation.
Anthropic's disclosure arrives just weeks after Google's Threat Intelligence Group revealed similar attacks targeting Gemini. Google documented and disrupted distillation attempts that used more than 100,000 prompts specifically designed to extract Gemini's reasoning capabilities. The parallel timing suggests this isn't opportunistic behavior but rather a coordinated or at least concurrent strategic priority across multiple Chinese AI labs.
Google's assessment noted that model extraction and distillation attacks don't typically threaten average users since they don't compromise the confidentiality, availability, or integrity of AI services for normal customers. The real victims are model developers and service providers who watch years of R&D investment get siphoned off through systematic API abuse.
Anthropic says it has deployed several defensive measures in response to these campaigns. The company built classifiers and behavioral fingerprinting systems designed to identify suspicious distillation patterns in API traffic. They've strengthened verification requirements for educational accounts, security research programs, and startup organizations, all of which are frequently exploited to gain access. And they've implemented enhanced safeguards that reduce the usefulness of model outputs for illicit distillation, though the company didn't elaborate on what those safeguards entail.
The fundamental challenge remains. How do you distinguish between a legitimate power user asking thousands of questions and a state-backed operation systematically extracting your intellectual property? Both look similar from a traffic perspective, especially when the attackers deliberately mix malicious queries with innocent-looking ones to camouflage their intent.
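To make the power-user-versus-cluster problem concrete, here is an added example (not Anthropic's classifiers, which the disclosure does not describe) contrasting a per-account rate limit with a cross-account check for repeated prompt templates. The function names, thresholds, account IDs and sample traffic are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

def template_of(prompt):
    """Reduce a prompt to its skeleton so filled-in variants of one script collide."""
    p = re.sub(r'"[^"]*"', "<STR>", prompt.lower())   # mask quoted payloads
    p = re.sub(r"\d+", "<NUM>", p)                     # mask numeric parameters
    return re.sub(r"\s+", " ", p).strip()

def over_rate_limit(events, limit):
    """Baseline control: accounts whose raw request count exceeds `limit`."""
    counts = Counter(acct for acct, _ in events)
    return sorted(a for a, n in counts.items() if n > limit)

def coordinated_accounts(events, min_accounts=3, min_repeats=2):
    """Map each template to the accounts repeating it (>= min_repeats each),
    kept only when at least min_accounts accounts do so. Unrelated traffic
    on the same account is ignored rather than diluting the signal."""
    uses = defaultdict(Counter)                        # template -> account -> count
    for acct, prompt in events:
        uses[template_of(prompt)][acct] += 1
    flagged = {}
    for tmpl, per_acct in uses.items():
        repeaters = sorted(a for a, n in per_acct.items() if n >= min_repeats)
        if len(repeaters) >= min_accounts:
            flagged[tmpl] = repeaters
    return flagged

# Constructed sample traffic (not real logs): four low-volume accounts share one
# scripted prompt and pad it with filler; one power user sends many distinct prompts.
EVENTS = []
for i, acct in enumerate(["acct-a1", "acct-a2", "acct-a3", "acct-a4"]):
    for j in range(3):
        EVENTS.append((acct, f'Grade the answer "sample {i}-{j}" against rubric {j + 1} and show each step'))
    EVENTS.append((acct, f"What is a good name for pet number {i}?"))  # camouflage request
for topic in ["dns", "tls", "ssh", "bgp", "ntp", "smtp"]:
    EVENTS.append(("power-user", f"Explain {topic} to a new hire"))
    EVENTS.append(("power-user", f"Write a quiz about {topic}"))

if __name__ == "__main__":
    print("over rate limit:", over_rate_limit(EVENTS, limit=10))
    for tmpl, accts in coordinated_accounts(EVENTS).items():
        print(f"{len(accts)} accounts share: {tmpl!r}")
```

On this sample the rate limit catches only the legitimate power user, while the template check surfaces the four low-volume accounts. A production system would need fuzzier template matching and an allowlist for templates that legitimate integrations share.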
This disclosure fundamentally reshapes how we should think about AI competition. The assumption that Chinese AI labs are rapidly catching up to American frontier models through pure engineering talent and investment needs revisiting. Some portion of that progress may come from systematically copying the leaders rather than innovating independently.
It also raises difficult questions about API access policies. Every AI company offering public API access is effectively running a training data extraction service for anyone willing to scale up fraudulent account creation. The more capable your model becomes, the more valuable it is as a distillation target, creating a perverse incentive where success breeds vulnerability.
For security professionals, the takeaway is that AI capabilities are now a critical infrastructure target deserving protection on par with traditional intellectual property. The organizations building and deploying these systems need to think like defenders, implementing detection systems, access controls, and behavioral analytics that can identify extraction campaigns before they achieve their objectives.
The AI race has entered a new phase. It's no longer just about who can train the biggest model or hire the best researchers. It's about who can protect their capabilities from systematic theft while navigating an increasingly adversarial landscape. Anthropic drew a line in the sand this week. The question now is whether the industry will unite behind meaningful countermeasures or continue treating API abuse as someone else's problem.