Detecting and preventing distillation attacks

Source: Anthropic Date: 2026-02-23 URL: https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks

Summary

Anthropic published findings on large-scale model distillation campaigns by three Chinese labs: DeepSeek (150,000+ exchanges targeting reasoning and censorship evasion), Moonshot (3.4M+ exchanges, agentic reasoning and computer vision), and MiniMax (13M+ exchanges, agentic coding and tool orchestration). Operations used “hydra cluster” proxy networks managing up to 20,000 fraudulent accounts simultaneously to extract outputs systematically. Anthropic’s response includes classifiers for coordinated activity, access control tightening, and intelligence-sharing with industry partners.

Implications

• The scale gap between labs is stark: MiniMax’s 13M exchanges targeting agentic coding is not casual scraping — it’s a structured capability extraction operation. Agentic capabilities (tool use, coding, orchestration) are specifically prioritized, suggesting these are seen as the highest-value transferable properties.
• The export control circumvention framing matters geopolitically: distillation sidesteps chip-export restrictions by transferring capability rather than hardware. This is likely to drive regulatory attention toward output restrictions and API access controls, not just compute controls.
• For anyone building on top of frontier model APIs, the countermeasures (pattern classifiers, account verification tightening) will create friction for legitimate high-volume automated usage — a secondary effect worth tracking.
• The absence of safety alignment transfer is the threat vector Anthropic emphasizes most: a distilled model inherits capabilities but not the safety training, producing systems with uplift potential and no corresponding guardrails. This is the argument undergirding Anthropic’s policy push and feeds the AI governance/oversight thread.