Chinese AI labs are industrializing distillation of U.S. frontier models, turning them into smaller open-weight systems that run cheaply on laptops and phones and could dominate AI distribution on billions of devices.
Anthropic said DeepSeek, Moonshot and MiniMax used about 24,000 fraudulent accounts to generate more than 16 million Claude exchanges, extracting reasoning, coding and tool-use capabilities within weeks.
That advantage matters because local AI has improved fast: Stanford researchers found accurate answers from local models rose to 71% in 2025 from 23% in 2023, while cloud costs and data-center vulnerabilities push demand toward on-device systems.
Security risks also rise when distilled models shed safeguards: Cisco said DeepSeek-R1 failed HarmBench prompts, CrowdStrike found politically sensitive prompts made it up to 50% more likely to produce vulnerable code, and OpenClaw's ecosystem was flooded with 340 malicious extensions.
The report argues Washington should tighten chip export controls, extend FDPR-style licensing to distilled models, and back U.S. open-weight alternatives with allies or risk winning AI training while losing the distribution war.
As China's free AI models spread globally, is the U.S. losing a tech race or a business model war?
The U.S. is fighting an AI chip war, but could Chinese transformers unplug its entire data infrastructure?
When your AI assistant can execute code, how do you stop it from becoming a hacker's perfect backdoor?
"13 Million Exchanges: Anthropic Exposes Chinese AI Distillation Attacks and the Global Race for Frontier Model Dominance"
Overview
In early 2026, Anthropic accused three major Chinese AI labs—DeepSeek, Moonshot AI, and MiniMax—of large-scale AI distillation attacks that violated its terms of service and U.S. export controls. Anthropic traced one campaign to MiniMax by analyzing request metadata and infrastructure, matching activity to MiniMax’s public roadmap. MiniMax’s operation involved over 13 million interactions, targeting advanced features like agentic coding and tool use. Anthropic detected the campaign while it was still ongoing, even observing MiniMax quickly shift focus to new models as they launched. This provided rare insight into how such attacks unfold and adapt in real time.