24,000+ fake accounts. 16M+ exchanges. DeepSeek, MiniMax, Moonshot accused of industrial-scale model theft. The ethics, the hypocrisy, and the national security framing.
Get new posts delivered to your inbox. No spam, unsubscribe anytime.
On February 23, 2026, Anthropic published a blog post with a clinical title: "Detecting AI Model Distillation." The content was anything but clinical. Anthropic accused three Chinese AI labs -- DeepSeek, MiniMax, and Moonshot AI -- of systematically extracting knowledge from Claude using over 24,000 fake accounts and more than 16 million API exchanges. Eleven days earlier, OpenAI had sent a memo to the U.S. House Select Committee on the CCP making nearly identical claims about DeepSeek.
Two of the largest American AI companies independently accused the same Chinese labs of the same thing within the same month. Either this is a coordinated propaganda campaign, or something genuinely massive happened. The evidence suggests both are true -- the theft is real, and the framing is strategic.
Let me walk through the data, the hypocrisy, and why this matters far more than the headlines suggest.
Anthropic's investigation revealed industrial-scale extraction:
| Lab | Fake Accounts | API Exchanges | Method |
|---|---|---|---|
| MiniMax | ~14,000 | ~13 million | Systematic prompt patterns across distributed accounts |
| Moonshot AI | ~7,000 | ~3.4 million | Similar distributed extraction |
| DeepSeek | ~3,000 | ~150,000 | Targeted, focused extraction |
| Total | ~24,000+ | ~16.5 million+ |
These weren't casual users pushing the API hard. According to Anthropic, the accounts exhibited coordinated behavior patterns -- similar prompt structures, systematic coverage of topics, timing patterns consistent with automated extraction rather than human usage. The technical blog post described novel detection methods including statistical analysis of query patterns and output comparison techniques.
MiniMax alone generated 13 million exchanges. To put that in perspective, that's roughly the equivalent of one person having 1,000 conversations with Claude every single day for 36 years. This wasn't someone "playing around" with the API.
OpenAI's February 12, 2026 testimony to the House Select Committee claimed that DeepSeek used OpenAI model outputs to train its models, specifically pointing to DeepSeek-R1's reasoning traces showing patterns consistent with distillation from GPT-4 and o1-series models. OpenAI stated it had evidence of "distillation" -- the process of training a smaller, cheaper model to mimic the outputs of a larger, more expensive one.
Microsoft researchers independently corroborated these findings, identifying patterns in DeepSeek's outputs that were statistically consistent with training on OpenAI model outputs.
The timing wasn't coincidental. Both companies released their findings in February 2026, just as U.S. lawmakers were debating new export controls on AI technology and the Protecting AI Innovation and Privacy Act (PAIP) was gaining traction in Congress.
Before we get into the ethics, let's understand the technique.
Knowledge distillation was formalized by Geoffrey Hinton, Oriol Vinyals, and Jeff Dean in 2015. The paper, "Distilling the Knowledge in a Neural Network," introduced a simple but powerful idea: a smaller "student" model can learn to replicate the behavior of a larger "teacher" model by training on the teacher's outputs rather than the original training data.
The intuition is this: when a large model outputs a probability distribution over possible answers, that distribution contains more information than just the correct answer. It contains the model's uncertainty, its near-misses, its sense of which wrong answers are "almost right." A student model trained on these "soft targets" learns faster and generalizes better than one trained on raw data alone.
In the context of LLMs, distillation works like this:
The result is a model that performs surprisingly close to the teacher on many tasks while being dramatically cheaper to run. DeepSeek-R1, for instance, reportedly achieves 90%+ of GPT-4's performance on standard benchmarks at a fraction of the inference cost.
This is why distillation is so threatening to companies that spend billions training frontier models. You invest $100 million+ training a model on trillions of tokens, and someone else replicates most of your capability by spending a few hundred thousand dollars querying your API.
Here's where it gets uncomfortable for the American labs: what the Chinese labs allegedly did may not be illegal.
AI model outputs are not copyrighted. The U.S. Copyright Office has repeatedly ruled that AI-generated content lacks the human authorship required for copyright protection. When Claude generates a response to a prompt, that response doesn't belong to Anthropic under copyright law. It's not clear it belongs to anyone.
This creates a bizarre situation. If I asked Claude to explain quantum mechanics 13 million times with slight variations and used those explanations to train another model, I haven't stolen copyrighted material. I've used uncopyrightable outputs.
The only legal mechanism available to Anthropic and OpenAI is their Terms of Service (ToS), which prohibit using model outputs to train competing models. Anthropic's Acceptable Use Policy explicitly bans "developing competing AI models using outputs."
But ToS violations are contract disputes, not criminal offenses. Enforcing them against entities in China is practically impossible. Chinese courts have no obligation to enforce American ToS agreements, and the labs themselves aren't incorporated in the U.S.
As of April 2026, no court has issued a ruling on AI-to-AI distillation. There's no precedent. The legal system hasn't caught up with the technology. We're in a regulatory vacuum where the only "rules" are private contracts that can't be enforced against the most significant alleged violators.
| Legal Avenue | Status | Viability |
|---|---|---|
| Copyright infringement | Not applicable (AI outputs not copyrightable) | None |
| Terms of Service violation | Applicable | Unenforceable against Chinese entities |
| Trade secret theft | Would need to prove model weights were stolen | No public evidence |
| Patent infringement | No relevant patents | None |
| New legislation (PAIP Act) | Proposed, not yet law | Uncertain |
Now let's talk about the elephant in the room. Because this story isn't as simple as "American companies good, Chinese companies bad."
In September 2025, a group of book publishers and authors filed a class-action lawsuit against Anthropic alleging that Claude was trained on pirated copies of their books. Anthropic settled for $1.5 billion -- one of the largest copyright settlements in technology history.
Let that sink in. Anthropic is accusing Chinese labs of using Claude's outputs to train models while Anthropic itself trained Claude on copyrighted books without permission. The company that spent $1.5 billion settling claims that it misused others' intellectual property is now outraged that others are misusing its intellectual property.
The moral distinction Anthropic draws is: "We trained on publicly available data that happened to be copyrighted. They deliberately circumvented our access controls using fake accounts." That distinction is real but thin. Both involve using someone else's work product to build a competitive AI without permission.
OpenAI's position is even more awkward. The company was founded as a nonprofit committed to open AI research. Its early models were released openly. The entire original mission was to prevent AI from being monopolized by a few companies.
Now OpenAI is arguing that Chinese labs shouldn't be allowed to learn from its models' outputs -- the exact kind of knowledge sharing that OpenAI was created to promote. The New York Times lawsuit alleging OpenAI trained on NYT articles without permission is still active. OpenAI is simultaneously arguing that it should be allowed to train on others' work and that others shouldn't be allowed to train on its work.
Here's the fact that makes the "theft" framing collapse: Western companies distill from each other all the time.
Microsoft's Phi-4 model was trained partly on synthetic data generated by GPT-4o and o3-mini -- which are OpenAI models. Microsoft is an investor in OpenAI. But the technique is identical: use a larger model's outputs to train a smaller one. The Phi-4 technical report openly acknowledges using "synthetic data" from stronger models.
Google's Gemma models have been trained on data that likely includes outputs from other AI systems. Numerous startups and research labs train on GPT-4 and Claude outputs as standard practice, often in violation of ToS that nobody enforces.
The difference between "Western distillation" and "Chinese distillation" isn't the technique. It's the geopolitical context.
This is where the story gets really interesting -- and really cynical.
The distillation accusations didn't emerge in a vacuum. They appeared during a specific political moment:
| Date | Event |
|---|---|
| January 2026 | Trump administration announces expanded AI export controls |
| February 12, 2026 | OpenAI testifies to House Select Committee on CCP |
| February 23, 2026 | Anthropic publishes distillation detection blog |
| March 2026 | PAIP Act gains bipartisan support |
| March 2026 | Commerce Department considers "model output export controls" |
Both companies framed the distillation issue as a national security threat, not just a business complaint. OpenAI's testimony explicitly connected AI distillation to Chinese military capabilities. Anthropic's blog post emphasized that distillation could allow "adversarial actors" to acquire capabilities that were "developed with significant American investment."
The American AI labs aren't just asking for sympathy. They're asking for specific policy outcomes:
Some of these are reasonable. Some are rent-seeking dressed up as patriotism. The challenge is figuring out which is which.
DeepSeek's R1 model launch in January 2026 sent shockwaves through the American AI industry. It performed remarkably close to GPT-4 on many benchmarks at a fraction of the cost. The stock prices of Nvidia, Microsoft, and other AI infrastructure companies dipped significantly on the news.
The fear wasn't just that DeepSeek had a good model. The fear was that DeepSeek's model suggested the massive capital expenditures by American companies might not create durable competitive advantages. If a Chinese lab can produce 90% of the capability at 10% of the cost -- whether through distillation, efficiency innovations, or both -- then the $650 billion the Magnificent Seven are spending on AI infrastructure looks a lot less like investment and a lot more like waste.
The distillation accusations, whatever their technical merit, also serve to delegitimize DeepSeek's achievement. "They didn't really build it; they copied us" is a more comfortable narrative than "they built something nearly as good for vastly less money."
The AI research community's response has been notably divided.
Many researchers and engineers side with Anthropic and OpenAI. Their argument: creating 24,000 fake accounts to systematically extract model capabilities is clearly adversarial behavior, regardless of whether it's technically legal. The scale of the operation (16 million+ exchanges) demonstrates intent to replicate proprietary systems, not legitimate research use.
Dario Amodei, Anthropic's CEO, framed it bluntly: the labs "knew what they were doing" and the systematic use of fake accounts demonstrated "clear intent to circumvent our protections."
Others point out that if you offer a product via API and someone uses that API extensively, you can't retroactively call it theft. AI researchers like Yann LeCun (Meta's Chief AI Scientist) have argued that knowledge should flow freely and that attempting to lock down model outputs is both futile and counterproductive.
The open-source AI community has been particularly vocal. If Meta can release Llama openly and encourage anyone to build on it, why is it theft when someone builds on Claude's outputs? The philosophical inconsistency is glaring.
Perhaps the most interesting position is held by researchers who point out that distillation is ubiquitous. Every time a developer uses GPT-4 to generate training data for a fine-tuned model, that's distillation. Every time a company uses Claude to create synthetic datasets, that's distillation. The practice is so widespread that criminalizing it would affect the entire AI ecosystem, not just Chinese labs.
The Stanford HAI report on AI policy noted that "the line between legitimate use of AI systems and unauthorized distillation is often unclear and context-dependent."
Congress is moving, but slowly. The PAIP Act would create a federal framework for AI model protection, including criminal penalties for "systematic extraction of AI model capabilities for the purpose of training competing systems." But it faces opposition from open-source advocates, civil liberties groups, and ironically, some AI companies that benefit from the current ambiguity.
The Commerce Department is exploring whether AI model outputs could be classified as controlled technology under export regulations. This would be unprecedented -- you'd essentially be regulating the output of a conversation with an AI as an export-controlled good.
Both Anthropic and OpenAI have announced enhanced detection systems:
These are arms-race measures. For every detection technique, there's a countermeasure. Paraphrasing outputs before using them for training, mixing outputs from multiple models, or using the distilled model to rewrite the training data can all defeat current watermarking approaches.
The distillation wars are a proxy for the broader U.S.-China AI competition. The real stakes aren't Anthropic's revenue or OpenAI's market share. The real stakes are:
Who controls frontier AI capabilities? If distillation allows any nation-state to acquire near-frontier capabilities cheaply, the entire theory of AI advantage through spending collapses.
Can export controls work for AI? Unlike chips, which are physical objects that can be tracked, AI model capabilities can be extracted through an API from anywhere in the world. Controlling the spread of AI knowledge may be fundamentally impossible.
Does the AI moat exist? If a $100 million frontier model can be replicated at 90% capability for $500,000 through distillation, the economic model of the entire American AI industry is questionable. The investors pouring billions into OpenAI, Anthropic, and Google are betting that frontier models create durable competitive advantages. Distillation threatens that bet.
This is simultaneously a legitimate security concern and a masterclass in corporate narrative management.
The distillation happened. The evidence from Anthropic is detailed and credible. Twenty-four thousand fake accounts generating 16 million exchanges is not a gray area. It's a systematic campaign to extract proprietary capabilities. MiniMax, Moonshot, and DeepSeek knew what they were doing, and the scale proves it was organizational, not rogue employees.
But the framing is strategic. Anthropic and OpenAI aren't just reporting a problem -- they're positioning for regulatory capture. They want legislation that protects their business model while appearing to protect national security. They want export controls that restrict competition while appearing to restrict adversaries. They want the government to enforce their Terms of Service because they can't enforce it themselves.
The hypocrisy is real and it matters. You cannot train on billions of copyrighted works without permission, settle for $1.5 billion, and then claim moral authority over others who use your outputs without permission. The technique is different but the ethical principle is identical: using someone else's work product to build something competitive without their consent.
The national security argument has merit but is overstated. Yes, adversarial nations acquiring AI capabilities cheaply is a legitimate concern. No, the primary motivation of OpenAI's congressional testimony is not national security -- it's competitive advantage. These companies would be making the same complaints if the distillation came from European or Indian labs. The China angle makes it politically palatable.
The legal vacuum is the real story. We have no framework for this. Copyright doesn't apply to AI outputs. ToS can't be enforced internationally. No court has ruled. No legislation has passed. We're navigating a fundamental shift in how knowledge and capability transfer between organizations, and our legal system hasn't even begun to address it.
What should happen? Three things:
First, distillation should be acknowledged as a legitimate technique that exists on a spectrum from clearly acceptable (using AI outputs for personal learning) to clearly unacceptable (24,000 fake accounts extracting capabilities at industrial scale). Drawing that line requires nuance, not blanket bans.
Second, the legal framework needs to distinguish between scale and intent. A researcher using Claude to generate training examples is fundamentally different from a state-backed lab creating thousands of fake accounts for systematic extraction. The law should reflect that difference.
Third, the hypocrisy needs to end. If American AI companies want legal protection for their model outputs, they need to accept the same principles applied to the copyrighted works they trained on. You can't demand protection for your outputs while refusing to acknowledge the rights of the people whose work created those outputs.
The distillation wars aren't about theft. They're about power -- who gets to build frontier AI, who gets to profit from it, and who gets to decide the rules. Right now, nobody is deciding the rules. And in that vacuum, everyone is doing exactly what you'd expect: whatever they can get away with.