Anthropic just published a 2,000-word blog post accusing Chinese AI labs of industrial-scale theft. The irony? They’re describing exactly what built their own empire, just with a different IP address and a lot less venture funding.
On February 23, 2026, the company behind Claude dropped a bombshell: three Chinese AI companies, DeepSeek, Moonshot, and MiniMax, had allegedly created 24,000 fraudulent accounts to extract 16 million+ exchanges from Claude’s API. The goal? Distill Claude’s capabilities into their own models. The tone? Outraged moral superiority. The problem? Anthropic’s own house is made of the same stolen bricks.
The Accusation: A “Hydra Cluster” Heist
According to Anthropic’s report, the Chinese labs deployed what they call “hydra cluster” architectures, sprawling networks of fake accounts that rotated through API keys like a digital shell game. One cluster managed 20,000+ accounts simultaneously, mixing distillation traffic with legitimate requests to evade detection.
The numbers are specific and damning:
- DeepSeek: ~150,000 exchanges targeting reasoning capabilities and chain-of-thought generation
- Moonshot AI: ~3.4 million exchanges focusing on agentic reasoning, tool use, and coding
- MiniMax: ~13 million exchanges, the largest volume, targeting agentic coding and orchestration
The extraction methods were sophisticated. Prompts asked Claude to “imagine and articulate the internal reasoning behind a completed response”, effectively generating training data for reasoning models. When Anthropic released a new model during MiniMax’s campaign, the lab allegedly pivoted within 24 hours, redirecting half its traffic to harvest the fresh capabilities.
Anthropic traced these operations through IP address correlation, request metadata, infrastructure patterns, and in some cases, direct matches to senior staff’s public profiles. They claim they could identify specific researchers at the labs.
The Community’s Immediate Response: “They Robbed the Robbers”
If Anthropic expected a standing ovation, they got a roast instead.
Anthropic’s blog post suggests they didn’t just block the accounts, they poisoned the outputs. The implication? If you’re a “problematic” user, Claude might deliberately feed you wrong answers.
This isn’t just paranoia. The blog mentions developing “countermeasures” and “safeguards designed to reduce the efficacy of model outputs for illicit distillation.” As one developer put it: “I am not going to pay a consultant if he’s going to randomly purposefully gave me wrong answers. Why on earth would I pay for an API if it’s doing that?”
The sentiment crystallized in a single phrase that spread across forums: “They robbed the robbers.”
The $1.5 Billion Elephant in the Room
Here’s where Anthropic’s moral high ground crumbles into dust. In September 2025, just five months before this distillation crusade, Anthropic agreed to a $1.5 billion settlement with authors who accused the company of training Claude on pirated books. The payout worked out to roughly $3,000 per book for approximately 500,000 works.
Let that sink in. The company now crying foul over unauthorized use of its model paid over a billion dollars for unauthorized use of human authors’ work.
Elon Musk, never one to miss a chance to twist the knife, posted: “Anthropic is guilty of stealing training data at massive scale and has had to pay multi-billion dollar settlements for their theft. This is just a fact.” He added that the difference between his own data practices and Anthropic’s is that Anthropic is “smug” and “hypocritical” about it.
The community piled on. One X user wrote: “I have a website about Traditional Chinese Medicine that I spent literally years building. When I asked questions to Claude about the topic, it parroted almost word-for-word what I myself wrote. So please spare us the gaslighting about training AI on others’ work.”
The Double Standard: Data vs. Weights
Anthropic’s defense rests on a semantic distinction that collapses under scrutiny. They argue there’s a difference between:
1. Training on public web data (what they did, “fair use”)
2. Distilling a specific model’s outputs (what Chinese labs allegedly did, “theft”)
But this distinction is paper-thin. When Anthropic scraped billions of web pages, they captured the collective output of human civilization without consent. When Chinese labs query Claude, they’re capturing the output of one company’s model, which they paid API fees to access.
The hypocrisy is especially glaring because Anthropic likely distilled OpenAI models themselves. Multiple community members point out that Claude’s rapid improvement in reasoning capabilities coincided suspiciously with OpenAI’s o1 release. One researcher noted that “Claude Sonnet 4.6 is showing significant signs of distilling from GPT5.2’s output.”
“If they were just distilling, Anthropic would’ve beat deepseek to the punch but they didn’t. It’s clear there really isn’t any great MOAT, it’s just clean data, more data, and RL.”
The Real Danger: Poisoned APIs and Surveillance
1. Unreliable APIs
If Anthropic is actively poisoning outputs for “suspicious” accounts, how can any enterprise trust Claude for critical work? The blog admits to developing “countermeasures” that degrade outputs for distillation attempts. But detection isn’t perfect. False positives mean legitimate researchers, corporate accounts, or startups with unusual usage patterns could receive deliberately wrong answers.
This isn’t theoretical. Users on r/SillyTavern have complained about “downgraded responses from Claude” for months. Others noticed Claude “gently pushing for commercial products instead of technical solutions”, possibly A/B testing their new monetization strategy through output manipulation.
2. Total Surveillance
Anthropic’s detection methods require massive telemetry. They track IP addresses, request metadata, payment methods, prompt patterns, and can allegedly identify individual researchers. As one developer noted: “Anthropic has a huge deal with Pentagon like other providers. If my data or prompts go outside my system then without any doubt they can be (read ‘are being’) used for surveillance.”
The company requires more personal information than any other provider on AWS Bedrock, organization details, use cases, extensive verification. They’re not just selling API access, they’re building a comprehensive behavioral database.
3. The “Unconstrained Model” Boogeyman
Anthropic’s national security argument is that distilled models lack safety guardrails. But this is a feature, not a bug, of their own design. If Claude’s safety training is so fragile that it can be stripped away by looking at outputs, the problem is Constitutional AI’s fundamental architecture.
Distilled models can bypass refusals because the safety mechanisms don’t transfer through API responses. This is true, but it’s also true that Anthropic’s entire safety paradigm is built on a black-box approach that doesn’t generalize. The solution isn’t export controls, it’s open, auditable safety research.
The Geopolitical Theater
Let’s be honest about what’s really happening. DeepSeek is preparing to release V4, rumored to match or exceed US frontier models at a fraction of the cost. MiniMax just IPO’d on the Hong Kong Stock Exchange. Moonshot’s Kimi models are gaining traction.
Anthropic’s accusations come exactly one week before DeepSeek’s expected launch. The timing is so transparent that even neutral observers call it strategic. As one analyst put it: “They do this before big releases to undermine opponents. Previously it was the 5.3 release from OAI and now it’s the imminent v4 from DeepSeek.”
The blog post explicitly links distillation to export controls, arguing that chip restrictions are insufficient if models can be extracted via API. This serves Anthropic’s policy agenda: more restrictions, more government contracts, more barriers to entry for competitors.
But the argument is self-defeating. If Chinese labs can replicate Claude’s capabilities through API calls, then Claude isn’t a strategic asset worth protecting, it’s a commodity. The real moat isn’t the model weights, it’s the data flywheel, user ecosystem, and infrastructure. Anthropic is fighting the last war.
What This Means for Practitioners
1. Trust Nothing
Assume any API response could be poisoned if your usage pattern triggers detection heuristics. For critical applications, implement redundancy across providers and output validation. Don’t rely on a single model for truth.
2. Go Local
The community consensus is clear: “Stay local, man.” Open-weight models like Llama, Mistral, and DeepSeek’s own releases offer verifiable, uncensored, unpoisoned alternatives. The performance gap is closing fast, DeepSeek’s R1 already rivals o1-preview on reasoning benchmarks.
Consider this: A leaked Llama model fused with Claude’s reasoning via distillation shows the community can replicate frontier capabilities without API dependencies. The open-source ecosystem is performing unauthorized brain transplants, and succeeding.
3. Architect for Resilience
If you’re using Claude in automated systems, as with OpenClaw’s $200/month token-burning machines, understand that you’re building on quicksand. API policies change, outputs can be poisoned, and providers can cut access overnight.
Design systems that swap models like interchangeable parts. Abstract away provider-specific features. Your architecture should survive if Anthropic decides you’re a “distiller.”
4. The Safety Mirage
Anthropic’s safety claims are architecturally brittle. If safety training doesn’t transfer through distillation, it also doesn’t transfer through fine-tuning, adaptation, or any real-world deployment. This is a fundamental flaw in their approach.
Instead of trusting vendor safety claims, implement your own guardrails. Use sandboxing, output filtering, and human-in-the-loop for high-risk tasks. Don’t outsource safety to a company that might be poisoning your prompts.
The Honest Assessment
The AI community’s divided response reflects a deeper truth: both sides are right, and both are wrong.
Yes, Chinese labs likely extracted Claude’s capabilities at scale. The technical evidence, coordinated account patterns, specific prompt structures, metadata correlation, is credible. This violates Anthropic’s ToS and gives competitors an unfair advantage.
But Anthropic’s outrage is performative and self-serving. They built their empire on unauthorized data collection, paid billions in settlements, and now cry foul when the same playbook is used against them. They’ve deployed surveillance and output poisoning that undermines trust in their own product. And they’re using national security rhetoric to mask competitive fear.
The real issue isn’t distillation, it’s concentration of power. A handful of companies control the frontier models, set the rules, and enforce them through surveillance and sabotage. They want IP protection for their models while denying it to everyone else’s data.
The Path Forward
The solution isn’t more export controls or API police. It’s radical openness:
- Open weights with verifiable provenance
- Open safety research that doesn’t rely on black-box RLHF
- Open benchmarks that can’t be gamed by distillation
- Decentralized infrastructure that doesn’t require trusting a single provider
Until then, developers should treat frontier APIs as unreliable, surveilled, and potentially adversarial. Build systems that assume poisoning, expect surveillance, and survive disconnection.
Anthropic’s blog post ends with a call for “rapid, coordinated action among industry players, policymakers, and the global AI community.” Here’s a better idea: rapid, coordinated adoption of open-source alternatives that make these hypocritical games irrelevant.
The distillation debate isn’t about ethics. It’s about who gets to steal from whom. And if you’re not a billion-dollar AI lab, the answer is: you’re the mark.
