Artificial intelligence company Anthropic has revealed new findings about large-scale attempts to extract capabilities from its AI models through a technique known as “distillation.” In a detailed technical update, the company explained how it identified coordinated campaigns attempting to replicate the capabilities of its flagship AI assistant Claude and outlined the steps it is taking to strengthen defenses against such activities.
Distillation is a common machine-learning practice used to train smaller or more efficient models using outputs generated by more powerful models. While this method can be used legitimately within organizations, Anthropic noted that it can also be misused when external actors attempt to collect model outputs at scale in order to replicate or approximate proprietary AI capabilities. The company’s investigation uncovered coordinated activity designed to extract Claude’s responses in high volumes, potentially allowing rival systems to train on those outputs.
Anthropic described the scale of these attempts in its public disclosure: “We’ve identified industrial-scale distillation attacks on our models by DeepSeek, Moonshot AI, and MiniMax.
These labs created over 24,000 fraudulent accounts and generated over 16 million exchanges with Claude, extracting its capabilities to train and improve their own models.”
According to the company, these accounts were created specifically to bypass safeguards and generate large volumes of interactions with Claude. By repeatedly querying the system, attackers could gather model responses that might later be used as synthetic training data for other AI systems.
The activity reportedly involved multiple AI laboratories, including DeepSeek, Moonshot AI, and MiniMax, which Anthropic said were responsible for orchestrating extensive querying campaigns against its models. Investigators found patterns across metadata, infrastructure usage, and request behavior that enabled them to link the activity to specific organizations with high confidence.
How Distillation Attacks Work
Distillation attacks occur when a model is prompted repeatedly to generate outputs that can be captured and reused to train another system. Instead of collecting massive human-generated datasets, developers can feed the outputs of advanced models into their own systems to accelerate development.
Anthropic noted that such practices, when conducted without authorization, can undermine the safeguards built into advanced AI systems. In particular, distilled models may replicate capabilities but fail to inherit the same alignment and safety protections implemented by the original developers.
This creates potential risks for the broader AI ecosystem, including the spread of powerful models without the guardrails intended to limit misuse. The company emphasized that addressing this issue requires stronger safeguards across the AI industry.
Also Read: Anthropic Introduces Claude Code Security to Empower Cyber Defenders with AI-Driven Vulnerability Detection
Strengthening AI Security Measures
As a result of these revelations, Anthropic has unveiled a range of protective steps that can help detect and prevent large, scale data extraction attempts. These measures comprise of an upgraded user behavioral monitoring, an advanced fraud detection system, and the incorporation of suspicious query pattern identification features in the infrastructure, level security of the network.
Moreover, the firm has pointed out that the collaboration of AI developers, cloud service providers, and legislators is crucial. The widespread usage and growing abilities of AI systems make the prevention of the unauthorized extraction of features of the models one of the main aspects of AI security.
Along with that, Anthropic made it clear that the problem does not belong to only one party. On the contrary, it is a challenge that a whole industry is facing where AI developers are trying to find a proper balance between being open, innovative, and protecting intellectual property rights.
A Growing Challenge for the AI Ecosystem
The increase in distillation attacks is a manifestation of the fast competition in the AI field. When companies are running at full speed to come up with the most sophisticated models, the possession of quality training data and model capabilities has thus become one of the main levers of strategy.
Anthropic is convinced that it will be necessary to combine detection/prevention, stronger defenses, and coordinated work within the technology ecosystem to be able to effectively hinder misuse.
The company is publishing information about these operations in order to raise people’s awareness of the threats that AI systems are going to face soon, in that way it hopes to get attraction of more people that are going to pay attention to the issue.
In the final analysis, it is the company’s point of view that in order to keep the safety and reliability of next, generation AI technologies, it is very important that only the owners of these AIs are the only ones who can exploit them, in effect that the protection of frontier AI models from unauthorized extraction goes beyond just the notion of intellectual property.
