Subject: 16 Million Exchanges. Three Labs. One Stolen Playbook. Preview: 24,000 fake accounts, CoT harvesting, and a pivot in 24 hours after a new model dropped.

ResearchAudio.io 16 Million Exchanges. Three Labs. One Stolen Playbook. 24,000 fake accounts, chain-of-thought harvesting, and a live pivot within 24 hours of a model launch.

One of Anthropic's competitors detected an active distillation campaign against Claude and redirected nearly half their API traffic to the newest Claude model within 24 hours of its release. The campaign was still running. Anthropic was watching.

On February 24, 2026, Anthropic published a detailed intelligence report naming three Chinese AI laboratories, DeepSeek, Moonshot AI, and MiniMax, and documenting industrial-scale efforts to extract Claude's capabilities through illicit distillation. The report covers more than 16 million fraudulent exchanges, approximately 24,000 fake accounts, and a technique called the "hydra cluster" that makes detection deliberately difficult.

16M+ Stolen exchanges

24K+ Fake accounts

3 Labs attributed

24h MiniMax pivot speed

Why Distillation Is a Safety Problem, Not Just a Business Problem

Distillation is a standard technique: train a smaller, less expensive model on the outputs of a larger one. Labs use it routinely on their own models. The problem is not the method, it is what gets lost in transit.

Claude's safety filters are built into its training. When a competitor distills Claude without those training processes, the resulting model can retain frontier-level capabilities while losing the safeguards that prevent misuse for bioweapon development, cyber operations, and disinformation campaigns. Anthropic's report frames this as a national security issue, not a competitive one.

Key Insight: Export controls on chips limit both direct model training and the scale of illicit distillation. Anthropic argues that apparent rapid progress from Chinese labs may partly reflect capability extraction from American models, not independent innovation, which actually strengthens the case for chip restrictions rather than weakening it.

The Three Campaigns, in Detail

[Attach diagram image: distillation-diagram.png]

DeepSeek 150K+ exchanges Targeted: reasoning, rubric-based reward model tasks, CoT elicitation, censorship-safe query generation

Moonshot AI 3.4M+ exchanges Targeted: agentic reasoning, tool use, computer vision, reasoning trace reconstruction

MiniMax 13M+ exchanges Targeted: agentic coding, tool orchestration. Caught live. Pivoted within 24h of new model release.

DeepSeek used a particularly sophisticated technique: prompting Claude to "imagine and articulate the internal reasoning behind a completed response and write it step by step." This is chain-of-thought elicitation used to generate training data for DeepSeek's own reasoning models. The campaign also asked Claude to produce censorship-safe alternatives to politically sensitive queries, likely to train models that steer away from discussions of dissidents or authoritarian governance.

Moonshot AI (the team behind Kimi) ran hundreds of fraudulent accounts across multiple access pathways to make the campaign harder to detect as coordinated activity. Anthropic attributed it through request metadata that matched public profiles of senior Moonshot staff. In a later phase, the team shifted to explicitly extracting and reconstructing Claude's reasoning traces.

MiniMax ran the largest operation at over 13 million exchanges. Anthropic caught it while still active, before MiniMax released the model it was training. This gave Anthropic visibility into the full lifecycle: from data generation through product launch. Timing was confirmed against MiniMax's public product roadmap.

How the Hydra Cluster Architecture Works

Access to Claude is commercially restricted in China. To work around this, the labs used proxy services that resell API access at scale. These services operate what Anthropic calls a "hydra cluster": a sprawling network of fraudulent accounts distributed across Anthropic's API and third-party cloud platforms.

The design is deliberately resilient. When one account is banned, another replaces it. In one case, a single proxy network managed more than 20,000 fraudulent accounts simultaneously, mixing distillation traffic with unrelated customer requests to dilute the signal. Detection requires looking at patterns across accounts, not just individual requests.

That prompt looks benign in isolation. The signal is repetition: tens of thousands of variations arriving across hundreds of coordinated accounts, all targeting the same narrow capability. Volume concentrated in few areas, repetitive structures, and content mapped precisely to training value. That is the fingerprint of a distillation attack.

Key Insight: The distinguishing feature of a distillation attack is not any single prompt but the statistical pattern across thousands of accounts: narrow capability targeting, high prompt repetition, and precise alignment with what is most valuable for model training. Single-request moderation cannot catch this. It requires behavioral fingerprinting at the account-graph level.

Anthropic's Response: Four Tracks

Anthropic's defensive approach operates on four fronts. First, detection: classifiers and behavioral fingerprinting systems designed to identify distillation patterns in API traffic, including specific detection for chain-of-thought elicitation and coordinated account activity. Second, intelligence sharing: technical indicators shared with other AI labs, cloud providers, and relevant authorities to build a broader view of the distillation landscape.

Third, access controls: stronger verification for educational accounts, security research programs, and startup organizations, which were the most common pathways exploited for fraudulent account creation. Fourth, countermeasures: product, API, and model-level safeguards designed to reduce the utility of Claude's outputs for illicit distillation without degrading legitimate use.

Key Insight: The fourth track, model-level countermeasures, is the most technically novel. Anthropic is developing ways to reduce the value of its own outputs for training competitor models, without changing the experience for legitimate users. This is an adversarial training problem applied to outputs rather than inputs.

Open Question: If model-level countermeasures reduce distillation value, a natural next step for attackers is to use multiple models together to triangulate what each one individually withholds. The arms race between distillation attacks and defenses may shift from access control to output design.

The Deeper Implication

The most significant finding in this report is not the scale of the attacks, though 16 million stolen exchanges is substantial. It is that Anthropic caught MiniMax while the campaign was live and watched the lab pivot in real time after a new model launch. That level of observability is new, and it changes what is possible for defensive response.

The problem Anthropic is describing, frontier capabilities proliferating without safety training, is not solved by catching individual campaigns. It requires the same coordinated infrastructure the attackers have: shared intelligence, industry-wide behavioral fingerprinting, and policy levers that make the cost of hydra cluster operations prohibitively high. The report is, at its core, a request for that coordination.

ResearchAudio.io | Technical AI research briefings Source: Anthropic, Detecting and Preventing Distillation Attacks (Feb 24, 2026)