A couple days ago, Anthropic publicly called out DeepSeek and two lesser-known Chinese AI labs, Moonshot AI and MiniMax, for conducting "industrial-scale distillation attacks": systematically using Anthropic's own models as training data to build their own.
Regardless of whether you think Anthropic 'deserves' this (given their own alleged theft of intellectual property to train those frontier models) or you're genuinely alarmed that China is systematically siphoning Western AI capabilities, what I want to dig into is exactly what's happening, why Chinese companies are doing it, and what Anthropic can realistically do to stop it.
So, if you're still with me, let's get started.
What Is Distillation?
Model distillation is how you train a weaker model to behave like a stronger one without access to the original architecture or training data.
You call the frontier model at scale, record its outputs, and use those outputs as training data for your own model. The student learns to replicate the teacher's behavior. Not by copying its weights, but by learning from its answers.
The technique isn't new or uniquely Chinese. Western labs use it extensively, internally. OpenAI used o1 to generate training data for o3 and o4-mini. The practice is legitimate and powerful, which is exactly why every major AI provider explicitly bans using their APIs for external model distillation in their terms of service.
Why Chinese Labs Do It
Training a frontier model from scratch costs between $50M and $200M, with projections pushing toward $1B+ for the largest runs by 2027, and that's assuming you can get the hardware. Since 2022, US semiconductor export controls have progressively restricted Chinese access to the NVIDIA H100s, H200s, and new Blackwell series chips that power those training runs.
Chinese labs, denied the hardware and blocked from the APIs, have found a more efficient route.
Rather than build from scratch, they build on top of what already exists. Over the last couple of years, Meta, Mistral, and others have released powerful open-source models that anyone can download and extend. Llama 3, Meta's flagship open-source model, was trained on trillions of tokens and holds its own against closed models from just a year ago. The expensive work of building that foundation is already done and freely available.
What's changed recently is where frontier intelligence actually comes from. Until about 2024, a model's capability was largely a function of how much compute went into pre-training. That's no longer true. The techniques that matter now are things like reinforcement learning from human feedback, where the model is trained on outputs that human reviewers prefer, and reinforcement learning from verifiable outcomes, where it learns by checking its answers against known correct ones. These are the layers that turn a capable base model into something that can reason through hard problems, write reliable code, or hold a complex argument together. And these are the capabilities distillation transfers most efficiently.
For Chinese labs boxed in by export controls and API blocks, this has become the default strategy: harvest outputs from models like Claude at industrial scale, use that data to post-train their own models, and emerge with near-frontier capability at a fraction of the cost.
What (if anything) Can Anthropic Do About It?
The API is already restricted in China, and every major provider explicitly bans distillation in their terms of service. Anthropic, OpenAI, and Google all enforce this, banning accounts when patterns emerge. But 24,000+ fraudulent accounts and 16 million+ Claude exchanges later, it's clear that determined actors using proxies (hello Astrill VPN!) and account rotation can still scale up.
In their February 23, 2026 blog post, Anthropic outlined what they're doing about it. They're investing in bunch of stuff that would bore you to read, so I'll save you the time and skip it. In general, they'll take steps to slow things down and degrade what gets through. But on an open internet with cheap proxies and determined actors, they really can't stop it.
One 'problem' for Chinese model companies using this method, is that distillation doesn't let anyone leapfrog the frontier. The student can't become the master. It's a catch-up mechanism, fast, cheap, and genuinely effective at closing gaps, but it's still derivative. Chinese labs are always training on last month's best models, not this month's. The gap narrows, but it never closes from inside.
For Western labs, the real race isn't about sealing every leak. It's about staying far enough ahead that even the best-executed distillation is always one step behind. Whether they can maintain that margin, given open-source releases, hardware improvements, and the pace of post-training research, is the actual question. And honestly, it's not obvious they can.