Anthropic detailed three “industrial-scale” AI model distillation campaigns by overseas labs designed to extract capabilities from Claude.
These competitors generated over 16 million exchanges using approximately 24,000 fraudulent accounts. Their goal was to obtain proprietary logic to improve competing platforms.
The extraction technique, known as distillation, involves training a weaker system based on the high-quality output of a more powerful system.
Legally applied, distillation allows companies to build smaller, cheaper versions of their applications for their customers. However, malicious actors exploit this method to gain powerful functionality at a fraction of the time and cost required for independent development.
Protect your intellectual property like Claude at Anthropic
Unmitigated distillation poses significant intellectual property challenges. Anthropic has blocked commercial access in China for national security reasons, so attackers circumvent regional access restrictions by deploying commercial proxy networks.
These services run an architecture that Anthropic calls a “Hydra Cluster,” which distributes traffic across APIs and third-party cloud platforms. The extensive reach of these networks means there is no single point of failure. As Anthropic pointed out, “If one account is banned, a new account will take its place.”
In one case identified, a single proxy network was managing over 20,000 fraudulent accounts simultaneously. These networks mix distilled traffic from AI models with standard customer requests to evade detection. This has a direct impact on enterprise resiliency and requires security teams to rethink how they monitor cloud API traffic.
Illegally trained models also bypass established safety guardrails, posing significant national security risks. For example, U.S. developers are building protections to prevent state and non-state actors from using these systems to develop biological weapons or carry out malicious cyber activities.
Clone systems lack the protections implemented in systems like Anthropic’s Claude, allowing dangerous features to flourish while completely stripped of protections. Foreign competitors could supply these unprotected capabilities to military, intelligence, and surveillance systems, allowing authoritarian governments to deploy them in offensive operations.
Once these distilled versions are open sourced, the danger increases further as their functionality can spread freely beyond the control of a single government.
Illegal mining causes foreign companies, including those controlled by the Chinese Communist Party, to lose competitive advantages protected by export controls. Without visibility into these attacks, rapid advances by foreign developers can be mistakenly perceived as innovations that circumvent export controls.
In reality, these advances rely heavily on the large-scale extraction of U.S. intellectual property, an effort that still requires access to advanced chips. Restricting access to the chip limits both direct model training and the scale of illegal distillation.
A playbook for distilling AI models
Perpetrators followed a similar operational plan, using fraudulent accounts and proxy services to access large systems while evading detection. The amount, structure, and focus of the prompts differ from normal usage patterns and reflect intentional feature extraction rather than legitimate use.
Anthropic believed these campaigns targeted Claude through IP address correlation, request metadata, and infrastructure metrics. Each operation targeted highly differentiated functionality, such as agent reasoning, tool usage, and coding.
One campaign generated over 13 million exchanges targeting agent coding and tool orchestration. Anthropic detected this operation while it was still active and mapped the timing against a competitor’s public product roadmap. When Anthropic released a new model, its competitors pivoted within 24 hours and redirected nearly half of their traffic to extract functionality from their latest systems.
Another operation generated more than 3.4 million requests focused on computer vision, data analytics, and agent inference. The group used hundreds of different accounts to obscure its organizational efforts. Anthropic believed the campaign was carried out by matching the request’s metadata to public profiles of senior staff at foreign laboratories. In a subsequent phase, this competitor attempted to extract and reconstruct the inference traces of the host system.
According to Anthropic, the third AI model distillation campaign for Claude extracted reasoning ability and rubric-based grading data across more than 150,000 interactions. The group forced the targeted systems to plan their internal logic step by step, effectively generating large amounts of thought chain training data. We also trained our own system to extract censorship-safe alternatives to politically sensitive questions and steer conversations away from restricted topics. The perpetrators generated synchronous traffic using identical patterns and shared payment methods to enable load balancing.
By requesting metadata for this third campaign, we were able to trace these accounts back to specific researchers at the institute. These requests often seem innocuous on their own, such as prompts asking the system to act as a professional data analyst providing fully inferential insights. But when variations of that exact prompt arrive tens of thousands of times across hundreds of tailored accounts targeting the same narrow feature, the extraction pattern becomes clear.
Large volumes concentrated in specific areas, highly repetitive structure, and content that maps directly to training needs are hallmarks of a distillation attack.
Introducing practical defenses
To protect your enterprise environment, you must employ layered defenses to make such extraction efforts harder to perform and easier to identify. Anthropic advises implementing behavioral fingerprinting and traffic classifiers designed to identify distilled patterns of AI models in API traffic.
IT leaders should also strengthen their validation processes for common vulnerability vectors such as educational accounts, security research programs, and startups.
Companies must integrate product-level and API-level safeguards designed to reduce the effectiveness of model outputs against illicit distillation. This must be done without degrading the experience of your legitimate paying customers.
Detecting coordinated activity across a large number of accounts is an absolute necessity. This includes specifically monitoring the continuous elicitation of thought chain outputs used to construct inference training data.
As these attacks increase in intensity and sophistication, cross-industry collaboration also remains essential. This requires rapid and coordinated intelligence sharing between AI labs, cloud providers, and policymakers.
Anthropic announced findings that Claude was the target of an AI model distillation campaign to provide a more complete picture of the situation and make evidence available to all parties. Treating AI architectures with strict access controls allows technical professionals to maintain a competitive edge while ensuring continuous governance.
See: How a disconnected cloud improves AI data governance
Want to learn more about AI and big data from industry leaders? Check out the AI & Big Data Expos in Amsterdam, California, and London. This comprehensive event is part of TechEx and co-located with other major technology events such as Cyber Security & Cloud Expo. Click here for more information.
AI News is brought to you by TechForge Media. Learn about other upcoming enterprise technology events and webinars.
