16 Million Queries: How China's AI Labs Used Claude as a Textbook
The full story behind Anthropic's disclosure of industrial-scale distillation attacks by DeepSeek, Moonshot AI, and MiniMax — 24,000 fake accounts, a "hydra cluster" infrastructure, and the blurry line between legal and illegal model training.
AI-assisted draft · Editorially reviewedThis blog content may use AI tools for drafting and structuring, and is published after editorial review by the Trensee Editorial Team.
Prologue: The Most Diligent Student
One day in February 2026, Anthropic's security team detected an anomalous signal. Somewhere, an extraordinarily systematic flood of questions was being directed at Claude — not out of curiosity, but with clear intent. "Reason through this problem step by step." "Complete this coding task using an agentic approach." "Explain exactly how to use this tool." Every query was precisely calibrated to extract Claude's most differentiated capabilities.
The investigation revealed that three Chinese AI companies — DeepSeek, Moonshot AI, and MiniMax — had deployed over 24,000 fraudulent accounts to conduct more than 16 million exchanges with Claude. This article covers the how: the methods, the infrastructure, and the full anatomy of the attack.
1. What Happened: The Overview
Timing and Context
Anthropic published its findings on February 23, 2026. The timing was notable. The disclosure came as the US government was actively debating AI chip export controls, and OpenAI simultaneously submitted a letter to Congress warning of "industrial-scale distillation campaigns" by Chinese AI firms.
As of the time of reporting, DeepSeek, Moonshot AI, and MiniMax had not issued official responses.
The Numbers
| Company | Exchanges | Primary Target Capabilities |
|---|---|---|
| DeepSeek | 150,000+ | Logical reasoning, reward modeling (rubric grading), censorship-safe query generation |
| Moonshot AI | 3.4M+ | Agentic reasoning, tool use, coding, computer vision |
| MiniMax | 13M+ | Agentic coding and tool use (largest volume) |
| Total | 16M+ | 24,000+ fake accounts |
2. The Core Method: What Is Model Distillation?
Where Legal Ends and Illegal Begins
Model distillation is a legitimate machine learning technique: train a smaller, less capable model on the outputs of a larger, more capable one. When applied to your own models, it is entirely lawful and widely used across the industry to produce efficient, smaller versions of larger systems.
The line is crossed when a competitor's model outputs are used without authorization. Claude's API Terms of Service explicitly prohibit using API responses to train competing models. This case represents what may be the largest documented, systematic violation of that boundary to date.
DeepSeek's Distinctive Technique: Make It Think Out Loud
DeepSeek appears to have used a method distinct from the other two companies: Chain-of-Thought Elicitation. By prompting Claude to reason through problems step by step — "think through this carefully before answering" — DeepSeek harvested not just answers but Claude's reasoning process itself as training data.
Anthropic also noted that DeepSeek's queries included requests for help generating "censorship-safe alternatives" to politically sensitive topics — questions about dissidents, party leadership, and authoritarianism — with the apparent goal of bypassing content restrictions in their own model.
3. How They Tried to Stay Hidden: The Hydra Cluster
Infrastructure Design
All three campaigns shared a similar infrastructure pattern that Anthropic termed the "Hydra Cluster" architecture. The core structure:
[Attacker Server]
│
▼
[Proxy Network] ──── manages 20,000+ fake accounts simultaneously
│ │ │
▼ ▼ ▼
[Claude API] [Claude API] [Claude API]
(Account A) (Account B) (Account C)
A single network managed over 20,000 fake accounts concurrently, distributing traffic so that each individual account looked within normal usage bounds. If one account triggered a detection signal, the rest of the cluster continued operating uninterrupted — a structure named after the mythological Hydra, whose severed heads always grew back.
Evasion Tactics
- Traffic distribution: Kept per-account query volumes within normal user ranges
- Proxy routing: Concealed real IP addresses behind proxy services
- Credential cover: Accounts registered under the guise of legitimate research or educational use
4. How Anthropic Detected Them
Detection Methodology
Anthropic disclosed four signal types used in cross-analysis to identify the campaigns:
- IP address correlation: Different accounts accessing Claude from the same IP ranges or proxy services
- Request metadata analysis: Abnormal regularity in headers, timestamps, and request patterns
- Behavioral fingerprinting: Identification of repetitive, systematic query patterns across accounts
- Synchronized traffic: Similar queries fired simultaneously from coordinated account clusters
Anthropic also noted that intelligence sharing with industry partners contributed to detection — suggesting that information from OpenAI and other firms helped triangulate the attack patterns.
Response Actions
- Built and deployed classifiers for distillation attack pattern detection
- Strengthened verification requirements for educational and research account registrations
- Developing model-level safeguards to reduce distillation signal quality
- Shared technical indicators with industry partners and authorities
5. Six-Month Outlook: Three Scenarios
Scenario 1: Regulatory and Legal Escalation (Probability: 65%)
Anthropic's public disclosure is likely to be used as evidence in US Congressional debate over AI chip export controls. OpenAI's concurrent letter to Congress reinforces this direction. However, actual litigation faces significant hurdles: jurisdiction over Chinese entities is complex, and the legal protectability of AI model outputs remains unsettled.
Scenario 2: Arms Race in API Defense Technology (Probability: 80%)
With distillation attacks now officially confirmed at scale, major AI companies are expected to accelerate investment in API-level defenses — output watermarking, response pattern perturbation, and real-time anomaly detection. These measures may affect API service complexity and cost for legitimate users.
Scenario 3: Chinese AI Labs Pivot to Independent Data Strategies (Probability: 55%)
In the short term, evasion techniques may be refined. Over the medium term, if access to US AI models becomes significantly restricted, there is likely growing pressure to develop independent synthetic data generation methodologies — reducing reliance on frontier model distillation altogether.
6. Decision-Making Guide
If You Provide an AI API Service
| Check Question | If Yes: Priority Action |
|---|---|
| Does your ToS prohibit use of API responses for competing model training? | Establish a ToS violation monitoring framework |
| Do you have anomalous bulk API call detection in place? | Implement per-account query pattern anomaly detection |
| Have you evaluated output watermarking technology? | Begin assessment of model output traceability options |
| Do you share anomalous traffic intelligence with industry peers? | Explore joining AI security information sharing channels |
If Your Organization Uses the Claude API
| Check Question | If Yes: Priority Action |
|---|---|
| Have you reviewed Claude's API Terms of Service recently? | Check for material changes to usage restrictions |
| Is your API key management policy documented? | Audit internal API key access permissions |
| Do you know the training data provenance of external AI tools you use? | Conduct an AI supply chain risk review |
7. What Not to Overestimate
Risk 1: "Distillation made them equivalent to Claude"
Training on 16 million queries does not mean Claude's full capability set was replicated. Distillation can meaningfully improve specific skills, but it does not transfer overall alignment quality, the breadth of a knowledge base, or general reasoning depth. Anthropic itself flagged that the distilled models likely absorbed targeted capabilities without the corresponding safety guardrails — a concern, but a different one than wholesale capability transfer.
Risk 2: Generalizing to all Chinese AI companies
The accusations are explicitly limited to three companies: DeepSeek, Moonshot AI, and MiniMax. Extending this to characterize the entire Chinese AI ecosystem would be an unsupported generalization.
Risk 3: Casting Anthropic as a straightforward victim
Several outlets, including Futurism, noted that Anthropic itself faces questions about the transparency of data used to train Claude. This is part of a broader structural debate about training data ethics across the AI industry — one that applies well beyond this specific incident.
8. Epilogue: The First Official Salvo in a War Without Rules
Model distillation from competitor systems has long been an open secret in the AI industry — a gray zone everyone knew about but no one named publicly. Anthropic's disclosure represents the first attempt to formally draw a line in that gray zone.
Whether that line will hold remains unclear. Whether it carries legal force, whether it leads to regulation, or whether it simply triggers a technical arms race — the shape of those outcomes will only emerge over the coming months.
One thing seems certain: protecting AI model capabilities has moved beyond the scope of API terms of service and into the domain of geopolitics and industrial policy. Part 2 of this series examines the structural conditions that made this possible — the architecture of the US–China AI competition and why this gray zone existed in the first place.
Key Action Summary
| Role | Check Now | Review Within 3 Months |
|---|---|---|
| AI Service Developer | Confirm ToS prohibition on competitor model training | Evaluate anomalous traffic detection logic |
| Enterprise AI Adoption Lead | Review terms of external AI services currently in use | Build AI supply chain risk assessment framework |
| AI Policy / Strategy Lead | Read Anthropic's primary disclosure and OpenAI's Congressional letter | Monitor US AI chip export control developments |
| Security Lead | Audit API key management and access permissions | Explore AI security information sharing channels |
Frequently Asked Questions
Q1. Is model distillation illegal by default?
No. Distillation is a legitimate machine learning technique. Training a smaller in-house model on outputs from a larger in-house model is standard practice. What makes this case problematic is the unauthorized use of a third party's (Anthropic's) model outputs. Claude's API Terms of Service explicitly prohibit using API responses to train competing AI models.
Q2. Why did MiniMax account for the largest share — 13 million exchanges?
According to Anthropic's disclosure, MiniMax focused on agentic coding and tool use. Coding-related tasks tend to require multiple iterative exchanges to produce a single usable output, naturally inflating query counts. That said, a higher query count does not proportionally equal greater capability transfer.
Q3. Can Anthropic pursue legal action?
Potentially, but with significant complications. The most viable path would be a civil lawsuit for ToS breach and related damages. However, the defendants are Chinese entities, raising complex jurisdictional issues. The legal protectability of AI model outputs under copyright law also remains unsettled. It is also plausible that the public disclosure was designed to generate regulatory and political pressure rather than serve as a prelude to litigation.
Q4. Can these attacks be fully prevented?
The industry consensus is that complete prevention is technically difficult. Anthropic has committed to strengthening detection and defense, but sophisticated attackers can adapt their methods as defenses evolve. Watermarking, response perturbation, and real-time anomaly detection are all active research areas — but no comprehensive solution exists today.
Related Reading
- DeepSeek V4 Release: What the Signals Mean
- Open vs. Closed AI Stacks: A Deep Dive
- Claude Opus & Sonnet 4.6: What Changed
- Enterprise AI Governance: Pre-Adoption Checklist
Series Guide
- Part 1 (this article): Methods & Tech — How it was done
- Part 2 (scheduled 2026-02-26): Structure & Competition — Why it was possible (the gray zone of US–China AI rivalry)
- Part 3 (scheduled 2026-02-27): Regulation & Future — How AI model protection will change
Update Notes
- Content reference date: 2026-02-25 (KST)
- Update cadence: as significant developments occur
- Next scheduled review: 2026-03-10
References
- Anthropic official disclosure: https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks
- TechCrunch: https://techcrunch.com/2026/02/23/anthropic-accuses-chinese-ai-labs-of-mining-claude-as-us-debates-ai-chip-exports/
- CNBC: https://www.cnbc.com/2026/02/24/anthropic-openai-china-firms-distillation-deepseek.html
- Fortune: https://fortune.com/2026/02/24/anthropic-china-deepseek-theft-claude-distillation-copyright-national-security/
- The Hacker News: https://thehackernews.com/2026/02/anthropic-says-chinese-ai-firms-used-16.html
Execution Summary
| Item | Practical guideline |
|---|---|
| Core topic | 16 Million Queries: How China's AI Labs Used Claude as a Textbook |
| Best fit | Prioritize for AI Ethics & Policy workflows |
| Primary action | Map data flows and identify personal data touchpoints before deployment |
| Risk check | Cross-check compliance against GDPR, CCPA, or sector-specific regulations that apply |
| Next step | Schedule a legal review checkpoint at each major system milestone |
Data Basis
- Scope: Anthropic official disclosure (2026-02-23), cross-verified against 6+ major outlets including TechCrunch, CNBC, Bloomberg, Fortune, and The Hacker News
- Evaluation axes: attack scale (query count, account count), targeted capabilities, infrastructure method, and detection methodology
- Verification standard: only claims consistent across Anthropic primary source and multiple outlets are stated as fact; unverified claims use hedged language
Key Claims and Sources
Claim:Three Chinese AI firms generated over 16 million exchanges with Claude using 24,000+ fraudulent accounts
Source:Anthropic official disclosureClaim:A single proxy network managed over 20,000 fake accounts simultaneously in a hydra cluster architecture
Source:Anthropic official disclosureClaim:OpenAI submitted a letter to US Congress in the same week warning of industrial-scale distillation campaigns by Chinese AI firms
Source:CNBC
External References
Have a question about this post?
Ask anonymously in our Ask section.