AI Giants Report Coordinated ‘Distillation Attacks’ Targeting Frontier Models
Leading artificial intelligence laboratories, including Google DeepMind, OpenAI, and Anthropic, have reported sophisticated, large-scale “distillation attacks” targeting their most advanced AI models. These attacks, allegedly orchestrated by several entities including Chinese AI firms DeepSeek, Moonshot AI, and Minimax, aim to illicitly extract proprietary AI capabilities, raising significant national security concerns.
Understanding AI Distillation: A Double-Edged Sword
AI distillation is a legitimate and widely used technique where a smaller, less capable AI model is trained on the outputs of a larger, more powerful model. This process allows companies to create more efficient and cost-effective versions of their AI for broader consumer use. For instance, Google DeepMind has successfully distilled capabilities into its Gemini 3.1 Pro model. However, the same technique can be weaponized.
Illicit distillation allows competitors to acquire advanced AI functionalities in a fraction of the time and cost it would take to develop them independently. This bypasses the immense research and development efforts, including extensive safety training and the implementation of safeguards, that go into creating frontier AI models.
National Security Risks: Stripped Safeguards and Proliferated Dangers
Anthropic, in its detailed report, highlighted the critical national security risks associated with these illicit attacks. “Illicitly distilled models lack necessary safeguards, creating significant national security risks,” the company stated. AI labs like Anthropic invest heavily in building systems to prevent AI from being used for developing bioweapons or carrying out malicious cyber activities. Models created through illicit distillation are unlikely to retain these crucial protections, potentially enabling dangerous capabilities to proliferate without any safety measures.
The implications are particularly concerning as AI capabilities advance towards what Anthropic terms ASL-4, where models become capable of recursive self-improvement. If unchecked, distilled models could be weaponized by state and non-state actors for offensive cyber operations, disinformation campaigns, mass surveillance, or even the design of novel biological threats and zero-day exploits. The risk is amplified if these distilled models are open-sourced, spreading dangerous capabilities globally beyond any single government’s control.
The Attackers and Their Methods
Anthropic identified specific entities involved in these large-scale campaigns: DeepSeek, Moonshot AI, and Minimax. According to Anthropic’s findings:
- DeepSeek: Allegedly conducted over 150,000 exchanges, employing techniques to analyze reasoning capabilities across diverse attacks. Evidence suggests coordinated efforts, including synchronized traffic and identical patterns across numerous fraudulent accounts, pointing to load balancing for increased throughput and detection avoidance. A notable technique involved prompting Claude to articulate its internal reasoning process, effectively generating chain-of-thought training data at scale.
- Moonshot AI: Reportedly used hundreds of fraudulent accounts across multiple access pathways, targeting agentic reasoning, tool use, coding, data analysis, computer vision, and agent development. The company allegedly matched request metadata to public profiles of its senior staff. Later phases involved a more targeted approach to reconstruct Claude’s reasoning traces.
- Minimax: Engaged in approximately 13 million exchanges, identified through request metadata and infrastructure indicators. Minimax’s campaign was detected while active, providing Anthropic visibility into the entire lifecycle of the distillation attack, from data generation to model launch. When Anthropic released a new model during Minimax’s active campaign, the attackers reportedly pivoted within 24 hours, redirecting nearly half their traffic to extract capabilities from the new system.
These attacks often involve sophisticated prompt engineering, such as instructing the AI to act as an expert with specific analytical goals and transparent reasoning, repeated thousands of times across coordinated accounts to extract narrow capabilities.
A Coordinated Revelation and Political Timing
The reports from Google, OpenAI, and Anthropic emerged within a short timeframe. On February 12th, Google DeepMind announced an increase in model extraction attempts, labeling them a violation of their terms of service. On the same day, OpenAI warned U.S. lawmakers that Chinese AI startup DeepSeek was targeting ChatGPT and other leading AI companies for model replication.
A week later, Anthropic released its findings detailing the specific campaigns by DeepSeek, Moonshot AI, and Minimax. This coordinated release has led to speculation about its timing, particularly in relation to a U.S. policy shift. On January 14th, the Trump administration reportedly eased restrictions on the export of advanced AI chips to China under specific conditions, a move that has faced congressional opposition due to concerns it could erode the U.S. AI advantage.
This confluence of events has fueled debate, with some analysts suggesting the AI labs’ announcements could be a form of lobbying to influence ongoing policy discussions regarding export controls and AI development. The argument posits that by highlighting the threat of illicit distillation, these companies aim to persuade policymakers to maintain or tighten restrictions, thereby preserving their competitive edge.
Public Reaction and Counterarguments
The revelations have sparked a divided public reaction. Many critics have accused Anthropic of hypocrisy, pointing out that AI models themselves are trained on vast amounts of publicly available data, including copyrighted material scraped from the internet. The argument is that if AI companies can use the internet’s data, they should not prevent other AIs from learning from their outputs.
Counterarguments suggest that the scale of data extraction might be overstated for political purposes, or that the attacks were highly targeted and surgical rather than brute-force. Some experts question whether 16 million exchanges, out of billions processed daily, is sufficient to replicate frontier capabilities. However, others argue that if such a small sample size is enough, it points to a fundamental vulnerability in the public API itself, making detection and prevention extremely difficult.
Furthermore, there are claims and past incidents suggesting a pattern of intellectual property theft from China, including a recent case of a Google AI engineer arrested for selling trade secrets. This historical context lends credence to the concerns raised by U.S. AI labs.
Why This Matters: The Future of AI Access
The implications of these distillation attacks extend to the future accessibility of advanced AI. The demonstrated ability for sophisticated actors to extract capabilities from public APIs, even with security measures in place, could accelerate a trend towards a more restricted AI ecosystem.
Companies may increasingly choose to keep their most advanced, frontier models private, accessible only through highly controlled enterprise or government channels. This would create a two-tiered AI system: a public tier with models several generations behind the cutting edge, and a private, classified tier for vetted entities like defense contractors, financial institutions, and pharmaceutical companies. Such a move, potentially driven by national security imperatives and the desire to prevent catastrophic misuse, could lead to a significant concentration of AI power.
The debate underscores a fundamental tension between open innovation and the need for robust security in the rapidly evolving field of artificial intelligence. As AI capabilities grow, the challenges of controlling their proliferation and preventing misuse become increasingly complex, shaping the future landscape of technology and global security.
Source: Google, OpenAI & Anthropic All Reported the Same Threat (YouTube)
