Anthropic says Chinese AI labs used 24,000 fake accounts to pull more than 16 million Claude exchanges, and Washington's Fable 5 fight shows why model access is now being treated like an export control problem.
The uncomfortable part of Anthropic's February 2026 disclosure isn't that distillation exists. Everyone in AI knows it exists. The uncomfortable part is that DeepSeek, Moonshot AI and MiniMax allegedly got far enough to generate more than 16 million Claude exchanges before Anthropic publicly described the campaigns and the defenses it had built after finding them.
According to Anthropic, the three Chinese companies used about 24,000 fraudulent accounts and commercial proxy services to work around restrictions on Chinese access to Claude. The company said it tied the activity to the firms through IP address patterns, request metadata and infrastructure fingerprints. You don't need to accept every word of a vendor's attribution as gospel to see the problem. If the numbers are right, the wall was already breached before the guard wrote the report.
DeepSeek's alleged extraction was aimed at Claude's reasoning and rubric-based grading. Anthropic also said DeepSeek used more than 150,000 exchanges to produce censorship-safe responses to politically sensitive questions about dissidents and party leadership. Moonshot AI targeted agentic reasoning, tool use and computer vision across 3.4 million exchanges. MiniMax, according to the same disclosure, ran the largest campaign, more than 13 million exchanges focused on agentic coding.
These weren't random chatbot prompts. They were specific capability grabs.
Distillation can be perfectly ordinary. A weaker model learns from the outputs of a stronger one, and the smaller system can improve without repeating the full cost of frontier training. But when that technique is run through fake accounts at industrial scale, it stops looking like research hygiene and starts looking like a shortcut around the very chip controls Washington keeps tightening. OpenAI made a similar accusation against DeepSeek in a memo to House lawmakers in February, according to reports at the time.
Here's the thing: catching an operation after 16 million exchanges is not the same as stopping it. Anthropic's disclosure showed better detection than most companies would ever talk about publicly, but the data had already been generated. If those exchanges were saved and used for training, there is no realistic way to claw them back. The labs kept the lesson material.
That is why the June 2026 fight over Anthropic's Fable 5 and Mythos 5 models matters. Business Insider reported this week that legal tech startup Legion sued the US government after a federal directive restricted access to Anthropic's advanced models for foreign nationals, including Canadian workers the company relied on. Earlier reporting said Anthropic initially disabled the models more broadly while trying to comply with the order, then restored some Fable 5 access with stricter nationality controls.
The government's concern was not theoretical. Wired reported that Fable 5 was suspended on June 12 over security concerns involving jailbreaks that could enable access to the more powerful Mythos model. AP reported that Sen. Mark Warner discussed a government test in which Mythos found vulnerabilities in classified systems, though the account described a controlled security exercise rather than an unauthorized break-in. Those distinctions matter. A red-team result is not a cyberattack. But it is exactly the kind of result that makes officials nervous when the model is available through a commercial interface.
The weak point is access
Export controls on Nvidia chips still hurt Chinese labs. DeepSeek founder Liang Wenfeng has been quoted before saying the company's problem was not money but access to advanced chips. That pressure is real. But if a competitor can buy or fake its way into millions of interactions with an American frontier model, chip controls are only part of the story.
The hard part is that model access is much messier than hardware access. A chip has a shipment record, a customs checkpoint and a physical destination. An API call can come through a proxy, a reseller, a stolen account or a worker in a country the provider is allowed to serve. Terms of service are useful in court and weak at the edge of a determined technical campaign.
Frankly, this is where the industry has been too comfortable. Frontier labs sell global access because revenue and developer adoption matter. Governments then ask those same companies to behave as if every powerful model is a controlled technology stack. Both demands cannot sit neatly together once models can write code, use tools and help find software flaws.
There is an obvious irony in the Fable 5 restrictions. As TechCrunch noted, blocking access to a leading American model can push customers toward open or cheaper alternatives from Chinese labs, including DeepSeek and Moonshot. A security measure meant to preserve US advantage can create market space for the competitors it is supposed to contain.
Anthropic says it is improving detection, account verification and behavioral fingerprinting. It should. So should OpenAI, Google and every other frontier lab selling model access through APIs. But the defensive math is ugly. The attacker only needs enough clean output for the next training run. The defender has to catch the pattern before the data has value.
That is the real lesson from Anthropic's distillation problem. Washington can restrict chips, and now it is willing to restrict model access. But if the public internet remains the delivery channel for frontier capability, the next extraction campaign will not need to defeat the whole American AI stack. It will only need to look like ordinary usage long enough.
Also read: An AI law firm just beat two lawyers in court for £400 and the legal industry should be paying attention • Dubai Holding is in talks to buy into Hscale as Gulf capital moves to lock up Europe's AI infrastructure before the buildout peaks • Figma turns its design canvas into a coding environment at Config 2026
