Anthropic: Alibaba made 29 million fake queries to clone Claude


Training a frontier artificial intelligence (AI) model costs billions of dollars and years of research. Reproducing a large part of its behavior can cost a fraction of that, if you have access to enough of its output. That gap is what makes model distillation, a technique that trains a smaller AI system on the responses of a stronger one, an economic problem, and it is Anthropic's highlight of the week.

Anthropic has accused operators affiliated with Alibaba and its in-house AI lab of conducting the largest known distillation campaign against Claude models to date, CNBC reported. The alleged operation ran from April 22 to June 5 and generated more than 28.8 million interactions with Claude through nearly 25,000 fraudulent accounts.

The scale puts the alleged campaign in a different category from what came before. In February, Anthropic named three Chinese AI labs, DeepSeek, Moonshot AI and MiniMax, that together generated more than 16 million Claude interactions through nearly 24,000 fraudulent accounts, according to a blog post. Alibaba's alleged campaign alone dwarfs that combined total, in just six weeks.

How 25,000 fake accounts extracted Claude's core intelligence

The distillation method is simple. The campaign sends large volumes of carefully crafted prompts to the target model and captures its responses. Those responses become training data. The competing model learns to reason and respond in ways that mimic the original, without paying for the research the original is built on. It's less like hacking the system and more like sitting next to the best student in the class and copying every answer they write, on an industrial scale.

Detection is difficult. A distillation query looks identical to a legitimate one. A developer asks Claude for help debugging a function, and a campaign that systematically mines Claude's coding behavior sends the same type of request. The only indication is the pattern: huge volume, repetitive structures, and queries targeting the same narrow capabilities, coming from hundreds of sequentially formatted accounts. "As organizations increasingly integrate LLMs into their core operations, the proprietary logic and specialized training of these models have emerged as high-value targets," Google's Threat Intelligence Group warned in a February blog post, PYMNTS reported.
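The signals named above (volume, repetitive prompt structure, narrow capability focus, sequentially numbered accounts) can be turned into a simple clustering check over API request logs. The following is an added example written for this article; it is not Anthropic's detection code, and the log lines, the pipe-separated log format, the `acct0001`-style account names and the thresholds are all constructed for illustration. The prompt "skeleton" (first and last few words) is a deliberately crude stand-in for whatever similarity measure a real platform would use.

```python
import re
from collections import Counter, defaultdict

# Constructed sample API log lines (account|capability|prompt). These are made up for
# this example and are not from Anthropic's logs. The acct0001.. accounts imitate the
# sequentially named, narrowly focused accounts the article describes.
SAMPLE_LOG = """\
dev-alice|coding|Why does my Flask app return a 500 on POST?
dev-bob|writing|Draft a polite follow-up email to a vendor about a late invoice.
acct0001|coding|Write a Python function that parses ISO-8601 dates. Explain step by step.
acct0002|coding|Write a Python function that reverses a linked list. Explain step by step.
acct0003|coding|Write a Python function that merges two sorted lists. Explain step by step.
acct0004|coding|Write a Python function that validates an email address. Explain step by step.
acct0005|coding|Write a Python function that computes a CRC32 checksum. Explain step by step.
acct0006|coding|Write a Python function that flattens a nested dict. Explain step by step.
dev-carol|coding|How do I mock datetime.now() in pytest?
"""


def parse_log(text):
    """Yield (account, capability, prompt) tuples from the pipe-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        account, capability, prompt = line.split("|", 2)
        yield account, capability, prompt


def prompt_skeleton(prompt, head=4, tail=3):
    """Crude structural fingerprint: the first `head` and last `tail` words, lowercased.
    Prompts generated from one template share a skeleton even when the middle varies."""
    words = re.findall(r"[a-z0-9']+", prompt.lower())
    if len(words) <= head + tail:
        return " ".join(words)
    return " ".join(words[:head] + ["..."] + words[-tail:])


def account_family(account):
    """Collapse digit runs so acct0001, acct0002, ... map to the same family 'acct#'."""
    return re.sub(r"\d+", "#", account)


def is_sequential(accounts):
    """True if the numeric parts of the account names form an unbroken run."""
    nums = []
    for a in accounts:
        m = re.search(r"\d+", a)
        if m:
            nums.append(int(m.group()))
    nums = sorted(set(nums))
    return len(nums) >= 2 and nums == list(range(nums[0], nums[0] + len(nums)))


def score_families(text):
    """Aggregate, per account family, the signals the article names: number of accounts,
    request volume, share of the dominant prompt skeleton, share of the dominant
    capability, and whether the account names are sequentially numbered."""
    by_family = defaultdict(list)
    for account, capability, prompt in parse_log(text):
        by_family[account_family(account)].append(
            (account, capability, prompt_skeleton(prompt))
        )
    scores = {}
    for family, rows in by_family.items():
        n = len(rows)
        accounts = {a for a, _, _ in rows}
        top_skeleton = Counter(s for _, _, s in rows).most_common(1)[0][1]
        top_capability = Counter(c for _, c, _ in rows).most_common(1)[0][1]
        scores[family] = {
            "accounts": len(accounts),
            "requests": n,
            "template_share": top_skeleton / n,
            "capability_share": top_capability / n,
            "sequential": is_sequential(accounts),
        }
    return scores


def flag_suspicious(text, min_accounts=5, min_template_share=0.8, min_capability_share=0.9):
    """Return account families that look like a coordinated extraction cluster.
    Thresholds are illustrative (assumed); real deployments tune them against baseline traffic."""
    return sorted(
        fam for fam, s in score_families(text).items()
        if s["accounts"] >= min_accounts
        and s["sequential"]
        and s["template_share"] >= min_template_share
        and s["capability_share"] >= min_capability_share
    )


if __name__ == "__main__":
    for fam, s in score_families(SAMPLE_LOG).items():
        print(fam, s)
    print("flagged:", flag_suspicious(SAMPLE_LOG))  # → flagged: ['acct#']
```

The point of grouping by account family rather than by single account is that no individual `acct000N` account looks abnormal on its own; the cluster is only visible once the sequential naming, the shared prompt template and the single targeted capability are examined together, which is exactly the pattern the article says is the only available indicator.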

There is a security dimension beyond the commercial one. When a third party distills a frontier model without permission, the copy does not inherit the safety guardrails built into the original. Dangerous capabilities are transmitted through the outputs; the months of work spent making the model refuse malicious requests are not. Distillation itself is a legitimate and widely used technique. Companies routinely use it to compress their large models into smaller, faster versions that run at lower cost. The line Anthropic draws is between using it on your own models, which is standard practice, and using it on a competitor's model without permission.

Anthropic wants Congress to make stealing models illegal

In a letter to senators, Anthropic's head of policy, Sarah Heck, said the attacks were carried out "in an illicit, systematic and industrial-scale manner to exploit the AI capabilities of US frontier laboratories and repackage them as their own without incurring the training, research and development costs," Business Insider reported.

House Republicans are seeking sanctions on Chinese companies that copy U.S.-made AI models, PYMNTS reported. Sen. Bill Hagerty and Sen. Andy Kim are moving to add an amendment to defense legislation that would blacklist or penalize entities that conduct such campaigns, according to CNBC. The White House Office of Science and Technology Policy issued a memo in April warning about the industrial-scale foreign distillation of American AI models.

The structural problem goes beyond any single campaign. A distillation query is indistinguishable from a legitimate query. The only way to fully close the gap is to restrict who can access the model, which directly contradicts the business logic of selling AI as a service. If adversarial distillation becomes routine, AI labs may find themselves spending as much on access controls and identity verification as on training, treating every API call as a potential intelligence transfer rather than a revenue event.
