In February 2026, Anthropic disclosed something that sent a shockwave through the AI industry: three Chinese AI companies — DeepSeek, Moonshot AI, and MiniMax — had created 24,000 fraudulent accounts and executed over 16 million exchanges with Claude to systematically extract its capabilities. The goal was not to use Claude. It was to become Claude — or close enough to undercut it.
Within weeks, OpenAI confirmed similar campaigns against its own models. Google reported the same. Three companies that had spent years competing to build the world's most capable AI systems were now, for the first time, competing together to protect them.
The vehicle for this unprecedented cooperation is the Frontier Model Forum, an industry nonprofit founded in 2023 by OpenAI, Anthropic, Google, and Microsoft. Originally established to coordinate on AI safety research, the Forum has been quietly repurposed in 2026 into something far more operational: an intelligence-sharing alliance against industrial-scale model theft.
For enterprise leaders, this is not a story about geopolitics between AI labs and Chinese startups. It is a story about the security of the AI capabilities your organization is building on top of — and the collateral damage that the countermeasures against distillation will impose on every legitimate enterprise API consumer.
The Anatomy of Industrial-Scale Distillation
Distillation, in its legitimate form, is a well-understood machine learning technique. A smaller, cheaper model is trained on the outputs of a larger, more capable model. The student learns to mimic the teacher. It is how many production AI systems are built: you train a massive model, then distill it into something that runs at a speed and cost that make business sense.
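For readers who want the mechanics: the canonical formulation trains the student to match the teacher's temperature-smoothed output distribution. A minimal sketch in PyTorch, with the models, data loader, and optimizer left as placeholders:

```python
import torch
import torch.nn.functional as F

def distillation_loss(student_logits, teacher_logits, temperature=2.0):
    """Soft-label distillation: the student matches the teacher's
    temperature-smoothed output distribution (Hinton et al., 2015)."""
    soft_targets = F.softmax(teacher_logits / temperature, dim=-1)
    log_probs = F.log_softmax(student_logits / temperature, dim=-1)
    # KL divergence, scaled by T^2 to keep gradient magnitudes comparable
    return F.kl_div(log_probs, soft_targets, reduction="batchmean") * temperature**2

# Hypothetical training loop: the teacher is frozen, the student trains
# purely on the teacher's outputs.
# for batch in loader:
#     with torch.no_grad():
#         t_logits = teacher(batch)
#     s_logits = student(batch)
#     loss = distillation_loss(s_logits, t_logits)
#     loss.backward(); optimizer.step(); optimizer.zero_grad()
```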
What Anthropic, OpenAI, and Google uncovered was distillation weaponized at industrial scale, conducted covertly through fraudulent accounts, commercial proxy services, and coordinated multi-account operations designed to evade detection.
The numbers tell the story of three distinct campaigns, each targeting different capabilities:
DeepSeek conducted over 150,000 exchanges targeting Claude's reasoning capabilities — specifically its chain-of-thought traces, rubric-based grading tasks, and censorship-safe content generation. DeepSeek's campaign was surgical: it focused on extracting the internal reasoning patterns that make Claude's thinking process distinctive, then used those traces as training data for its own reasoning models.
Moonshot AI ran a broader campaign of 3.4 million exchanges, targeting Claude's agentic reasoning, tool use, coding capabilities, and computer vision. This was capability extraction at breadth — not just how Claude thinks, but how it acts, writes code, and interprets visual information.
MiniMax executed the largest campaign at over 13 million exchanges, focused on agentic coding and tool use. The scale was staggering, and so was the agility: when Anthropic released a new version of Claude, MiniMax redirected nearly 50 percent of its extraction traffic to it within 24 hours, capturing the updated capabilities before countermeasures could be deployed.
The technical sophistication of these campaigns matters for enterprise audiences. These were not crude scraping operations. The attackers designed prompts specifically to extract chain-of-thought reasoning traces — the internal step-by-step logic that frontier models use to solve complex problems. They used critiquing techniques, submitting candidate reasoning sequences and requesting feedback to reverse-engineer problem-solving approaches. They employed autograding extraction, pulling detailed evaluation methodologies that reveal how the model identifies errors and assesses quality.
Each of these techniques generates training data that is far more valuable than raw text. A single chain-of-thought trace contains the reasoning architecture of a model worth billions of dollars in training compute. Multiply that by 16 million exchanges, and you have a dataset capable of bootstrapping a competitive model at a fraction of the original cost.
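To see why, consider what one extracted exchange looks like once reshaped into a supervised fine-tuning record. The field names below are illustrative, not any vendor's schema; the mechanics are standard instruction tuning.

```python
# A single extracted exchange, reshaped into an instruction-tuning record.
# The completion carries the teacher's step-by-step reasoning, not just
# the final answer, which is what makes it so valuable as training data.
record = {
    "prompt": "Prove that the sum of two even integers is even. "
              "Think step by step.",
    # The trace encodes *how* the teacher decomposes problems.
    "completion": (
        "Let a = 2m and b = 2n for integers m, n. "
        "Then a + b = 2m + 2n = 2(m + n), which is divisible by 2, "
        "hence even."
    ),
}
# Fine-tune a smaller model on millions of such records and it inherits
# the teacher's reasoning style at a fraction of the training cost.
```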
The Frontier Model Forum's Quiet War
The response from the three labs marks the most significant industry coordination in AI history — and the most awkward.
OpenAI, Anthropic, and Google do not like each other. OpenAI's executive Naomi Dresser publicly accused Anthropic of building its narrative "on fear, restriction, and the idea that a small group of elites should control AI." Anthropic has accused OpenAI of reckless deployment practices. Google competes with both for enterprise customers, talent, and market share.
Yet in April 2026, these three companies began sharing intelligence on distillation attacks through the Frontier Model Forum with a specificity and urgency that would be remarkable between allied nations, let alone commercial rivals.
The Forum published an issue brief on adversarial distillation in February 2026, establishing the technical framework for the threat. But the real operational work is happening in private: shared classifiers that detect when API users are attempting to extract chain-of-thought reasoning traces, coordinated behavioral fingerprinting systems that identify suspicious usage patterns across platforms, and joint reporting of technical indicators to each other and to US authorities.
The countermeasures being deployed fall into several categories:
Detection classifiers that identify when prompts are designed to expose internal reasoning traces rather than solve legitimate problems. These classifiers analyze prompt patterns, response utilization, and query sequences to distinguish extraction campaigns from normal usage.
Behavioral fingerprinting that tracks usage patterns across accounts. Industrial distillation requires high-volume, repetitive queries focused on specific capability domains, a pattern that is statistically distinguishable from legitimate enterprise or research use (a toy version of such scoring appears after this list).
Account verification hardening, particularly for educational and research accounts that historically offered the cheapest API access. The "free tier to extraction pipeline" path is being closed.
API-level safeguards designed to reduce the training utility of outputs for unauthorized model development, without degrading the usefulness of responses for legitimate users. This is the hardest technical challenge — making outputs useful for the person asking but useless for someone trying to train a competitor.
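None of the labs has published its detection stack, but a toy version of the behavioral-fingerprinting idea is easy to sketch: score each account's recent traffic for domain concentration, extraction-style phrasing, and raw volume. Every marker phrase, weight, and threshold below is invented for illustration; real classifiers are learned models, not keyword lists.

```python
from collections import Counter

# Invented markers of extraction-style prompting, for illustration only.
EXTRACTION_MARKERS = (
    "show your full reasoning", "step by step", "critique this solution",
    "grade the following answer", "explain how you evaluated",
)

def extraction_risk(queries, domains):
    """Toy fingerprint: high volume + narrow domain focus + extraction
    phrasing => suspicious. `queries` is a list of prompt strings,
    `domains` a parallel list of coarse task labels."""
    if not queries:
        return 0.0
    # Concentration: share of traffic in the single busiest domain.
    top_share = Counter(domains).most_common(1)[0][1] / len(domains)
    # Phrasing: fraction of prompts containing an extraction marker.
    marked = sum(
        any(m in q.lower() for m in EXTRACTION_MARKERS) for q in queries
    ) / len(queries)
    # Volume pressure: saturates at 10,000 queries in the review window.
    volume = min(len(queries) / 10_000, 1.0)
    return 0.4 * top_share + 0.4 * marked + 0.2 * volume
```

An account scoring near 1.0 across a review window would be queued for human review rather than auto-banned, because false positives look exactly like legitimate evaluation suites.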
Why Enterprise Leaders Should Care
If your organization consumes AI through APIs — and in 2026, most enterprises do — the distillation war affects you in three concrete ways.
First, your API access is about to come under heavier scrutiny. The countermeasures being built to catch adversarial distillation campaigns will catch legitimate high-volume users in the same net. If your engineering team runs large-scale evaluation suites against Claude or GPT, if your data science team systematically probes model capabilities across domains, if your automated pipelines generate thousands of structured queries per hour — you look like a distillation attack.
Expect more aggressive rate limiting, identity-aware throttling, and behavioral anomaly detection on every major AI API platform. Enterprises running production workloads at scale should proactively engage their AI providers' enterprise sales teams to establish usage baselines and avoid false-positive account restrictions. The alternative is discovering on a Monday morning that your production pipeline has been throttled because an automated classifier flagged it as suspicious.
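One inexpensive way to stay on the right side of those classifiers is to make your traffic legible: tag every request with a stable workload identifier and throttle client-side. Here is a sketch against the Anthropic Messages API, assuming the official Python SDK; the metadata field accepts an opaque user_id, and the per-workload naming convention is our own invention, not a provider requirement.

```python
import time
import anthropic  # assumes the official Anthropic Python SDK

client = anthropic.Anthropic()  # reads ANTHROPIC_API_KEY from the environment

MIN_INTERVAL = 0.5  # seconds between calls: a crude client-side throttle
_last_call = 0.0

def tagged_query(prompt, workload="eval-suite-nightly"):
    """Send a request tagged with a stable, documented workload identifier
    so high-volume traffic is attributable rather than anonymous."""
    global _last_call
    wait = MIN_INTERVAL - (time.time() - _last_call)
    if wait > 0:
        time.sleep(wait)
    _last_call = time.time()
    return client.messages.create(
        model="claude-sonnet-4-5",  # placeholder model name
        max_tokens=1024,
        metadata={"user_id": workload},  # stable ID per pipeline, not per person
        messages=[{"role": "user", "content": prompt}],
    )
```

The point is not that a metadata tag defeats a classifier; it is that when a classifier does flag you, your provider's enterprise team can map the flagged traffic to a documented use case in minutes instead of days.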
Second, your own models may be targets. If your organization has fine-tuned proprietary models — on your data, for your use cases, embedding your competitive advantages — those models are distillation targets too. Every API endpoint you expose is a side-channel. Every model response leaks training signal.
The Frontier Model Forum's issue brief identifies the core vulnerability: distillation success depends on "access to model outputs and available computational resources." If your model is accessible via API, its capabilities can be extracted. The same techniques that DeepSeek used against Claude — chain-of-thought extraction, autograding, capability-targeted prompting — work against any model behind any API.
Enterprise AI teams should audit their own model APIs with the same adversarial lens. Who has access? What usage patterns would indicate extraction? Are you logging and analyzing query patterns for anomalies? Most enterprise AI deployments have no distillation monitoring whatsoever. After February 2026, that is no longer a defensible position.
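As a starting point for that logging question, the sketch below records a crude per-key prompt template for every request to your own model API and periodically flags keys that hammer a single template, the repetitive, capability-targeted pattern described earlier. The schema and thresholds are illustrative.

```python
import sqlite3
import time

# Minimal request log for your own model API; the schema is illustrative.
db = sqlite3.connect("model_api_log.db")
db.execute("""CREATE TABLE IF NOT EXISTS requests (
    api_key TEXT, ts REAL, prompt_template TEXT)""")

def log_request(api_key, prompt):
    # Crude templating: strip digits so "solve task 17" and "solve task 42"
    # collapse to the same template. Real systems would hash embeddings.
    template = "".join(c for c in prompt.lower() if not c.isdigit())[:200]
    db.execute("INSERT INTO requests VALUES (?, ?, ?)",
               (api_key, time.time(), template))
    db.commit()

def repetition_report(window_hours=24, threshold=500):
    """Flag keys that hammered one prompt template: a signature of
    systematic capability extraction rather than organic use."""
    since = time.time() - window_hours * 3600
    return db.execute("""
        SELECT api_key, prompt_template, COUNT(*) AS n
        FROM requests WHERE ts > ?
        GROUP BY api_key, prompt_template
        HAVING n > ? ORDER BY n DESC""", (since, threshold)).fetchall()
```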
Third, the geopolitical dimension affects your supply chain. The distillation campaigns are not random acts of corporate espionage. They are part of a broader pattern in which Chinese AI companies are building competitive capabilities at dramatically lower cost by leveraging Western research and model outputs.
DeepSeek is capturing market share in the Global South at 2 to 4 times the rate of Western competitors, according to a January 2026 Microsoft report. In Africa, DeepSeek's usage runs an estimated 2 to 4 times higher than in other regions. In Belarus, DeepSeek holds 56 percent market share. In Cuba, 49 percent. In Russia, 43 percent.
For enterprises operating globally, this creates a bifurcated AI landscape. Your customers, partners, and operations in emerging markets are increasingly likely to interact with AI systems that were built, in part, by extracting capabilities from the very models you pay full price to access. The competitive moat you thought you were building by deploying frontier AI may be narrower than you assumed.
The Policy Dimension
The US government is not standing idle. The Trump administration's AI Action Plan, unveiled in March 2026, explicitly addresses adversarial distillation as a national security threat. A key element is the establishment of an AI Information Sharing and Analysis Center (AI-ISAC) within the Department of Homeland Security, modeled on similar centers in the financial and critical infrastructure sectors.
The AI-ISAC would formalize the intelligence-sharing that the Frontier Model Forum has begun on an ad hoc basis, adding government resources and authorities to the effort. For enterprises, this means distillation detection and reporting may eventually become a compliance obligation, not just a best practice.
Anthropic has argued that distillation by restricted foreign entities violates US export controls and end-user licensing agreements, particularly when extracted capabilities can be "weaponized for military, intelligence, and surveillance systems." If that legal theory gains traction — and the current administration's posture suggests it will — enterprises that fail to implement distillation monitoring for their own models could face regulatory exposure.
The House Select Committee on the Chinese Communist Party has already branded DeepSeek a national security threat. The policy trajectory is clear: model security is becoming a regulated domain.
What To Do Now
For CISOs and enterprise AI leaders, the immediate action items are straightforward:
Audit your API consumption patterns. Understand what your organization looks like to the AI providers whose countermeasures are tightening. Establish relationships with provider enterprise teams. Document legitimate high-volume use cases before they get flagged.
Assess your own model exposure. If you serve proprietary models via API — internally or externally — implement behavioral monitoring for extraction patterns. Log query sequences, not just individual requests. Look for the signatures: repetitive capability-targeted queries, chain-of-thought extraction prompts, rapid response-cycling after model updates (a toy check for that last signature follows this list).
Evaluate your model supply chain. Know where your AI capabilities come from. If you are using open-weight models, understand their provenance. Models that benefited from distilled frontier capabilities may carry legal and compliance risks as export control enforcement tightens.
Build distillation into your threat model. Your security team already monitors for data exfiltration, credential theft, and network intrusion. Model distillation is the AI-native equivalent — and it is happening at industrial scale to the most sophisticated AI companies on earth. If Anthropic could not prevent 16 million extraction queries, your defenses warrant scrutiny.
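The response-cycling signature from the second item is the most mechanically checkable of the three: compare each account's post-release traffic mix against the release timestamp. A toy scorer, with the 24-hour window borrowed from the MiniMax pattern described earlier and thresholds that are illustrative, not tuned:

```python
def update_chase_score(requests, new_model, release_ts, window=24 * 3600):
    """Fraction of one account's post-release traffic (within `window`
    seconds of `release_ts`) that targets the newly released model.
    `requests` is a list of (timestamp, model_id) tuples."""
    in_window = [model for ts, model in requests
                 if release_ts <= ts < release_ts + window]
    if not in_window:
        return 0.0
    return sum(model == new_model for model in in_window) / len(in_window)

# MiniMax-style behavior, with roughly half of all traffic redirected
# within 24 hours of a release, would score near 0.5 here; ordinary
# users, who migrate over weeks, score near zero.
```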
The Uncomfortable Truth
The Frontier Model Forum's anti-distillation alliance represents a genuine inflection point in the AI industry. For the first time, the companies building frontier AI capabilities are treating model security as a shared problem requiring coordinated defense — the same approach that the financial industry took with fraud, that the defense industry took with classified information, and that the cybersecurity industry took with threat intelligence.
But the uncomfortable truth is that distillation works because frontier models are, by design, maximally helpful. The same capability that makes Claude or GPT useful for enterprise customers — the ability to explain its reasoning, demonstrate its problem-solving process, and generate detailed outputs — is exactly what makes it useful for extraction.
The fundamental tension between model utility and model security has no clean resolution. Every countermeasure that makes distillation harder also makes legitimate use slightly more constrained. The tighter the API controls, the higher the friction for enterprises that depend on these capabilities.
The labs know this. The countermeasures will be calibrated to minimize legitimate impact while maximizing extraction cost. But calibration is imperfect, and the adversaries adapt.
For enterprise leaders, the practical implication is to plan for a future where AI API access is more monitored, more controlled, and more expensive than it is today. The era of unlimited, unmonitored API access to frontier capabilities is ending — not because the labs want to restrict their customers, but because 24,000 fraudulent accounts and 16 million stolen queries proved that unrestricted access is unsustainable.
The AI cold war between US and Chinese AI labs is real, it is intensifying, and your enterprise is standing in the middle of it. Act accordingly.
