American companies are spending enormous sums to develop high-performing AI models. Distillation attacks are attempting to maliciously extract them - and nobody is doing much to stop it.
The AI race between China and the U.S. is heating up.
In January, Moonshot AI, a China-based startup seeking a $10 billion valuation, released Kimi K2.5 - an open-source large language model with coding abilities neck and neck with Claude Opus 4.5, which at the time was Anthropic's most advanced model.
Users of the new Moonshot model quickly noticed something fishy: Kimi K2.5 referred to itself as Claude.
"Kimi-K2.5 believes it's an AI assistant named Claude," one user noted on social-media platform X. "Identity crisis, or training set?"
That Kimi-K2.5 called itself Claude is "very likely" a sign that the model was distilled from Claude outputs, according to Nathan Lambert, post-training lead at the Allen Institute for AI.
Indeed, the world's most high-stakes clandestine cat-and-mouse game is currently taking place in the race for artificial-intelligence supremacy.
Earlier this week, Anthropic, a San Francisco-based AI startup, published a blog post documenting instances of distillation attacks on its models from three of China's "AI tigers," alleging that the labs trained their AI using Anthropic's large language models. The Chinese labs - DeepSeek, Moonshot AI and MiniMax (HK:100) - collectively used 24,000 fraudulent accounts to learn from Anthropic's Claude, according to the U.S. company.
Representatives for DeepSeek, MiniMax, Moonshot AI and Anthropic did not immediately respond to MarketWatch's request for comment.
The distillation attacks - attempts to maliciously extract the intellectual property of a high-performing AI model - come at a pivotal moment for Anthropic and the AI industry at large. Anthropic is fresh off of a new funding round that puts the startup's valuation at $380 billion. It's also dealing with the aftermath of a tense standoff with the U.S. Defense Department over how the government agency can use its models.
Anthropic isn't the only frontier lab documenting distillation attacks.
Earlier this month, both OpenAI and Alphabet's (GOOG) (GOOGL) Google DeepMind identified an increase in model-extraction attempts.
The controversy comes as it has become clear that AI is now a critical pillar of the U.S. economy and its military practices - a strategic asset for the nation on the world stage.
The reported incidents flagged by Anthropic are "only the tip of the iceberg of actual usage for this type of data generation," said Lambert. But it requires a lot of nuance to differentiate between a distillation attack and a company using an AI model for legitimate purposes, he added.
Anthropic does not offer commercial access to Claude in China due to national-security reasons, according to the company. But that policy can't stop Chinese companies from accessing Claude outside of China. U.S. companies are projecting to spend trillions of dollars on AI innovation, and if Chinese labs can siphon off the technology to build comparable models for a fraction of the cost, they could render America's hardware and R&D advantages marginal.
"The national-security dimension, the risk of frontier AI capabilities ending up in military or systems, is worth taking seriously," Lukasz Olejnik, independent technology consultant and visiting senior research fellow at the Department of War Studies at King's College London, told MarketWatch.
However, the ethics of distillation are somewhat murky given that many LLMs were trained on third-party data and copyrighted materials, often without explicit permission, Olejnik noted. And the practice of distillation is used in many nonmalicious contexts.
Valid practice or violation?
Distillation has been around in some shape or form for a long time, according to Christopher Caen, CEO of Mill Pond Research. "It's another version of scraping, which has been a problem since day one," Caen said, referencing how Anthropic's Claude and other LLMs have been trained on large amounts of copyrighted material from across the internet.
Distillation involves training a weaker model to mimic the probability distributions of a more powerful model, often through analyzing millions of API responses to reverse engineer the "logic" behind the model's intelligence. The underlying technique of training a model on the outputs of another is very common for AI labs to use for internal optimization, the Allen Institute's Lambert told MarketWatch.
"Many academics and research institutes technically violate the terms of service in a strict interpretation," Lambert said. Anthropic itself has used distillation to create its smaller, faster models such as Claude 3 Haiku and Claude 3.5 Sonnet.
According to Anthropic, the three Chinese labs generated more than 16 million exchanges with Claude through unauthorized third-party API resellers. The lion's share, 13 million, was attributed to MiniMax, which says its model serves more than 212 million users and over 130,000 enterprise clients and developers.
Anthropic claimed another 3.4 million exchanges stemmed from Moonshot, which is backed by Chinese tech giants Tencent (HK:700) and Alibaba (BABA) (HK:9988). More than 150,000 exchanges were traced back to DeepSeek, which briefly threw U.S. AI firms into a panic last year when it debuted its R1 reasoning model.
Theo Browne, founder and CEO of the AI startup T3 Chat, told MarketWatch that 16 million exchanges is "really not much," noting that his business hits that volume of usage most months. But as AI training moves beyond simple question-and-answer and toward more complex agentic workflows, companies are using large language models to generate synthetic data to train on, according to Browne and Lambert.
"It wouldn't be surprising if most of them used American models for parts of their synthetic data pipelines," Browne said.
The key difference between the actions of a company like Browne's or university researchers and those of MiniMax or DeepSeek can be chalked up to a few things. Chief among them is geopolitics, according to Kyle Chan, a researcher at the Brookings Institution think tank who studies Chinese tech firms and industrial policy.
"If they're 'cheating' off of the American models, then that means that China is able to get some kind of advantage or a leg up" on the competition, Chan said. "And that could challenge or threaten U.S. leadership in this space."
Olejnik, at King's College London, said that while distillation is "routinely used to build smaller, faster and cheaper versions of existing systems," Anthropic and other labs are likely flagging a phenomenon where "thousands of fake accounts circumvented access control for systematic extraction of model capabilities that took years and billions of dollars to develop."
Chan said that while Chinese labs clearly use distillation as a tool to hone their models, it's likely not the only reason for their advancements. He added that some U.S. AI leaders have called technical reports released by the labs impressive, which signals that they have developed some "fundamental capabilities."
"It's hard to say how much distillation matters for the Chinese AI models," Chan said. "You need to have a certain level of capability in order to ... even be able to leverage that kind of data."
Distillation also has potential ramifications beyond simply allowing AI labs or businesses that are not as well funded to develop comparable models.
In its blog post, Anthropic warned that foreign labs can use their distilled models to give "authoritarian governments" the ability to deploy frontier AI for mass surveillance and cyberattacks. Distillation can also make advanced AI more accessible to groups that would otherwise be incapable of committing major crimes, experts have said.
"AI will probably enable relatively low-skilled cybercriminals to target firms at a higher pace and scale globally this year," Dragonfly, a risk-analysis and security-intelligence service owned by MarketWatch's parent company, Dow Jones, said in a report this week.
Amazon Threat Intelligence (AMZN) said in a Feb. 20 report that a bad actor had used multiple AI services to compromise over 600 firewalls across dozens of countries.
And on Wednesday, cybersecurity firm Gambit Security revealed that roughly 150 gigabytes of data were stolen from 10 Mexican government bodies and a single financial institution by a hacker using Claude and OpenAI's ChatGPT. It took an individual actor just a month after their initial breach to carry out the assault, according to Gambit. They relied on more than 1,000 prompts to Claude Code backed up by data analysis run by ChatGPT.
"AI didn't just assist, it functioned as the operational team: writing exploits, building tools, automating exfiltration," Gambit said. "Claude executed the attack under the guidance of the attacker, and OpenAI analyzed data in support of accelerating Claude's attack-execution efforts."
The real battle is over the engine
What's stopping any AI lab - not just DeepSeek, MiniMax and Moonshot - from doing the same kind of distillation? "Absolutely nothing," according to Mill Pond Research's Caen.
Stopping such practices will be incredibly hard without legislation, Lambert of the Allen Institute said, which he posited could be a goal of Anthropic drawing attention to the matter. In its blog post, Anthropic said the industry would need to work with policymakers to combat widespread distillation.
Can China just steal America's AI brain that's costing trillions to develop?
By Christine Ji and William Gavin
Dow Jones Newswires
02-28-26 0800ET
Copyright © 2026 Dow Jones & Company, Inc.