Analysis reveals that Anthropic's model distillation capabilities highlight limitations of US export controls alone in restricting China's AI capability development.

Anthropic disclosed in February 2026 that Chinese AI labs used approximately 24,000 fraudulent accounts and commercial proxy services to bypass access restrictions and extract more than 16 million Claude exchanges. According to the company's attribution, based on IP address patterns, request metadata and infrastructure fingerprints, the three firms targeted were DeepSeek, Moonshot AI and MiniMax. The uncomfortable reality is not that distillation occurs—everyone in the AI industry knows it does—but that these companies were able to generate millions of exchanges before Anthropic publicly described the campaigns and the defenses it had developed after discovering them.

The extraction campaigns were precise capability grabs rather than random chatbot prompts. DeepSeek focused on Claude's reasoning capabilities and rubric-based grading, using more than 150,000 exchanges to produce censorship-safe responses to politically sensitive questions about dissidents and party leadership. Moonshot AI targeted agentic reasoning, tool use and computer vision across 3.4 million exchanges. MiniMax ran the largest operation, generating more than 13 million exchanges concentrated on agentic coding.

Distillation itself is ordinary research practice: a weaker model learns from a stronger one's outputs, allowing smaller systems to improve without repeating frontier training costs. At industrial scale through fake accounts, however, it becomes a shortcut around the chip controls Washington continues tightening. OpenAI made a similar accusation against DeepSeek in a memo to House lawmakers in February 2026, according to reports.

The detection problem is structural. Catching an operation after 16 million exchanges is not the same as stopping it. Once exchanges are generated and used for training, there is no realistic way to recover them. The labs kept the lesson material. Anthropic demonstrated better detection than most companies discuss publicly, but the defensive math is fundamentally unequal: the attacker needs only enough clean output for the next training run; the defender must catch the pattern before the data has value.

This vulnerability became concrete in June 2026 when Anthropic faced restrictions on its Fable 5 and Mythos 5 models following a federal directive limiting foreign national access, including Canadian workers Anthropic relied on. Business Insider reported that legal tech startup Legion sued the US government over the order. Wired reported that Fable 5 was suspended on June 12 over security concerns involving jailbreaks enabling access to the more powerful Mythos model. AP reported that Sen. Mark Warner discussed a government test in which Mythos found vulnerabilities in classified systems, though the account described a controlled security exercise rather than unauthorized access. These distinctions matter: a red-team result is not a cyberattack, but it is precisely the kind of outcome that makes officials nervous when the model is commercially available.

Chip controls remain consequential. DeepSeek founder Liang Wenfeng has acknowledged that the company's constraint was access to advanced chips rather than capital. Yet if a competitor can buy or fraudulently access millions of interactions with an American frontier model, chip restrictions form only part of the defense. Model access is fundamentally messier than hardware control. A chip has a shipment record, customs checkpoint and physical destination. An API call can arrive through a proxy, reseller, stolen account or a worker in an allowed jurisdiction. Terms of service are useful in court and weak against determined technical campaigns.

The industry has been too comfortable with this tension. Frontier labs sell global access because revenue and developer adoption matter. Governments simultaneously ask those companies to treat powerful models as controlled technology stacks. These demands cannot coexist once models can write code, use tools and identify software vulnerabilities.

The Fable 5 restrictions contain an irony that threatens their stated purpose. As TechCrunch noted, restricting access to a leading American model can redirect customers toward open or cheaper alternatives from Chinese labs, including DeepSeek and Moonshot. A security measure intended to preserve US advantage can create market space for the competitors it aims to contain.

Anthropic indicates it is improving detection, account verification and behavioral fingerprinting. All frontier labs—OpenAI, Google and others selling model access through APIs—should do the same. But the asymmetry remains. Washington can restrict chips and now restrict model access, yet if the public internet remains the delivery channel for frontier capability, the next extraction campaign will not need to defeat the entire American AI stack. It will only need to look like ordinary usage long enough.