Chinese AI Firms Exploit Anthropic’s Claude in Massive Data Extraction Scheme, Raising Security Concerns

In a recent disclosure, Anthropic, a leading artificial intelligence (AI) research company, has uncovered extensive unauthorized activities by three Chinese AI firms—DeepSeek, Moonshot AI, and MiniMax. These companies orchestrated large-scale operations to extract capabilities from Anthropic’s advanced language model, Claude, aiming to enhance their own AI systems illicitly.

Unveiling the Unauthorized Data Extraction

Anthropic’s investigation revealed that these firms conducted over 16 million interactions with Claude through approximately 24,000 fraudulent accounts. This massive data extraction violated Anthropic’s terms of service and circumvented regional access restrictions, as the use of Claude’s services is prohibited in China due to legal, regulatory, and security concerns.

Understanding the Distillation Technique

The method employed by these companies is known as distillation. In this process, a less capable AI model is trained using the outputs generated by a more advanced system. While distillation is a legitimate practice for developing smaller, cost-effective versions of proprietary models, it becomes illegal when competitors exploit it to replicate another company’s AI capabilities without authorization. Such actions allow them to bypass the substantial time and financial investments required for independent development.

National Security Implications

Anthropic has raised alarms about the potential national security risks posed by these illicitly distilled models. Models developed through unauthorized distillation often lack essential safeguards, leading to the proliferation of AI systems with stripped-down protections. This vulnerability can be exploited by foreign entities to facilitate malicious activities, including cyberattacks, disinformation campaigns, and mass surveillance. Authoritarian regimes could leverage these unprotected capabilities to bolster military, intelligence, and surveillance operations.

Detailed Analysis of the Distillation Attacks

The campaigns orchestrated by DeepSeek, Moonshot AI, and MiniMax were meticulously designed to extract specific capabilities from Claude:

– DeepSeek: Focused on Claude’s reasoning abilities and rubric-based grading tasks. The company sought assistance in generating censorship-safe alternatives to politically sensitive queries, such as those concerning dissidents, party leaders, or authoritarianism. This effort spanned over 150,000 exchanges.

– Moonshot AI: Targeted Claude’s agentic reasoning, tool use, coding capabilities, development of computer-use agents, and computer vision. Their campaign encompassed more than 3.4 million exchanges.

– MiniMax: Aimed at extracting Claude’s agentic coding and tool use capabilities, resulting in over 13 million exchanges.

Anthropic noted that the volume, structure, and focus of these prompts deviated significantly from typical usage patterns, indicating a deliberate effort to extract specific capabilities rather than legitimate use.

Exploitation of Proxy Services

The unauthorized access was facilitated through commercial proxy services that resell access to Claude and other advanced AI models on a large scale. These services utilize hydra cluster architectures, comprising extensive networks of fraudulent accounts to distribute traffic across their APIs. This setup allows for the generation of vast numbers of carefully crafted prompts designed to extract specific capabilities from the model.

Anthropic highlighted the resilience of these networks, stating, “The breadth of these networks means that there are no single points of failure. When one account is banned, a new one takes its place.” In one case, a single proxy network managed more than 20,000 fraudulent accounts simultaneously, mixing distillation traffic with unrelated customer requests to make detection harder.

Anthropic’s Countermeasures

In response to these threats, Anthropic has implemented several measures to safeguard its AI models:

– Development of Classifiers and Behavioral Fingerprinting Systems: These tools are designed to identify suspicious distillation attack patterns within API traffic.

– Enhanced Verification Processes: Strengthened verification protocols have been introduced for educational accounts, security research programs, and startup organizations to prevent unauthorized access.

– Implementation of Additional Safeguards: New protections have been put in place to reduce the effectiveness of model outputs for illicit distillation purposes.
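As an added illustration, not Anthropic's own classifier or code, the following Python sketches the kind of behavioral fingerprinting the countermeasures above describe and the proxy-network signature discussed earlier: it collapses prompts into coarse templates, flags accounts whose traffic is dominated by templates reused across many accounts (even when blended with ordinary requests), and groups those accounts into clusters, which is the trace a multi-account proxy network leaves. The log records, thresholds, and account ids are constructed assumptions.

```python
import re
from collections import defaultdict

MIN_SHARED_ACCOUNTS = 3   # a prompt template seen from this many accounts is suspicious
MIN_SHARED_RATIO = 0.5    # flag an account when at least half its prompts use such templates
TEMPLATE_WORDS = 5        # prompts are fingerprinted by their normalised leading words
# Constructed sample of (account_id, prompt) API records; hypothetical, not real traffic.
SAMPLE_LOG = [
    ("acct-001", "Grade this answer with the rubric: [criteria 1] Answer: Paris is in France."),
    ("acct-002", "Grade this answer with the rubric: [criteria 7] Answer: Water boils at 100 C."),
    ("acct-003", "Grade this answer with the rubric: [criteria 12] Answer: 2 + 2 = 4."),
    ("acct-001", "Solve step by step: 17 * 23"),
    ("acct-002", "Solve step by step: 41 * 9"),
    ("acct-003", "Solve step by step: 8 * 8"),
    ("acct-001", "What's a good recipe for lentil soup?"),
    ("acct-900", "Help me draft an email to my landlord about a broken heater."),
    ("acct-900", "Summarize this note: we agreed to ship on Friday."),
]


def template(prompt: str) -> str:
    """Collapse a prompt to a coarse template: lowercase, digits -> '#', leading words only."""
    return " ".join(re.sub(r"\d+", "#", prompt.lower()).split()[:TEMPLATE_WORDS])


def fingerprint(records):
    """Return (flagged, clusters). flagged maps account -> share of its prompts built from
    templates reused by >= MIN_SHARED_ACCOUNTS accounts (distillation traffic blended with
    normal requests still scores high); clusters groups flagged accounts sharing a template."""
    by_template, by_account = defaultdict(set), defaultdict(list)
    for account, prompt in records:
        t = template(prompt)
        by_template[t].add(account)
        by_account[account].append(t)
    shared = {t for t, accts in by_template.items() if len(accts) >= MIN_SHARED_ACCOUNTS}
    flagged = {}
    for account, templates in by_account.items():
        ratio = sum(t in shared for t in templates) / len(templates)
        if ratio >= MIN_SHARED_RATIO:
            flagged[account] = round(ratio, 3)
    # Merge flagged accounts that reuse the same suspicious template into one cluster,
    # the trace a proxy network rotating many accounts behind one workload leaves.
    clusters = []
    for t in shared:
        group = {a for a in by_template[t] if a in flagged}
        for c in [c for c in clusters if c & group]:
            clusters.remove(c)
            group |= c
        if group:
            clusters.append(group)
    return flagged, sorted(clusters, key=sorted)
```

In the constructed sample, acct-001's single recipe question does not hide it, because two thirds of its traffic still matches templates shared with acct-002 and acct-003, while acct-900's ordinary requests are not flagged.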

Broader Context and Industry Implications

This revelation comes shortly after Google’s Threat Intelligence Group (GTIG) disclosed similar distillation and model extraction attacks targeting Gemini’s reasoning capabilities through more than 100,000 prompts. These incidents underscore a growing trend of AI model exploitation by foreign entities, raising significant concerns about intellectual property theft and the potential misuse of AI technologies.

Conclusion

The unauthorized extraction of AI capabilities by DeepSeek, Moonshot AI, and MiniMax highlights the pressing need for robust security measures and international cooperation to protect AI innovations. As AI technologies continue to advance and become integral to various sectors, safeguarding these systems against exploitation is paramount to maintaining technological integrity and national security.