Full Report
U.S. artificial-intelligence startup Anthropic said three Chinese AI companies set up more than 24,000 fraudulent accounts with its Claude AI model to help their own systems catch up. The three companies—DeepSeek, Moonshot AI and MiniMax—prompted Claude more than 16 million times, siphoning information from Anthropic’s system to train and improve their own products, Anthropic said in a…
Analysis Summary
# Incident Report: AI Model Data Exfiltration (Claude Siphoning)
## Executive Summary
Three Chinese AI companies (DeepSeek, Moonshot AI, and MiniMax) established over 24,000 fraudulent accounts to repeatedly query Anthropic's Claude AI model, executing more than 16 million prompts. The primary objective was the "distillation" of proprietary information from Anthropic's system to significantly accelerate the training and improvement of their own competitive AI products.
## Incident Details
- **Discovery Date:** Recent (Reported via blog post on Monday, February 24, 2026)
- **Incident Date:** Ongoing or recent period leading up to the report.
- **Affected Organization:** Anthropic (U.S. AI startup)
- **Sector:** Artificial Intelligence / Technology
- **Geography:** U.S. (Victim), China (Perpetrators)
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified. Occurred over a period sufficient to execute 16 million prompts.
- **Vector:** Creation of fraudulent user accounts.
- **Details:** More than 24,000 fraudulent accounts were set up to access the Claude AI model.
### Lateral Movement
- N/A. This was a direct data extraction/querying attack against the AI service, not an intrusion into internal network infrastructure.
### Data Exfiltration/Impact
- **Technique:** Model Distillation.
- **Details:** Over 16 million prompts were sent to Claude. The outputs generated were systematically collected and used as training data to improve the capabilities of the attackers' own models (DeepSeek, Moonshot AI, MiniMax).
### Detection & Response
- **Detection:** Detected and disclosed by Anthropic in a formal blog post.
- **Response actions taken:** Anthropic disclosed the activity, publicly naming the implicated companies. (Note: Specific containment actions against the accounts are implied but not detailed in the summary text.)
## Attack Methodology
- **Initial Access:** Account creation (Falsified/Fraudulent user onboarding).
- **Persistence:** N/A (Continuous high-volume querying, not sustained system access).
- **Privilege Escalation:** N/A.
- **Defense Evasion:** Utilizing high volumes of accounts/queries to mimic legitimate, albeit intense, user load.
- **Credential Access:** N/A.
- **Discovery:** N/A (Direct interaction with the exposed API/interface).
- **Lateral Movement:** N/A.
- **Collection:** Massive output collection via repeated prompting.
- **Exfiltration:** Implicitly, the collection of model outputs constitutes the exfiltration of proprietary learned patterns/information.
- **Impact:** Model distillation/unauthorized competitive advantage creation.
## Impact Assessment
- **Financial:** Not quantified, but substantial competitive advantage gained by adversaries; potential for lost revenue/market share for Anthropic.
- **Data Breach:** Intellectual property loss in the form of refined model behavior/outputs (millions of data points).
- **Operational:** Potential burden on Anthropic's compute resources due to 16 million illegitimate queries.
- **Reputational:** Public accusation against major Chinese AI players, highlighting vulnerabilities in AI usage monitoring.
## Indicators of Compromise
- **Network indicators:** No specific addresses or domains given; the only network-level signal described is a high volume of requests spread across 24,000+ unique accounts querying the Claude API/interface.
- **File indicators:** None specified.
- **Behavioral indicators:** Extreme deviation from typical user interaction patterns (16 million interactions likely automated/programmatic).
## Response Actions
- **Containment measures:** Account termination (implied, standard procedure for fraudulent use).
- **Eradication steps:** Analysis of the specific entities and prompt sequences used.
- **Recovery actions:** Making the findings public; likely implementing stricter CAPTCHA or usage monitoring to prevent recurrence.
## Lessons Learned
- Automated, large-scale access via seemingly legitimate user interfaces poses a significant threat to proprietary LLMs.
- The technique of "model distillation" via querying is a confirmed, organized method for competitors to rapidly close the capability gap.
- AI providers must develop robust behavioral analysis systems specifically designed to detect high-volume, systematic output siphoning, often requiring verification beyond standard account creation checks.
## Recommendations
- Implement advanced rate-limiting and behavioral anomaly detection tailored to identify input/output patterns indicative of model distillation attempts.
- Introduce more rigorous identity verification or session analysis for users generating exceptionally high volumes of complex queries.
- Review and tighten Terms of Service to explicitly prohibit large-scale programmatic data scraping/distillation via standard user interfaces.
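
An added example (not from Anthropic's post or the source article) of the cross-account anomaly detection recommended above. Taking the report's figures, 16 million prompts over 24,000 accounts averages only several hundred prompts per account, so a per-account rate limit alone may never fire. The linking key `signup_fingerprint`, every threshold, and the sample records are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample usage records: (account_id, signup_fingerprint, prompts_in_window).
# signup_fingerprint is a hypothetical linking attribute (e.g. a hash of payment
# or device data); the page does not say how the accounts were tied together.
SAMPLE = (
    [(f"acct-{i:03d}", "fp-A", 650 + (i % 7) * 5) for i in range(40)]  # coordinated set
    + [(f"user-{i}", f"fp-u{i}", n)
       for i, n in enumerate([12, 40, 3, 900, 75, 20, 8, 150])]        # organic users
)

# All thresholds below are assumed values for illustration.
PER_ACCOUNT_LIMIT = 1000       # classic per-account rate limit
CLUSTER_MIN_ACCOUNTS = 10      # linked accounts needed before a cluster is considered
CLUSTER_MIN_PROMPTS = 10_000   # aggregate volume across the cluster
MAX_SPREAD = 0.25              # (max - min) / median; near-uniform use suggests automation


def per_account_alerts(records, limit=PER_ACCOUNT_LIMIT):
    """Accounts that a simple per-account threshold would flag."""
    return [account for account, _, n in records if n > limit]


def cluster_alerts(records):
    """Flag groups of linked accounts whose combined, uniform usage is anomalous."""
    clusters = defaultdict(list)
    for account, fingerprint, n in records:
        clusters[fingerprint].append(n)

    findings = []
    for fingerprint, counts in clusters.items():
        total, mid = sum(counts), median(counts)
        spread = (max(counts) - min(counts)) / mid if mid else float("inf")
        if (len(counts) >= CLUSTER_MIN_ACCOUNTS
                and total >= CLUSTER_MIN_PROMPTS
                and spread <= MAX_SPREAD):
            findings.append({"fingerprint": fingerprint, "accounts": len(counts),
                             "total_prompts": total, "spread": round(spread, 3)})
    return findings


if __name__ == "__main__":
    print("per-account alerts:", per_account_alerts(SAMPLE))
    print("cluster alerts:", cluster_alerts(SAMPLE))
```

On the constructed data no single account crosses the per-account limit, while the aggregated view flags the 40 linked accounts as one cluster.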