OpenAI, Anthropic, and Google Just United Against China’s AI Distillation War

The three fiercest competitors in AI just did something unprecedented: they started sharing secrets. On April 6, Bloomberg reported that OpenAI, Anthropic, and Google are now actively collaborating through the Frontier Model Forum to combat industrial-scale AI model distillation by Chinese labs. When companies that spend billions trying to outship each other suddenly pool threat intelligence, the problem is existential. And the numbers back that up — 16 million fraudulent queries, 24,000 fake accounts, and billions of dollars in estimated annual losses. AI model distillation has gone from a research technique to a geopolitical weapon, and the response just escalated.

What AI Model Distillation Actually Is — and Why It’s a Problem

Model distillation is a legitimate machine learning technique. You take a large, expensive “teacher” model and use its outputs to train a smaller, cheaper “student” model that approximates the teacher’s performance. Google pioneered the concept. Every major lab uses it internally.

The problem starts when someone else’s model becomes your teacher — without permission.

Here’s how adversarial distillation works in practice: an attacker creates thousands of accounts on a platform like Claude or GPT. They feed the model carefully crafted prompts designed to extract its reasoning patterns, safety behaviors, and domain expertise. The responses become training data for a competing model. The attacker gets years of research and billions in compute investment for the cost of API calls.

It’s not theoretical. Anthropic documented exactly this happening in February 2026, naming three Chinese firms — DeepSeek, Moonshot AI, and MiniMax — as running industrial-scale distillation campaigns against Claude.

The Scale: 16 Million Queries, 24,000 Fake Accounts

Anthropic’s February disclosure put concrete numbers on the problem. The three Chinese labs collectively generated over 16 million exchanges with Claude through approximately 24,000 fraudulent accounts. The breakdown reveals different strategic priorities:

MiniMax drove the most volume — over 13 million exchanges. Their queries targeted broad capability extraction, suggesting an effort to replicate Claude’s general reasoning across domains.

Moonshot AI generated 3.4 million exchanges focused on agentic reasoning, tool use, coding, data analysis, and computer vision. They were systematically mapping Claude’s most commercially valuable capabilities — the exact features enterprise customers pay premium prices for.

DeepSeek took a more surgical approach with 150,000 exchanges targeting foundational logic and alignment. They specifically probed censorship-safe responses and policy-sensitive queries, which suggests they were trying to reverse-engineer Claude’s safety tuning — the behavioral layer that took Anthropic years of constitutional AI research to develop.

The Hydra Architecture

What makes this sophisticated isn’t the volume — it’s the evasion. Anthropic described “hydra clusters,” proxy architectures managing 20,000+ accounts simultaneously. Each cluster rotated through accounts to distribute API traffic, mixed distillation queries with legitimate-looking requests, and used geographic IP distribution to dodge rate limiting and abuse detection. This isn’t grad students running scripts. It’s organized infrastructure built specifically for model extraction at scale.

Why Competitors Are Now Sharing Intelligence

The April 6 Bloomberg report marks a significant escalation in the response. OpenAI, Anthropic, and Google are now sharing attack data through the Frontier Model Forum, the industry nonprofit the three companies founded with Microsoft in 2023.

This matters for several reasons:

Shared threat signatures. Distillation attacks that work against Claude probably work against GPT and Gemini too. By pooling detection data, the three labs can identify attacker infrastructure — IP ranges, account creation patterns, query signatures — across all platforms simultaneously. An attacker banned from Claude can’t simply pivot to GPT undetected.

Unified terms of service enforcement. When one lab identifies a distillation operation, the others can preemptively block the same actors. This turns a game of whack-a-mole into a coordinated defense.

Political leverage. A joint industry position carries more weight with policymakers than individual complaints. The collaboration signals to Washington that this is a systemic national security issue, not a commercial grievance.

As someone running enterprise AI infrastructure at a telecom, I’ve watched this dynamic play out in cybersecurity for decades. Threat intelligence sharing between competitors is standard practice in banking and defense. The fact that it’s now happening in AI tells you how serious the model theft problem has become.

The Economics: Why This Threatens the Entire AI Business Model

U.S. officials estimate adversarial distillation costs Silicon Valley labs billions of dollars annually. But the financial impact goes deeper than lost API revenue.

The R&D arbitrage problem. Anthropic has spent billions developing Claude’s reasoning capabilities. Their revenue just hit $30 billion annualized, but the compute costs to train frontier models run into the hundreds of millions per training run. When a competitor can approximate 80% of that capability for the cost of API queries, it fundamentally breaks the economics of frontier model development.

The pricing pressure. Distilled models undercut originals on price because they carry none of the original R&D cost. If Chinese labs can offer Claude-quality reasoning at a fraction of the price, Anthropic’s enterprise customers face a choice between paying premium prices for the original or switching to a cheaper imitation. That pressure cascades across the entire industry.

The safety stripping risk. DeepSeek’s focus on extracting Claude’s safety behaviors is particularly concerning. A distilled model can replicate capabilities while stripping safety guardrails. The result: powerful AI systems without the alignment work that responsible labs invest in. This isn’t just a business problem — it’s precisely the kind of AI safety risk that regulators are trying to prevent.

What the Frontier Model Forum Response Looks Like

The Frontier Model Forum was founded in 2023 by OpenAI, Anthropic, Google, and Microsoft as a nonprofit focused on AI safety research. Its repurposing as an anti-distillation coordination body represents a practical evolution of its mission.

Based on reporting from Bloomberg and BanklessTimes, the collaboration involves:

• Real-time attack data sharing — flagging distillation attempts as they happen across platforms
• Joint detection methodology — developing shared tools to distinguish distillation queries from legitimate use
• Coordinated account enforcement — synchronized bans across all member platforms
• Policy advocacy — presenting unified evidence to U.S. officials on the scope of the problem

This mirrors the approach that financial institutions use through organizations like FS-ISAC for cybersecurity threat sharing. The playbook is proven. The question is whether it’s enough.

The Bigger Picture: AI’s IP Cold War

This isn’t happening in a vacuum. The distillation fight sits inside a broader contest over who controls the economics of frontier AI.

The U.S. has restricted chip exports to China, limiting access to the NVIDIA GPUs needed to train large models. China has responded by getting creative — distillation lets labs build competitive models without frontier-scale compute. If you can’t buy the hardware, steal the outputs.

Meanwhile, U.S. labs are spending at unprecedented scale. Anthropic just signed a 3.5 gigawatt TPU deal with Google and Broadcom, committing to infrastructure that only makes economic sense if their models can command premium pricing. Distillation directly threatens that calculation.

The Frontier Model Forum response is the industry saying: we’ll compete on models, but we’ll cooperate on protecting the investment that makes those models possible. It’s a rational response to a problem that could undermine the entire economics of AI development.

For enterprise buyers evaluating AI vendors, this has practical implications. Models from labs that participate in anti-distillation protections are more likely to maintain their capability edge over time. That’s a factor worth weighing alongside benchmarks and pricing when choosing your AI platform.

What Happens Next

Three things to watch:

Technical countermeasures. Expect API-level changes — watermarking outputs, detecting query patterns that indicate distillation, and more aggressive rate limiting on suspicious accounts. These may affect legitimate researchers, creating friction that labs will need to manage.

Regulatory action. The joint industry data gives U.S. policymakers ammunition. Expect this to become part of the broader AI policy conversation around model security and IP protection.

Chinese lab responses. DeepSeek, Moonshot, and MiniMax haven’t publicly acknowledged the allegations. Whether they shift to different extraction techniques, develop truly independent capabilities, or push back legally will shape the next chapter.

The AI model distillation war is now a three-front battle: technical detection, legal enforcement, and geopolitical negotiation. The Frontier Model Forum collaboration means the biggest players have decided this fight is too important to go it alone.

FAQ