← Back to Library

Three Labs Just Stole Claude's Brain. Here's What It Broke (And Why You Should Care)

Nate B Jones · Nate B Jones · · 30 min read
Commentary by Brian Edwards

Three Labs Just Stole Claude's Brain. Here's What It Broke (And Why You Should Care)")

Nate B Jones

Chinese AI labs just got caught running 16 million automated conversations with Claude across 24,000 fake accounts. Deepseek, Moonshot, and Miniaax extracted Claude's capabilities at industrial scale using hydra networks of fraudulent accounts and proxy services to evade geographic restrictions. Miniaax pivoted within 24 hours of a new model release to capture the latest capabilities before anyone could stop them.

If this sounds like it came out of a spy movie, it probably should. But everyone calling this a Cold War problem is missing something critical.

The Real Story Nobody's Talking About

The most valuable intelligence ever created by an American company is stored as math at OpenAI, Google, and Anthropic. It's weightless, copyable, and extractable through a chat window. The gap between what's inside frontier labs and what everyone else can access creates what analysts call a pressure gradient—the same force that makes water flow downhill.

When one side has capabilities worth potentially trillions of dollars and the other side can extract them for thousands of dollars, the information moves always. The gradient is so extreme that distillation isn't really properly framed as espionage. Even if it meets that bar, it should be framed as piracy.

"This is not really a China problem, not fundamentally, not structurally. This is a Napster problem."

The music industry learned in 1999 and the film industry learned in 2003 that piracy doesn't stop—it slows down. The question that matters is what is the speed of that slowdown versus the capability gain in frontier models when model capabilities are doubling every 90 days.

What Nobody Is Saying

But here's the part that should keep you up at night. Distilled models—built from stolen outputs, competitive on benchmarks, possibly cheaper to deploy—are systematically worse than frontier models in ways that no eval suite does a good job of measuring today. And that gap is widest on exactly the use cases where AI value is headed: sustained, autonomous, agentic work.

The models built by copying look fine for chat. They fall apart when you need them to think for eight hours straight, route around obstacles, and use tools and combinations nobody anticipated.

Anthropic disclosed that Deepseek operation targeted Claude's reasoning capability across 150,000 exchanges, generating chain of thought training data at scale. Their prompts asked Claude to imagine and articulate the internal reasoning behind a completed response and write it out step by step—effectively manufacturing the reasoning traces needed to train a competitor model.

But one of their most revealing techniques had nothing to do with military applications. They used Claude to generate censorship-safe alternatives to politically sensitive queries about dissident leaders and authoritarianism. Training data designed to help Deepseek's own models steer conversations away from topics the Chinese government doesn't want discussed.

Anthropic traced accounts to specific researchers through payment methods and request metadata.

The Compression Problem

Distillation does not produce a copy of the original model. It produces a compression—and that compression, like a lossy MP3, has characteristics that matter enormously for anyone building real systems on top of these models.

Think about it geometrically. A frontier model like Opus 4.6 is trained on a vast diverse corpus over months of compute. The result is a model that occupies what analysts call a high-dimensional capability space. It can reason about code, navigate ambiguous instructions, use tools and novel combinations, maintain coherence over long workflows, recover from errors, and adapt its approach when a plan fails.

A distilled model trained on a subset of the frontier model's outputs learns to reproduce specific behaviors. The result is a model that performs well on those specific tasks but occupies a narrower manifold. It's optimized for the tasks the distiller targeted and falls off more steeply when you step outside that distribution.

Miniaax ran over 13 million exchanges focused specifically on agentic coding and tool orchestration. They trained their model on those outputs. The resulting model scores well on coding benchmarks, maybe even comparable to Claude on specific evals because the benchmarks test exactly the kind of task the distiller optimized for. So an enterprise buyer running a standard eval suite might conclude the models are roughly equivalent—and they would be wrong.

Where The Difference Shows Up

The difference shows up as a narrowed ability to work around obstacles toward a longer-term objective reliably and autonomously. A frontier model like Opus 4.6 encounters an unexpected error midway through a complex coding task and knows how to reroute. It tries a different library, restructures its approach, asks for clarification if the context is genuinely ambiguous.

A narrower model encounters the same error and either fails, loops, or produces a technically valid but strategically incorrect workaround. It doesn't have the representational depth to understand why the original approach was chosen and what the real constraints are.

The difference also shows up as a narrowed ability to use tools for a varied array of purposes. Frontier models have been trained on enough diverse tool use scenarios that they can use a file system, a database, a web browser, and a code executor in novel combinations to achieve goals they weren't explicitly trained on. By contrast, distilled models use tools in the patterns they were trained on and struggle to improvise when a task requires an unfamiliar combination.

This difference really matters because the frontier of AI value is moving rapidly toward agentic work—sustained autonomous workflows that run for hours or even days, coordinate across tools and systems, and require exactly the kind of generality that distillation compresses away.

The Evaluation Gap

The performance shadow between frontier and distilled models on short, well-defined tasks is relatively narrow. The performance shadow on extended agentic work is large and getting bigger—and no benchmark does a good job of capturing that today because the evals that would measure sustained autonomous generality don't really exist yet.

If you're evaluating a model for a chat application—a simple task like generating text or translating a paragraph—a distilled model might be 90% as good as the frontier for 15% of the cost, and you'd take that trade all day. But if you're evaluating a model for a week-long autonomous coding sprint across six repositories where the model needs to understand organizational context, route work correctly, recover from errors it's never seen, and use tools and combinations that weren't in the training data—this is a real example—the distilled model might be 40% as effective.

And what's worse, if you're testing for that kind of capability, most eval suites fall short. The failure modes won't even show up because there are no existing eval suites designed to tackle that kind of work in a reliable, replicable way.

Counterarguments Worth Considering

Anthropic's disclosure leans heavily into national security language—export controls, the Chinese Communist Party, foreign adversaries closing the competitive gap. This framing serves their policy interests. They've consistently supported export controls and want to demonstrate that those controls are working, that apparently rapid progress of Chinese labs depends on stolen American capabilities rather than independent innovation.

Critics might note that Anthropic is simultaneously negotiating tensions about exactly how their technology should be used in military contexts while arguing these capabilities are too dangerous to let Chinese labs access. The reality is messier than the press release would have you believe.

And here's where the framing gets too convenient. The incentive to steal frontier model capabilities would exist even if China and the United States were close allies. It would exist even if there were no military applications at all. It exists because of the most basic force in information economics: the cost of generating intelligence is astronomically higher than the cost of copying that intelligence.

Bottom Line

The strongest part of this argument is the core insight: distillation isn't an espionage problem—it's an economic problem driven by the fundamental asymmetry between creating and copying intelligence. The biggest vulnerability is that nobody's built eval suites to measure sustained agentic performance, so buyers genuinely can't tell the difference between frontier and distilled models on the work that actually matters most. Watch for vendors who sidestep this question when you ask about long-horizon autonomous tasks—that gap is where value or risk lives.

Transcript excerpt on Nate B Jones

Anthropic just caught three Chinese labs stealing Claude's brain. And the real story is that everybody wants to do that. Three Chinese AI labs just got caught running 16 million automated conversations with Claude across 24,000 fake accounts to steal Claude's capabilities. Deepseek, Moonshot, Miniaax, industrial scale extraction with hydra networks of fraudulent accounts, proxy services to evade geographic restrictions, and in Miniaax's case, a pivot within 24 hours of a new model release to capture the latest capabilities before anyone could stop them.

If this sounds like it came out of a spy movie, it probably should. Everyone's calling this Cold War, and they're wrong. If you stop at the Cold War framing, you will miss the single most important implication for your career, your company, and every AI tool that you're using right now. What nobody is saying is that this is not really a China problem, not fundamentally, not structurally.

This is a Napster problem. The most valuable intelligence ever created by an American company is stored as math. It's stored at OpenAI. It's stored at Google.

It's stored at Enthropic as math. weightless, copyable, extractable through a chat window. And the gap between what's inside the frontier labs and what everyone else can access creates what I would call a pressure gradient. The same force that makes water flow downhill.

When one side has capabilities worth potentially trillions of dollars and the other side can extract them for thousands of dollars, the information moves always. The gradient is so extreme that distillation isn't really properly framed as espionage. Even if it meets that bar, it should be framed as piracy. And piracy, as the music industry learned in 1999 and the film industry learned in 2003, doesn't stop.

It slows down. The question that matters is what is the speed of that slowdown versus the capability gain in Frontier models? And when model capabilities are doubling every 90 days or so, that matters. But that's not even the part that should keep you up at night.

The part that should keep you up at night is this. Distilled models, the ones built from stolen outputs, the ones that look competitive on benchmarks, the ones your company might be buying or rolling out for free right now, are systematically worse than frontier models in ways that no eval suite does a good job of measuring today. And ...

Watch on YouTube →