AI Firms Seek US Help Against China Model Distillation

Artificial Intelligence & Machine Learning , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime AI Firms Seek US Help Against China Model Distillation Anthropic Says Legal Gaps Leave Frontier Labs Vulnerable to LLM Copying Emilia David • June 25, 2026     Credit Eligible Get Permission US-based AI companies are urging the US government to crack down on alleged illicit model distillation by Chinese AI developers. (Image: Shutterstock) U.S.-based artificial intelligence companies have accused Chinese firms of illicitly distilling their large language models to create competitive products, and they're asking the U.S. government for help. See Also: Know Thy Enemy: Threats to Cyber Resilience Current methods for protecting AI models owned by U.S. companies offer limited remedies, forcing companies to police these threats themselves and allowing bad actors to continue conducting distillation attacks. Frontier AI companies including OpenAI and Anthropic have each warned the government that Chinese companies are using American-made models to train their own. Anthropic went a step further by asking the government to exert export controls against Chinese companies for distillation and to create protections through stiffer regulation. Bloomberg reported Anthropic sent a letter on June 10 to the ranking members of the Senate Committee on Housing, Banking and Urban Affairs, Sen. Elizabeth Warren, D-Mass., and Tim Scott, R-S.C., detailing what the company called illicit distillation by Chinese company Alibaba to train its Qwen model. Anthropic's accusation is the latest in a string of complaints from American AI companies that Chinese frontier labs unlawfully use their models to teach LLMs still in development. In early 2025, OpenAI and Microsoft accused DeepSeek of distillation for its blockbuster DeepSeek R-1 model, after an investigation by Microsoft researchers found individuals possibly connected to DeepSeek "exfiltrated" large amounts of data. In February, Anthropic disclosed that it believes DeepSeek, Moonshot AI, which developed Kimi K2, and MiniMax, had suspiciously large exchanges with Anthropic models. Distillation lets companies train models on other models' outputs, so that it learns from a "teacher model" without needing to access the large training dataset that the bigger model used. It's a fairly common practice in the AI sector and is often seen as a cost-effective and compute-effective approach for smaller companies and enterprises to develop their own models. Most of the time, AI model firms don't object to distillation because they do it themselves. But there's an unspoken rule, which Anthropic wants codified, that model distillation projects should only be undertaken with the knowledge and permission of the model provider. The U.S. government responded through a National Security and Technology Memorandum issued on April 23. The memo, while a good first step, lacks teeth, the Institute for AI Policy and Strategy (IAPS) said in a recent paper. The memo doesn't address the impact of semiconductor exports and distillation attacks, an issue Anthropic also pointed to in its June 10 letter and leaves out specific mechanisms the government will take to hold foreign companies accountable. "To adequately address these gaps, the administration should develop further policy to account for the risks associated with distillation attacks," IAPS said in its paper. Much of the current defense against distillation attacks come from the frontier labs themselves. Many voluntarily release research into what they believe are extraordinarily large amounts of conversations with their models, since a high volume of conversations could mean a user is trying to get responses that can be used as training data. But defending against attacks also comes with a danger: If Anthropic notices strange patterns with its model and shares that information with competitors such as OpenAI, it leaves both companies open to scrutiny and accusations of collusion. Anthropic and IAPS both recommended the government pass legislation that provides a legal framework for the United States to penalize distillation attacks. The regulation, Anthropic argued, should also clarify antitrust rules to allow frontier labs to share information about distillation attacks more effectively. Anthropic said the lack of enforcement emboldened Alibaba, and that without penalties, Alibaba may continue to distill models for its benefit. The companies best positioned to help curb the problem, though, are currently legally constrained to share as much information as possible.