
OpenAI, Anthropic, Google Unite to Fight AI Model Copying From China

Using over 24,000 fake accounts, Chinese AI firms extracted 16 million conversations from Anthropic's Claude alone. Now OpenAI, Google and Anthropic are coordinating defenses.

Marcus Williams

Three of the fiercest rivals in American artificial intelligence, OpenAI, Anthropic and Google, began sharing threat intelligence through a joint industry body to combat what they described as industrial-scale copying of their proprietary models, with Chinese companies named as the primary source of coordinated extraction campaigns.

The coordination is happening through the Frontier Model Forum, an industry nonprofit that OpenAI, Anthropic, Google and Microsoft co-founded in 2023. The companies are using that structure to exchange technical indicators of abuse, flag extraction campaigns and develop joint legal and policy responses. It represents an unusual degree of cross-competitor cooperation in an industry that typically guards information about its vulnerabilities with extreme secrecy.

At the center of the effort is a technique called adversarial distillation. In standard practice, distillation is a widely used deep learning method in which a large "teacher" model transfers learned patterns to a smaller, more efficient "student" model. The adversarial version transforms that process into something closer to systematic extraction: networks of fake user accounts flood a target model with carefully designed queries, harvest the outputs and use them to train competing models that approximate the original's capabilities at a fraction of the development cost. The result is a rival product built not on independent research, but on the commercial output of the lab being copied.

The documented scale has been striking. In a February 22, 2026 disclosure, Anthropic accused three Chinese companies, DeepSeek, Moonshot AI and MiniMax, of running coordinated campaigns against its Claude models using more than 24,000 fake accounts to generate over 16 million conversations. Anthropic described the operation as "industrial-scale distillation attacks." MiniMax alone accounted for roughly 13 million queries, pivoting tactics repeatedly as Anthropic updated its defenses. Moonshot AI drove 3.4 million exchanges targeting coding and computer-vision tasks, while DeepSeek focused 150,000 prompts specifically on chain-of-thought and reward-model data, the architectural components most valuable for replicating reasoning capabilities.

OpenAI had already sent a memo to the U.S. House Select Committee on China on February 12, 2026, warning of "activity indicative of ongoing attempts by DeepSeek to distill frontier models of OpenAI and other US frontier labs, including through new, obfuscated methods." The memo described how DeepSeek employees developed techniques to route queries through third-party networks to evade access controls, accusing the company of "free-riding on the capabilities developed by OpenAI and other US frontier labs." DeepSeek has not commented publicly on those allegations.


The concern extends beyond lost revenue. Both Anthropic and OpenAI have warned that illicitly distilled models strip out the safety guardrails built into the originals, potentially enabling applications in cyberattacks, bioweapons research and offensive military operations. Distillation drew its first broad public scrutiny in 2025 after DeepSeek released its R1 reasoning model at an unusually low claimed cost, prompting Microsoft and OpenAI to investigate whether the startup had improperly exfiltrated training data from U.S. models to build it.

Officials familiar with the Frontier Model Forum coordination said the effort was designed both to protect commercial value and to reduce national security risks from large-scale, unauthorized replication of frontier models. Companies involved declined to discuss operational specifics, citing the risk of alerting adversaries.

Legal scholars and trade policy experts cautioned that technical countermeasures and private information-sharing alone are unlikely to hold. Effective defense, they argued, will require governments to clarify intellectual property rules for AI models, establish cross-border enforcement mechanisms and potentially expand export controls and trade remedies to cover model extraction. The Institute for AI Policy and Strategy has already called on the Commerce Department's Bureau of Industry and Security to consider Entity List designations against firms conducting distillation attacks.

The Frontier Model Forum coordination signals that U.S. AI labs have concluded this is a problem requiring collective action. Whether governments respond with enforceable policy will determine the limits of what the industry can accomplish on its own.
