top of page

Anthropic Got Caught Doing the Thing It Keeps Warning Everyone About


Audio cover
Anthropic Got Caught

In March, Anthropic quietly shipped tracking code inside Claude Code that checked whether a user's machine was set to a Chinese time zone and whether it was talking to domains linked to certain Chinese AI companies. It sat there undisclosed until a developer found it, Alibaba banned Claude Code over it, and Anthropic pulled the code last week, calling it an "experiment" it would replace with "better defenses."

Set aside for a second whether the tracking itself was the right call. The more interesting fact is what it was built to catch, because it points directly at the fight I've been writing about from the other side for months — and this week that fight went from architecture debate to actual espionage.


What Distillation Actually Is

Distillation isn't new and isn't inherently shady. It's a training technique: you run a huge number of queries against a large, expensive model, collect its responses, and use them to train a smaller, cheaper model to approximate the big one's behavior. Labs do it to their own models all the time — OpenAI shipped a tool in 2024 to make distilling its own models easier, and Elon Musk testified in court in May that xAI uses the technique too. It's normal. What's not normal, according to Anthropic, is the scale some Chinese labs are allegedly running it at. In a June 10 letter to the Senate Banking Committee, Anthropic accused Alibaba's Qwen team of using roughly 25,000 fraudulent accounts to generate more than 28.8 million exchanges with Claude in six weeks — an industrial harvesting operation dressed up as normal usage. In February, Anthropic made similar accusations against DeepSeek, Moonshot, and MiniMax.


Anthropic says it has banned nearly 700,000 accounts tied to Chinese usage overall, on top of requiring government ID verification for some users and blocking anyone more than 50% Chinese-owned, anywhere in the world.

The White House got involved directly. An April memo from OSTP's Michael Kratsios accused Chinese firms of running "deliberate, industrial-scale campaigns" to distill U.S. frontier models, and Senator Tim Scott has since held hearings framing this as a national security question, not a licensing dispute.


The Argument Underneath the Argument

Here's what Anthropic actually said in its own blog post laying this out: distillation and export-control workarounds have let Chinese labs "trail closely" behind U.S. models — and if the distillation specifically can be shut down, the U.S. might "lock in a 12-24 month lead." Read that sentence again. That's not a company saying its technology is untouchable. That's a company saying its lead is a rented one, and the eviction notice depends on whether it can stop people from copying the homework.


I wrote a few weeks ago about a different piece of this same puzzle — an open-source U.S. model called Ornith-1.0 that beat Claude on real coding benchmarks by learning to design its own execution logic instead of following a human-written playbook. The point of that piece wasn't the benchmark scores. It was that for two straight years, the real AI arms race hadn't been happening in the boardrooms fighting over export licenses — it had been happening in open-weight releases, where Chinese models had quietly become the majority of everything downloaded and modified worldwide. Ornith was a genuine U.S. answer on the open side of that fight.


This week gave us the closed side of the same fight, and it looks a lot less confident. Cybersecurity firm Semgrep found that Zhipu AI's open-weight GLM 5.2 model beat Claude Code and roughly matched Claude's flagship Opus 4.8 on real vulnerability-detection benchmarks — a free, exportable model going toe-to-toe with a model the U.S. government restricts from leaving the country. Securin's CEO put it about as plainly as it can be put: "They're very close, and they cost you nothing."


Why the Surveillance Is the Tell

When a company is confident its product is simply better, it competes on the product. When a company starts building covert tracking into its own software to catch people copying it, verifying IDs, and lobbying the White House for export-control-style protection, that's a company competing on access instead of merit — because the merit gap is closing faster than the lead can be defended.


None of this makes the underlying complaint fake. Distillation without permission genuinely is a terms-of-service violation, and 25,000 fraudulent accounts running 28.8 million queries in six weeks is not a gray area — that's an industrial operation, not a curious developer. Anthropic and OpenAI have a legitimate grievance. But a grievance and a strategy aren't the same thing, and the strategy on display this week — hidden trackers, banned accounts, government ID checks, a White House memo — is a defensive crouch, not a moat.


It's also probably not going to work. Chinese users who've spent two decades finding ways around the Great Firewall are, unsurprisingly, good at finding ways around a Western company's regional login checks. The Washington Post found Claude and ChatGPT pro subscriptions being resold in China for as little as $12 a month through Taobao proxy networks, a small fraction of the $100-plus U.S. price. Every account Anthropic bans, a new one reportedly takes its place within hours.


Where This Actually Goes

The uncomfortable version of the story is that the open-source gap I wrote about with Ornith and the closed-lab panic on display this week are the same phenomenon, viewed from two different rooftops. When a technology's frontier can be approximated by watching it answer enough questions, the moat was never the model — it was the head start. Head starts compress. That's not a scandal, it's just what happens when the thing you're protecting is fundamentally copyable by anyone patient enough to ask it a few million questions.


The real signal to watch isn't the tracking code, or even the Senate letter. It's whether the labs actually racing each other — Anthropic, OpenAI, and their Chinese counterparts — end up spending more engineering time on defenses against being copied than on the next model that's actually hard to copy. Whoever answers that question first is the one who understood which war they were actually fighting.


Rich Washburn is a technologist and strategist working at the intersection of AI, infrastructure, and capital. He is Managing Partner and Chief AI Officer at Eliakim Capital and CIO of Data Power Supply.

Comments


Animated coffee.gif
cup2 trans.fw.png

© 2018 Rich Washburn

bottom of page