China's rapid progress in artificial intelligence appears less like a breakthrough in engineering and more like a coordinated campaign of systematic theft. When DeepSeek released its R1 model in January 2025, U.S. policymakers initially believed the Chinese company had discovered a fundamentally superior approach to AI development, training a competitive reasoning model for roughly $6 million compared to the hundreds of millions spent by American labs. But new disclosures from leading U.S. AI developers reveal a far more troubling picture: DeepSeek and other Chinese AI laboratories achieved their apparent efficiency gains by systematically extracting and stealing the capabilities of American frontier models through a technique called knowledge distillation .

What Exactly Is Knowledge Distillation, and Why Does It Matter?

Knowledge distillation is a process where one AI model learns from another by studying its outputs. Think of it like a student copying answers from a teacher's solution manual rather than solving problems independently. In legitimate contexts, distillation is a standard technique for making AI models smaller and faster. But when done without permission, it becomes industrial espionage .

The scale of the theft uncovered in February 2025 shocked the AI industry. Anthropic, the company behind Claude, disclosed that three Chinese AI laboratories, DeepSeek, Moonshot AI, and MiniMax, had orchestrated a coordinated attack using more than 24,000 fraudulent accounts to generate over 16 million exchanges with Claude. These weren't random queries; they were systematically designed to extract Claude's reasoning capabilities, chain-of-thought processes, and agentic behaviors, which are the most valuable and difficult-to-develop components of modern AI systems .

OpenAI reported similar findings to the House Select Committee on China, revealing that DeepSeek employees had developed methods to circumvent access restrictions and systematically harvest model outputs. Google's Threat Intelligence Group documented comparable extraction attempts against Gemini, observing that distillation attacks had increased significantly over the preceding year .

How Did This Theft Operation Actually Work?

• Fraudulent Account Creation: Chinese AI labs created thousands of fake accounts to access U.S. AI services without triggering security alerts or usage limits that might flag suspicious activity.
• Systematic Query Design: Rather than random requests, the accounts submitted carefully crafted prompts designed to extract specific reasoning patterns and internal decision-making processes from American models.
• Large-Scale Data Harvesting: Over 16 million exchanges were generated with Claude alone, creating a massive dataset of high-quality reasoning outputs that could be used to train competing models.
• API Exfiltration: Microsoft security researchers observed individuals allegedly affiliated with DeepSeek exfiltrating large volumes of data through OpenAI's application programming interface (API), the technical interface that allows programs to communicate with each other.

This wasn't a spontaneous effort by a few rogue employees. The coordination across multiple Chinese AI companies, the sophistication of the attack methods, and the sheer volume of data extracted suggest an organized, well-resourced campaign .

Why This Undermines the "Sputnik Moment" Narrative?

When DeepSeek R1 launched, many observers in Washington and Silicon Valley interpreted it as a Sputnik moment, a reference to the Soviet Union's 1957 satellite launch that shocked American policymakers and sparked a technological arms race. The narrative suggested that China had simply outengineered the United States through superior efficiency and innovation. But the evidence tells a different story .

"It's been clear for a while now that part of the reason for the rapid progress of Chinese AI models has been theft via distillation of U.S. frontier models," stated Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and co-founder of CrowdStrike.

Dmitri Alperovitch, Chairman of the Silverado Policy Accelerator and Co-founder of CrowdStrike

The timeline supports this assessment. As early as 2024, security researchers had observed suspicious activity. When DeepSeek R1 launched in January 2025, White House AI and crypto czar David Sacks stated publicly that there was "substantial evidence" that DeepSeek had distilled from OpenAI's models. The February 2025 disclosures simply documented the practice at an industrial scale that had been occurring for months .

What Are the Broader Implications for AI Competition?

This revelation fundamentally changes how policymakers should think about AI competitiveness. If Chinese companies can achieve competitive results by stealing American research rather than conducting their own, it suggests that the real competition isn't about engineering talent or computational resources, but about protecting intellectual property and preventing unauthorized access to frontier models .

The scale of the theft also raises questions about the adequacy of current security measures. U.S. AI companies have implemented access controls and usage limits, but these proved insufficient against a coordinated, well-funded adversary willing to create tens of thousands of fraudulent accounts. The fact that over 16 million exchanges were extracted from Claude before detection indicates that the attack operated for an extended period without triggering sufficient alarms .

For American policymakers, the implications are stark. The apparent efficiency of Chinese AI development may have been subsidized by theft of American intellectual property. This raises questions about whether current export controls, investment restrictions, and security requirements for AI companies are adequate to protect the nation's technological advantage in one of the most strategically important domains of the 21st century.