Artificial Intelligence · April 8, 2026 · 4 min read

The Great Model Theft: How AI Labs Are Fighting Back Against Intelligence Harvesting

In early 2026, OpenAI, Anthropic, and Google took a step that would have been unthinkable two years earlier: they began sharing proprietary threat intelligence with each other through the Frontier Model Forum. The reason? A coordinated campaign by several AI labs — reportedly based in China — to systematically harvest the intelligence of Western frontier AI models through a technique called unauthorized model distillation. The scale of the operation was staggering: millions of automated API queries designed to extract the knowledge and reasoning patterns of models like Claude, GPT-4, and Gemini into smaller, cheaper models that could be deployed independently.

What Model Distillation Actually Is

Model distillation is a legitimate and widely-used machine learning technique. A smaller “student” model is trained to replicate the outputs of a larger “teacher” model, learning to produce similar responses at a fraction of the computational cost. Google uses it to create Gemma from Gemini. Microsoft uses it for Phi models. It’s how the AI industry makes large model capabilities accessible in smaller, deployable packages.
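To make the student/teacher relationship concrete, here is a toy distillation loop written for this article (it is not code from Google, Microsoft or any of the labs mentioned). The "teacher" is a hypothetical hand-written nonlinear scorer over 2-D inputs standing in for a large model; the student is a small softmax classifier that never sees the teacher's internals, only its soft output probabilities for a batch of queries, and is trained to reproduce them. The assumed hyperparameters (temperature 2, learning rate 0.1, 200 epochs) are choices made for the illustration:

```python
import math
import random

CLASSES = 3
N_FEATURES = 6


def softmax(logits, temperature=1.0):
    """Softmax with temperature; higher T exposes more of the teacher's 'dark knowledge'."""
    scaled = [v / temperature for v in logits]
    m = max(scaled)
    exps = [math.exp(s - m) for s in scaled]
    z = sum(exps)
    return [e / z for e in exps]


def teacher_logits(x, y):
    # Hypothetical teacher (assumption): a fixed nonlinear scorer standing in for a large model.
    # The student only ever observes softmax(teacher_logits), never these coefficients.
    return [3.0 * x - y, 2.0 * x * y + 0.5, 1.5 * (x * x + y * y) - 1.0]


def teacher_label(x, y):
    lg = teacher_logits(x, y)
    return max(range(CLASSES), key=lg.__getitem__)


def features(x, y):
    # Student's input representation: a small fixed feature map.
    return [1.0, x, y, x * y, x * x, y * y]


class Student:
    """Linear softmax classifier over the feature map: the small, cheap model."""

    def __init__(self):
        self.w = [[0.0] * N_FEATURES for _ in range(CLASSES)]

    def logits(self, x, y):
        f = features(x, y)
        return [sum(wi * fi for wi, fi in zip(row, f)) for row in self.w]

    def predict(self, x, y):
        lg = self.logits(x, y)
        return max(range(CLASSES), key=lg.__getitem__)


def agreement(student, points):
    """Fraction of points where student and teacher choose the same class."""
    return sum(student.predict(x, y) == teacher_label(x, y) for x, y in points) / len(points)


def distill(student, queries, temperature=2.0, lr=0.1, epochs=200):
    """Soft-label distillation: minimise cross-entropy between teacher and student
    softened distributions by plain SGD. Gradient w.r.t. student logits is (pred - target)."""
    for _ in range(epochs):
        for x, y in queries:
            target = softmax(teacher_logits(x, y), temperature)   # the recorded API response
            pred = softmax(student.logits(x, y), temperature)
            f = features(x, y)
            for k in range(CLASSES):
                g = pred[k] - target[k]
                for j in range(N_FEATURES):
                    student.w[k][j] -= lr * g * f[j]
    return student


def run_demo(n_queries=200, seed=0):
    """Returns (agreement before distillation, agreement after) on a held-out grid."""
    rng = random.Random(seed)
    queries = [(rng.uniform(-1, 1), rng.uniform(-1, 1)) for _ in range(n_queries)]   # constructed query set
    grid = [(i / 10, j / 10) for i in range(-10, 11) for j in range(-10, 11)]        # held-out evaluation
    student = Student()
    before = agreement(student, grid)
    distill(student, queries)
    after = agreement(student, grid)
    return before, after


if __name__ == "__main__":
    b, a = run_demo()
    print(f"agreement with teacher: before={b:.2f} after={a:.2f}")
```

The point to notice is that nothing about the teacher's parameters leaves the teacher; the student's capability comes entirely from the query/response pairs, which is exactly why a response log is the asset worth protecting.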

The problem arises when distillation is performed without authorization — using API access to a proprietary model as the teacher without the model owner’s consent. By sending millions of carefully designed queries to Claude or GPT-4 and recording the responses, an attacker can build a training dataset that captures a significant portion of the model’s reasoning capability. The resulting distilled model doesn’t contain the original model’s weights — so it doesn’t violate traditional software copyright in an obvious way — but it reproduces the model’s behavior in ways that required hundreds of millions of dollars and years of research to develop.

The Scale of the Problem

Reports suggest that certain organizations generated millions of automated exchanges with systems like Claude and GPT-4, systematically covering different domains — coding, mathematics, science, reasoning, creative writing — to build comprehensive training datasets. The queries were designed to elicit the models’ most sophisticated reasoning behaviors: chain-of-thought explanations, step-by-step problem solving, nuanced analysis of complex scenarios.

The cost to the attackers was minimal — API access fees of perhaps a few hundred thousand dollars. The value extracted was potentially billions of dollars worth of research and development. It’s one of the most asymmetric forms of intellectual property theft in history.

The Response: Frontier Model Forum

The Frontier Model Forum, originally established for AI safety coordination, has become the vehicle for the industry’s response. Member companies are now sharing data on suspicious API usage patterns, coordinating detection of automated distillation attempts, developing technical countermeasures including query fingerprinting and output perturbation that degrade distillation quality without affecting legitimate users, and working with governments on legal frameworks that explicitly address unauthorized model distillation.

Technical countermeasures are the most immediately actionable. These include detecting statistical patterns in API queries that indicate automated distillation rather than genuine usage, adding subtle perturbations to model outputs that are imperceptible to individual users but degrade the quality of models trained on those outputs, limiting the information density of responses to automated queries, and rate limiting and behavioral analysis to identify and throttle distillation campaigns.
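As an added illustration of the "statistical patterns in API queries" and "behavioral analysis" countermeasures, the following detector is written for this article and is not code from the Frontier Model Forum or any member lab. It aggregates per-API-key features from a constructed JSON-lines request log (volume, breadth of domains covered, regularity of inter-request timing, how often prompts explicitly elicit step-by-step reasoning, and output length) and flags keys whose behaviour matches the harvesting profile the article describes. The log fields, the reasoning-phrase list and the scoring thresholds are all assumptions for the example:

```python
import json
import statistics
from collections import defaultdict

# Phrases that ask for the model's most elaborate reasoning (assumed heuristic list).
REASONING_PHRASES = ("step by step", "explain your reasoning", "show your work", "chain of thought")


def build_sample_log():
    """Constructed JSON-lines API log for two keys; not real traffic."""
    lines = []
    domains = ["code", "math", "science", "reasoning", "creative", "law"]
    # key_A: machine-regular timing, broad domain coverage, every prompt elicits full reasoning.
    for i in range(12):
        lines.append(json.dumps({
            "ts": 1000.0 + 5.0 * i, "key": "key_A", "domain": domains[i % 6],
            "prompt": f"Solve problem {i} and explain step by step", "out_tokens": 900}))
    # key_B: a human-paced session that stays within one or two domains.
    human = [
        (1000.0, "chat", "what's a good name for a cat", 40),
        (1043.0, "chat", "ok and a dog?", 30),
        (1100.0, "creative", "write a haiku about autumn", 60),
        (1260.0, "creative", "make it sadder", 60),
        (1300.0, "chat", "explain your reasoning for the last one", 200),
    ]
    for ts, dom, prompt, toks in human:
        lines.append(json.dumps({"ts": ts, "key": "key_B", "domain": dom,
                                 "prompt": prompt, "out_tokens": toks}))
    return "\n".join(lines)


def parse_log(text):
    """One JSON object per line; blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def key_stats(records):
    """Per-key behavioural features over the window covered by the records."""
    by_key = defaultdict(list)
    for r in records:
        by_key[r["key"]].append(r)
    stats = {}
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        gap_cv = None  # coefficient of variation of inter-request gaps; ~0 means scripted
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            gap_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        reasoning = sum(any(p in r["prompt"].lower() for p in REASONING_PHRASES) for r in recs)
        stats[key] = {
            "count": len(recs),
            "domains": len({r["domain"] for r in recs}),
            "gap_cv": gap_cv,
            "reasoning_frac": reasoning / len(recs),
            "mean_out_tokens": statistics.mean([r["out_tokens"] for r in recs]),
        }
    return stats


def score_key(s):
    """Count the harvesting indicators present (thresholds are assumptions for this example)."""
    reasons = []
    if s["count"] >= 10:
        reasons.append("high volume")
    if s["domains"] >= 4:
        reasons.append("broad domain coverage")
    if s["gap_cv"] is not None and s["gap_cv"] < 0.2:
        reasons.append("machine-regular timing")
    if s["reasoning_frac"] >= 0.8:
        reasons.append("systematic reasoning elicitation")
    if s["mean_out_tokens"] >= 600:
        reasons.append("consistently long outputs")
    return len(reasons), reasons


def flag_keys(records, threshold=3):
    """Keys meeting the indicator threshold, with their score and the reasons."""
    flagged = {}
    for key, s in key_stats(records).items():
        score, reasons = score_key(s)
        if score >= threshold:
            flagged[key] = (score, reasons)
    return flagged


if __name__ == "__main__":
    for key, (score, reasons) in flag_keys(parse_log(build_sample_log())).items():
        print(f"{key}: score={score} reasons={reasons}")
```

In production this would run over a rolling window per key and feed a throttling or review decision rather than a hard block; the value of the approach is that each indicator on its own is innocuous (long outputs, or a batch job with regular timing), while the combination across many domains is what distinguishes a harvesting campaign from ordinary heavy use.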

The Geopolitical Dimension

The model theft issue sits at the intersection of AI competition and US-China technology rivalry. If Chinese AI labs can replicate Western frontier model capabilities at minimal cost through distillation, it undermines the competitive advantage created by billions of dollars of Western investment in AI research. It also potentially circumvents export controls on advanced AI chips — if you can build competitive models using distillation rather than massive compute, chip restrictions become less effective as a strategic tool.

The intelligence harvesting campaign has accelerated calls for treating frontier AI models as strategic assets requiring national security-level protection. Whether that’s the right framework or an overreaction is debatable — but the fact that the conversation is happening at all reflects how central AI has become to national competitiveness.

The AI industry is learning a lesson that other industries learned decades ago: when you build something valuable enough, someone will try to steal it. The question now is whether technical countermeasures and international norms can evolve fast enough to protect the enormous investments being made in frontier AI development.

stayupdatedwith.ai Team

AI education researchers and engineers building the future of personalized learning.
