Back to blog
    Anthropic Just Exposed the Biggest Problem in AI: You Don't Own Your Models
    model-ownershipdistillationvendor-lock-inai-strategydeepseekanthropic

    Anthropic Just Exposed the Biggest Problem in AI: You Don't Own Your Models

    Anthropic caught DeepSeek, Moonshot, and MiniMax using 24,000 accounts to distill Claude. The real lesson isn't about Chinese AI labs — it's about what happens when you build on AI you don't own.

    EErtas Team·

    On February 23, 2026, Anthropic published a blog post that made headlines across the tech industry. The company had detected what it called "industrial-scale distillation attacks" on Claude by three Chinese AI labs: DeepSeek, Moonshot AI, and MiniMax.

    The numbers were staggering. Over 24,000 fraudulent accounts. More than 16 million exchanges with Claude. Three separate campaigns, each targeting different capabilities, running simultaneously across Anthropic's platform.

    Most coverage framed this as a story about Chinese companies stealing from an American AI lab. That framing is incomplete. The deeper story is about a structural problem that affects every business building with AI today — including yours.

    What Actually Happened

    Here are the facts as Anthropic reported them.

    DeepSeek generated over 150,000 exchanges with Claude. Their queries targeted reasoning tasks, rubric-based grading suitable for training reinforcement learning reward models, and censorship-safe rewrites of politically sensitive content. The pattern was systematic — designed to extract specific capabilities that could be fed directly into their own training pipeline.

    Moonshot AI (the company behind Kimi) was more aggressive, accounting for over 3.4 million exchanges. Their focus: agentic reasoning, tool use, coding, data analysis, computer-use agents, and computer vision. Essentially, they were mining Claude for the capabilities that make AI agents useful.

    MiniMax drove the most volume — over 13 million exchanges. At that scale, the line between "heavy usage" and "systematic extraction" starts to blur, which is exactly the problem.

    All three companies routed their activity through networks of accounts designed to avoid detection. Anthropic's security team identified the campaigns through behavioural analysis, linking accounts by usage patterns, query structures, and access timing.

    What Distillation Actually Is

    Before going further, it's worth understanding what model distillation is — because it's not inherently malicious.

    Distillation is a standard machine learning technique. You take a large "teacher" model and use its outputs to train a smaller "student" model. The student learns to approximate the teacher's behaviour at a fraction of the compute cost. It was first described in a 2015 paper by Geoffrey Hinton, and every major AI lab uses it internally.

    OpenAI distills its own models to create cheaper variants. Anthropic does the same. Meta published Llama 3 specifically to enable the open-source community to build on it — including through distillation. The technique is foundational to how the AI industry operates.

    The controversy isn't the technique. It's the source.

    The Nuance the Media Is Missing

    Here's where the coverage gets interesting — and where most outlets stop short.

    These companies paid for their accounts. They used the API. They received outputs. They followed the technical process that millions of other customers follow every day. The difference is what they did with those outputs: they used them as training data for their own models.

    What's worth noting is how Anthropic's own terms frame this. On one hand, Anthropic assigns output ownership to customers — their terms state: "we assign to you all of our right, title, and interest — if any — in Outputs." You pay for the API call. You own what comes back. On the other hand, Anthropic's Usage Policy explicitly prohibits "utilization of inputs and outputs to train an AI model" without prior authorisation. Not just competing models — any AI model.

    Anthropic's blog post about the incident was measured in its language. They acknowledged that distillation is "a widely used and legitimate training method," and that frontier labs "routinely distill their own models." The violation, as Anthropic framed it, was contractual — a Terms of Service breach — not criminal theft, despite how many headlines characterised it.

    But the line between "use" and "distillation" is blurrier than the headlines suggest. Consider the progression:

    • A SaaS company integrates Claude to power a customer support feature in their app. That's using the API for its intended purpose. Clearly permitted.
    • That same company logs all Claude responses to analyse patterns and improve their product. Still standard practice. Still permitted.
    • That same company realises they could fine-tune a small model on those logged outputs to reduce latency and cut costs. Now they're technically in breach of the Usage Policy.

    In all three cases, the company is doing the same thing: using API outputs for their business objective. They're not building a competing AI lab. They're not extracting frontier capabilities. They're just a SaaS team trying to serve their users better.

    And this isn't a hypothetical edge case. Thousands of teams right now are using frontier API outputs to synthesise training datasets — not to compete with Anthropic or OpenAI, but to build lightweight models for one narrow task in their product. A classifier. An extractor. A formatter.

    The ToS makes no distinction between DeepSeek systematically distilling Claude at industrial scale and a five-person startup fine-tuning a 7B model on logged API responses. Both technically require prior authorisation. But only one made headlines.

    This tension reveals something the industry hasn't fully resolved: when you sell API access and assign output ownership, but restrict how those owned outputs can be used for AI training, you're creating a relationship with inherent friction. Every business that depends on AI APIs should understand where that friction sits — because the boundary between "using" and "training on" outputs only gets blurrier as AI-powered products mature.

    The Real Lesson: This Is What Vendor Dependency Looks Like at Scale

    Strip away the geopolitics and the legal questions. What actually happened here?

    Three companies — collectively valued at billions of dollars, with thousands of engineers — determined that the fastest path to AI capabilities they needed was to extract those capabilities from someone else's platform.

    They didn't lack talent. They didn't lack compute. They didn't lack ambition. What they lacked was ownership of the specific capabilities they wanted. So they went and rented them — at industrial scale — from Anthropic's API.

    That's vendor dependency. It's just that most businesses experience it at a smaller scale.

    When your AI-powered support bot depends entirely on OpenAI's API, you're in the same structural position as DeepSeek — just with fewer accounts. You don't own the model. You don't control the capabilities. You can't take the intelligence you've built and move it somewhere else.

    And here's what makes it worse: unlike DeepSeek, you probably don't have a plan for what happens when access gets revoked.

    Why This Matters for Your Business

    You might be thinking: "We're not distilling models. We're just using the API. This doesn't apply to us."

    It does. Here's why.

    The same dependency risk exists at every scale. If your product depends on Claude or GPT-4, you're one policy change away from disruption. Anthropic banned 24,000 accounts overnight. OpenAI deprecated GPT-4o with roughly two weeks notice. The Assistants API — which thousands of developers built production systems on — is being sunset. These aren't hypotheticals. They're recent history.

    Your competitive position is borrowed, not built. If you're building AI features on top of a cloud API, your differentiation is your prompt engineering and your workflow — not your model. That means any competitor who signs up for the same API can approximate what you offer. You're in the same GPT wrapper trap that's already commoditising AI agencies.

    Your costs are controlled by someone else. Per-token pricing means your AI expenses are variable and unpredictable. A usage spike from a client promotion can wipe out your margins in a week. And when the provider decides to raise prices — or deprecate the model you've optimised for — you absorb the cost of adaptation with no negotiation.

    Your data flows through someone else's infrastructure. Every API call sends your data — your customers' data — to a third-party system. For regulated industries, this creates compliance risk that grows with every new regulation. For everyone else, it means you're training someone else's models with your usage patterns, even if the provider says they don't use your data for training.

    If your business depends on AI you don't own, you're already at risk. Fine-tune your own models with Ertas — no ML expertise required. Join the waitlist →

    The Model Ownership Alternative

    The Anthropic/DeepSeek story has a straightforward solution hiding in plain sight: own your models.

    Not "own" in the sense of having an API key. Own in the sense of possessing the actual model weights, trained on your data, running on your infrastructure, under your control.

    Here's what that looks like in practice:

    Start with an open-source base model. Llama 3, Qwen 2.5, Mistral — these are production-quality models with permissive licences. Meta explicitly allows distillation of Llama with proper attribution. You're not violating anyone's ToS. You're not dependent on anyone's API. You have the weights on your own hardware.

    Fine-tune on your domain data. Take that base model and fine-tune it on your specific use case. Your customer support logs. Your product documentation. Your sales conversations. Your compliance requirements. The resulting model doesn't just approximate generic intelligence — it develops capabilities unique to your business.

    Export and deploy anywhere. Export to GGUF format and run on Ollama, llama.cpp, LM Studio, or any compatible inference engine. Your model runs on your hardware. No API calls. No per-token costs. No vendor that can deprecate your model or change the rules.

    The economics are compelling. Agencies running 15 clients on API calls typically spend AU$4,200/month. The same workload on per-client fine-tuned LoRA adapters costs under AU$15/month — a 99.6% reduction. Indie developers scaling from 100 to 40,000 users watch their API bill go from $12/month to $3,000/month. With a fine-tuned local model, the cost stays essentially flat.

    But the economics are actually the secondary benefit. The primary benefit is this: nobody can take your model away.

    No provider can deprecate it. No ToS change can invalidate it. No account ban can shut it down. No pricing change can make it unaffordable. It's yours.

    What "Owning Your AI" Actually Looks Like

    Model ownership isn't all-or-nothing. You don't have to rip out every API call tomorrow. The practical path looks more like this:

    Phase 1: Identify your highest-volume, most predictable AI tasks. These are your fine-tuning candidates. Tasks where the input/output format is consistent, you have training data available, and you're paying significant per-token costs. Customer support classification, content generation in a specific format, data extraction from structured documents.

    Phase 2: Fine-tune a model for one task. Use your existing API logs as training data. Fine-tune a 7B or 14B parameter model. Compare quality against your current API-based solution. For domain-specific tasks, fine-tuned models consistently hit 90-95% accuracy — often matching or exceeding what prompt-engineered frontier models deliver.

    Phase 3: Deploy in parallel. Run your fine-tuned model alongside the API for a testing period. Route a percentage of traffic to the local model. Validate quality. Measure cost savings. Build confidence.

    Phase 4: Expand. Once one task is running on your own model, repeat the process for the next. Over 90 days, you can migrate your most critical AI workloads from rented to owned.

    The tools to do this already exist. Open-source models are production-quality. LoRA fine-tuning is efficient enough to run on consumer-grade GPUs. GGUF export means your model is portable across inference engines.

    The barrier has never been technical feasibility. It's been accessibility — the gap between "theoretically possible" and "practically achievable" for teams without ML expertise.

    That's the gap Ertas is designed to close. A visual interface for the entire pipeline: upload your dataset, fine-tune the model, compare results side-by-side, export to GGUF. No Python. No YAML configs. No CLI. Setup in about two minutes.

    The Real Takeaway

    The Anthropic/DeepSeek story will be debated for months. The geopolitics, the legal questions, the national security implications — these are real and important conversations.

    But for builders, founders, agency owners, and product teams, the takeaway is simpler:

    If you're building on AI you don't control, you're building on someone else's terms. Those terms can change at any time. The only path to true AI independence is model ownership — models trained on your data, running on your infrastructure, owned by you.

    DeepSeek had to create 24,000 fake accounts because they didn't own the capabilities they needed. You have a better option: build those capabilities yourself, on open-source foundations, with your own data.

    The technology exists. The economics work. The only question is how long you wait to start.

    Stop renting your AI. Pre-subscribe to Ertas at early-bird pricing and own your models from day one. Builder tier locks in at $14.50/mo for life. See pricing →

    Ship AI that runs on your users' devices.

    Early bird pricing starts at $14.50/mo — locked in for life. Plans for builders and agencies.

    View early bird pricingor join the waitlist →

    Keep reading

    What Happens When Your AI Provider Cuts You Off? A Survival Guide
    AI Strategy

    What Happens When Your AI Provider Cuts You Off? A Survival Guide

    Anthropic banned 24,000 accounts overnight. OpenAI deprecated GPT-4o with 2 weeks notice. Your AI provider can change the rules at any time. Here's your survival guide for vendor dependency.

    The AI Independence Checklist: 7 Signs You're Too Dependent on a Single Provider
    AI Strategy

    The AI Independence Checklist: 7 Signs You're Too Dependent on a Single Provider

    A self-assessment checklist for AI vendor dependency. Score yourself on 7 warning signs — from single-provider concentration to prompt engineering as duct tape — and get actionable next steps for each risk level.

    What AI Model Ownership Actually Means (and Why It Matters More Than the API Price)
    AI Strategy

    What AI Model Ownership Actually Means (and Why It Matters More Than the API Price)

    Ownership in AI isn't about having an API key. It's about possessing model weights, controlling behavior, and eliminating the dependency that comes with renting intelligence from someone else.