June 02, 2026

Adversarial Distillation

China’s Campaign to Extract American AI Capabilities

I. Introduction: The National Security Threat of Adversarial Distillation

The Chinese Communist Party (CCP) views artificial intelligence (AI) as central to strategic competition with the United States and is pursuing every means to strengthen its AI ecosystem. China’s base of talent, energy, and data gives its developers resources to rival U.S. competitors. However, export controls on advanced semiconductors and manufacturing equipment have put China at a large and growing deficit in computing power. The CCP and Chinese developers have sought to overcome these restrictions along three axes. The first is to close the computing gap through smuggling chips, remotely accessing foreign hardware, and producing indigenous chips. The second is industrial espionage. The third is adversarial distillation.

Distillation is a technique for training AI models in which a developer prompts one model and uses its responses to train another. Because those responses reflect the original model’s intelligence, they help raise the new model’s capabilities—and by choosing what to prompt and in what volume, a developer can target specific skills. This technique is used by many actors for legitimate and authorized purposes. Developers use it to create smaller or task-optimized versions of their own models—Black Forest Labs, for example, distilled its premium image generation model into smaller, open-weight versions—and some, including OpenAI, offer distillation tools that let enterprise customers create custom-trained versions of their models. Open-weight model developers also use distillation techniques, as the Allen Institute for AI did in developing Olmo 3.

Adversarial distillation is the extraction of AI model capabilities at scale through unauthorized access to U.S. AI systems or their supporting infrastructure to develop AI models for a foreign adversary or for entities subject to the jurisdiction or direction of a foreign adversary. Unauthorized access includes, but is not limited to, the circumvention of technical, contractual, identity-verification, or geographic controls imposed by the provider, and the use of fraudulent or misrepresented credentials. Anthropic and OpenAI have documented that multiple named Chinese entities are conducting this activity at scale, while Google has documented similar activity without explicitly identifying particular actors.

Left unaddressed, adversarial distillation represents a strategic vulnerability for the U.S. AI ecosystem. U.S. companies have invested heavily in protecting their model weights from theft through insider threat programs and cybersecurity measures. Adversarial distillation circumvents these defenses because it does not require access to the model’s weights. By exploiting U.S. model responses at each stage of training, Chinese and other adversarial developers can make faster and larger capability gains than they would independently. Once one Chinese developer has extracted and internalized these gains, other Chinese developers can in turn freely distill from those models. Finally, because adversarial distillation generates data by leveraging U.S. infrastructure, it spares Chinese developers’ own limited compute for other uses. Together, these effects give China’s AI ecosystem a reliable means to remain an even faster follower.

The consequences of adversarial distillation are already visible in how the CCP is wielding AI to threaten U.S. national security. The party’s security apparatus has adopted models from DeepSeek and other developers for military modernization and mass surveillance. The People’s Liberation Army (PLA) Unit 61716, the outfit responsible for psychological warfare against Taiwan, has been documented working with a Chinese firm on a DeepSeek-powered AI system. More capable Chinese AI that can replicate the cyber capabilities of U.S. models like Anthropic’s Claude Mythos and OpenAI’s GPT-5.5 will make intrusions by groups such as Volt Typhoon, which pre-positioned in U.S. critical infrastructure, and Salt Typhoon, which breached major U.S. telecommunications carriers, faster, harder to detect, and easier to scale—putting millions of Americans at direct risk.

The window to act for the U.S. government and industry is narrowing. Each new generation of U.S. models that Chinese developers distill allows them to lock in gains to the Chinese AI ecosystem, just as a critical threshold approaches whereby AI-enabled research engineering could accelerate the pace of AI development. MiniMax, one of the Chinese companies alleged by Anthropic to have carried out an adversarial distillation campaign, already claims that its new M2.7 model was the first to assist in its own training. As AI systems begin to accelerate their own development, the United States cannot afford to allow its own hard-won progress to enable China’s national security apparatus.

The U.S. government recognizes this threat and has begun to take steps to address it. National Security and Technology Memorandum 4 (NSTM-4), issued on April 23, 2026, by the Office of Science and Technology Policy, found that “foreign entities, principally based in China, are engaged in deliberate, industrial-scale campaigns to distill U.S. frontier AI systems,” and it previewed steps the administration will take to help the U.S. private sector defend itself and hold the offending foreign entities accountable. The proposed Deterring American AI Model Theft Act of 2026 (H.R. 8283), which unanimously passed the House Foreign Affairs Committee on April 22, 2026, affirmed that “the unauthorized acquisition of model capabilities . . . by entities of concern through model extraction attacks represents a threat to the national security and foreign policy interests of the United States,” and the legislation would direct actions to identify, punish, and deter adversarial distillation.

This paper explains how adversarial distillation works and which supply chains enable it, assesses why current defenses are insufficient, and recommends measures to detect and deter these campaigns.

II. How Adversarial Distillation Works

Distillation can work across segments of the model training pipeline. For each segment, distillation prompts the target model to produce outputs used to train the secondary model. Model training has two phases:

  • Pre-training. The model ingests enormous datasets, including much of the public internet, learning to predict what comes next in any sequence of text. This process conditions the model to internalize the patterns, facts, and relationships embedded in the data, building a broad foundation of knowledge and capabilities.
  • Post-training. The model is refined through several techniques, the most relevant being supervised fine-tuning (SFT) and reinforcement learning with verifiable rewards (RLVR). In SFT, the model is trained to imitate particularly high-quality solutions to problems. In RLVR, the model is given difficult problems and rewarded for solving them through reasoning chains that can incorporate tools such as web search and coding environments. Successful solutions teach the model which strategies work for solving problems of a particular kind.

These two phases are mutually reinforcing. A stronger, pre-trained baseline model unlocks more advanced post-training, and the capabilities gained through post-training can be distilled back into future pre-training, raising the baseline further. A model after SFT can solve a greater subset of the problems presented during RLVR, which means it learns from more advanced examples and develops more sophisticated strategies. Each cycle compounds on the last. This is the flywheel that makes adversarial distillation so effective. Rather than having to iteratively climb the ladder themselves, adversaries can extract the outputs of U.S. models to make larger gains per step.

Methods of Adversarial Distillation

Adversarial distillation targets four distinct components within the model training pipeline: synthetic data generation, chain-of-thought extraction, data cleaning, and reward modeling. Each method strategically uses the outputs of a more capable U.S. model to enhance the training of a less capable Chinese model.

Synthetic Data Generation. New generations of AI models depend on new data to become more capable, but internet-sourced data is finite and proprietary datasets are gated. As a result, developers increasingly prompt their own models to generate synthetic data—diverse ranges of scenarios, tasks, and actions—that are then used to train the next generation. With adversarial distillation, malicious actors prompt more capable U.S. models to generate high-quality synthetic data, then use it across their training pipeline.

Chain-of-Thought Extraction. When AI models reason through problems, they produce step-by-step chains of thought that can be extracted and used as pre-training or SFT data. Recognizing this risk, many U.S. developers hide their models’ chains of thought so that adversaries cannot use them. However, U.S. systems remain vulnerable to prompt injections that trick them into revealing chains of thought. With adversarial distillation, malicious actors prompt U.S. models to generate high-quality chains of thought, and pre-train or SFT their models on them to extract capabilities.

Data Cleaning. Developers also require high-quality data, and models can be used to filter out duplicates, errors, and low-quality content from training sets, whether that means removing junk data before pre-training or subtle reasoning errors in SFT. With adversarial distillation, malicious actors use more capable U.S. models to filter and refine the data that they use across their training pipeline.

Reward Modeling. Developers can use one model to evaluate whether the outputs of another model being trained are correct, constructing the reward signal that lets it learn successful vs. unsuccessful strategies. Verifying that “1 + 2 = 3” does not require a capable reward model. However, judging the success of converting an entire codebase to another coding language while preserving every interconnected feature requires a highly capable one. With adversarial distillation, malicious actors leverage more capable U.S. models to grade outputs and shape the RLVR of their own.

Figure 1 | The Adversarial Distillation Cycle

Four methods extract capabilities from U.S. models across the training pipeline. Synthetic data, chain of thought, and data cleaning feed pre-training and supervised fine-tuning (SFT); reward signals shape reinforcement learning with verifiable rewards (RLVR). Adversaries make larger gains per cycle and bring extracted capabilities into the broader Chinese artificial intelligence (AI) ecosystem.

Evidence of Adversarial Distillation

Public reporting from Anthropic, Google, and OpenAI highlights three characteristics of these campaigns beyond the methods used: their scale, sophistication, and adaptiveness. Together they reveal the importance of adversarial distillation to AI development in China.

Scale. The total tokens—the basic units of data that large language models process—alleged to have been extracted in adversarial distillation campaigns would meaningfully strengthen Chinese AI development. Anthropic reports that DeepSeek, Moonshot, and MiniMax together generated over 16 million exchanges with Claude, which Nathan Lambert of the Allen Institute for AI estimates to represent 150 billion to 400 billion tokens. Google’s Threat Intelligence Group documents over 100,000 prompts in a single chain-of-thought extraction campaign, equivalent to 1 billion to 2.5 billion additional tokens by Lambert’s methodology. These partial figures reported by Anthropic, Google, and OpenAI represent only the campaigns that were detected and disclosed—the actual volume of adversarial distillation across U.S. providers is likely far larger.

Even divided among the three Chinese entities named by Anthropic, the volume of extracted tokens would exceed by orders of magnitude DeepSeek-R1’s entire SFT dataset, estimated by Epoch AI to have consisted of just 6.4 billion tokens. These tokens are likely disproportionately valuable, as adversarial distillation can target reasoning and domain-specific capabilities in areas such as software engineering that cannot be replicated from public data.

Sophistication. Adversarial distillation campaigns are engineered to evade detection. These campaigns reportedly operate through “hydra cluster” architectures, distributed networks of fraudulent accounts spread across application programming interfaces (APIs) and third-party platforms where any single disabled account is immediately replaced by another. In one case, a single proxy network operated more than 20,000 fraudulent accounts in parallel. More striking, although the three campaigns Anthropic identified were from different Chinese companies that extracted different capabilities, they appeared to follow a similar playbook. This degree of complexity suggests sustained, possibly coordinated efforts.

Adaptiveness. The companies alleged to have conducted adversarial distillation campaigns appear to track and flexibly respond to new U.S. AI models and defenses. When Anthropic released a new model during an active distillation campaign led by MiniMax, the Chinese company pivoted within 24 hours, redirecting nearly half its traffic to capture capabilities from the latest U.S. model. OpenAI similarly observed evasion methods evolve in response to new platform protections, describing the broader Chinese adversarial distillation apparatus as a “maturing ecosystem” rather than a static one. This agility suggests a sustained capability among Chinese actors to monitor and adapt to changes in the U.S. AI ecosystem.

Taken together, these campaigns represent significant investments by technically proficient, well-capitalized firms competing in one of China’s most cutthroat markets. If adversarial distillation were not paying off for these firms, it would be a remarkable strategic error.

Three further lines of evidence support this inference. First, statements by Chinese AI engineers and researchers suggest the ecosystem views adversarial distillation as essential to its progress. Wang Xiang, a researcher at Fudan University, has implied that Chinese developers depend on adversarial distillation, saying that “Chinese AI companies must break free from their reliance on shortcuts.” Zhang Chi, a former ByteDance engineer, appeared in an interview to confirm the widespread use of adversarial distillation. Second, Epoch AI has made limited measurements of publicly available distilled models, finding the technique meaningfully improved a model’s performance on specific benchmarks. Third, the relative underdevelopment of China’s industry for sourcing expert contracted data and reinforcement learning environments—analogous to U.S. firms such as Scale AI and Mechanize—suggests Chinese AI developers may depend on adversarial distillation for capability-enhancing data rather than the domestic industry.

Policymakers cannot wait for complete information to act—existing evidence is sufficient to consider adversarial distillation a significant strategic threat.

Open Challenges in Measuring Adversarial Distillation

While the evidence necessary for policy action is substantial, there remain several challenges to precisely measuring the scale and impact of adversarial distillation for China’s AI capabilities. Directly quantifying gains would require experimental replication—training a baseline Chinese model twice under identical conditions, with and without distilled data. The necessary inputs—the Chinese developer baseline model, its proprietary training data, and the distilled data fragmented across U.S. model hosts—are each independently unavailable to analysts. Even if they were obtainable, isolating the contribution of distillation would require training runs costing hundreds of millions of dollars today and projected by Epoch AI to exceed $1 billion by 2027.

Any experiment calibrated to today’s distillation landscape may not generalize, as methods and effects evolve. Early chain-of-thought extraction has been joined by synthetic data generation, data cleaning, and reward modeling. The effect of using U.S. models as reward models for post-training problems requiring 10,000 tokens to solve likely differs substantially from problems requiring 10 million.

Inferring the impact of distillation from observed differences between U.S. and Chinese models is similarly difficult. These gaps cannot be cleanly attributed to distillation because internal resource allocation produces identical signatures. Chinese models appear closer to matching U.S. capabilities on Science, Technology, Engineering, and Mathematics (STEM) reasoning benchmarks such as SWE-Bench Verified, while lagging on abstract benchmarks such as ARC-AGI. This pattern is consistent with distillation, as STEM capabilities may be easier to extract. But it is equally consistent with Chinese developers prioritizing economically useful STEM capabilities given finite resources. Without access to the inputs described above, the two explanations cannot be distinguished.

However, three kinds of supplementary evidence could add more precision. First, controlled experiments on distillation-driven capability gains, building on Epoch AI’s initial work, could establish reference points across methods and model scales even if they do not generalize perfectly to large-scale training runs. Second, expanded open-source intelligence on discussions among Chinese developers would build on the statements cited above to map how the Chinese AI ecosystem itself understands adversarial distillation’s role in its progress. Third, investigative mapping of the intermediary supply chain described below, such as work done by Zilan Qian of the Oxford China Policy Lab, could document the scale, pricing, operational security, and geography to surface activity beyond the visibility of U.S. model hosts.

III. The Adversarial Distillation Supply Chain

Adversarial distillation using the methods outlined above operates through a supply chain of six actors: U.S. AI developers, cloud service providers, commercial token mixers, self-hosted token mixers, transfer stations, and the Chinese AI developers conducting these campaigns. This section analyzes the first five actors, whose infrastructure is the surface where adversarial distillation can be detected or deterred. The motivations and state linkages of the Chinese developers themselves are addressed elsewhere in this paper and other research.

Each actor has different visibility into adversarial distillation activity on their infrastructure, incentives to act on or obfuscate these signals, and technical capacities to do either. These signals can be broken down into four categories:

  • Prompt Signals. What the requester is asking for—whether prompts are designed to elicit synthetic data, reasoning traces, data cleaning, or output evaluation at scale, as well as what the model ultimately outputs.
  • Identity Signals. What entity is making the request—API key, account identity (email, credit card, billing address), account age, payment method, and whether credentials are owned by the requester or redistributed through intermediaries.
  • Network Signals. Where the request originates from—internet protocol (IP) address, corporate vs. residential origin, geographic consistency with the registered account, and whether traffic is routed through anonymizing infrastructure.
  • Behavioral Signals. How the requester behaves over time—request volume, templated patterns across many accounts, and rapid pivots to new models upon release.

These signals can be used to separate adversarial distillation from legitimate distillation. Understanding the interaction between actors in the adversarial distillation supply chain and these signals sheds light on effective policy responses.
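The behavioral signals listed above (request volume, templated patterns across many accounts, rapid pivots to new models upon release) can be computed from a model host's own request logs. The Python below is an added example, not code from this paper or from any provider; the record fields, account and model names, and thresholds are assumptions, and the log is constructed.

```python
"""Added example: behavioral signals over constructed API request logs."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta


def template_fingerprint(prompt):
    """Mask the parts of a prompt that vary between templated requests."""
    text = prompt.lower()
    text = re.sub(r'"[^"]*"', '"<str>"', text)  # quoted payloads
    text = re.sub(r"\d+", "<num>", text)        # counters and ids
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def templated_clusters(records, min_accounts=5):
    """Map fingerprint -> accounts, keeping templates shared by many accounts."""
    by_fp = defaultdict(set)
    for rec in records:
        by_fp[template_fingerprint(rec["prompt"])].add(rec["account"])
    return {fp: a for fp, a in by_fp.items() if len(a) >= min_accounts}


def model_share(records, accounts, model, start, end):
    """Fraction of the accounts' requests in [start, end) sent to `model`."""
    hits = total = 0
    for rec in records:
        if rec["account"] in accounts and start <= rec["ts"] < end:
            total += 1
            hits += rec["model"] == model
    return hits / total if total else 0.0


def flag_campaigns(records, new_model, release, min_accounts=5,
                   pivot_threshold=0.4, window=timedelta(hours=24)):
    """Combine the three behavioral signals per templated account cluster.

    Thresholds are illustrative assumptions, not values from the paper.
    """
    findings = []
    for fp, accounts in templated_clusters(records, min_accounts).items():
        before = model_share(records, accounts, new_model, release - window, release)
        after = model_share(records, accounts, new_model, release, release + window)
        findings.append({
            "fingerprint": fp,
            "accounts": sorted(accounts),
            "volume": sum(1 for r in records if r["account"] in accounts),
            "share_after_release": round(after, 2),
            "pivoted": after - before >= pivot_threshold,
        })
    return findings


def build_sample_log():
    """Constructed records (not real traffic): six coordinated accounts, three ordinary."""
    release = datetime(2026, 1, 10, 12, 0)  # hypothetical release time of "model-b"
    records = []
    for i in range(6):
        for k in range(8):
            # Requests at 8..2 hours before release and 2..8 hours after it.
            after = k >= 4
            hours = 2 * (k - 3) if after else 2 * (k - 4)
            records.append({
                "ts": release + timedelta(hours=hours),
                "account": f"acct-c{i}",
                # Half of the post-release traffic moves to the new model.
                "model": "model-b" if after and k % 2 == 0 else "model-a",
                "prompt": f'Task {i * 8 + k}: answer "item {k}" and label each step.',
            })
    ordinary = ["Translate this paragraph into French.",
                "Why does my unit test fail on CI?",
                "Draft a polite reply declining the meeting."]
    for i, prompt in enumerate(ordinary):
        records.append({"ts": release + timedelta(hours=i + 1), "account": f"acct-u{i}",
                        "model": "model-b", "prompt": prompt})
    return records, release


if __name__ == "__main__":
    log, released = build_sample_log()
    for finding in flag_campaigns(log, "model-b", released):
        print(finding)
```

The three ordinary accounts also use the new model right after release but are not flagged, because adopting a new model early is only suspicious in combination with a template shared across many accounts.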

1. U.S. Developers

Developers—including Anthropic, Google DeepMind, Meta, OpenAI, and xAI—create AI models and run the APIs that serve them. When users access a model through the developer’s API, the developer has near-total visibility into all four signal categories. Detailed public reports from Anthropic, Google, and OpenAI confirm adversarial distillation campaigns and attribute them to particular Chinese entities with high confidence.

U.S. developers have strong incentives to prevent adversarial distillation. Their corporate strategies depend on producing more capable proprietary systems than their competitors. The cost of enabling a competitor outweighs marginal revenue from API usage by these campaigns.

However, developers only have visibility into their infrastructure. When adversaries distribute campaigns across multiple model hosts—such as by querying GPT-5.5 via the OpenAI API, Microsoft Azure, and Amazon Web Services (AWS)—each company sees only a fragment of the broader effort. Legal constraints and data privacy requirements further restrict developers from sharing live signals with one another, a problem explored in greater detail below.

2. U.S. Cloud Service Providers

Cloud service providers—Amazon Web Services, Google Cloud, and Microsoft Azure—also serve AI models, offering them to their customers as managed services. When users access Claude through AWS Bedrock, for instance, the request goes to AWS, not Anthropic. This means cloud service providers have near-total visibility into all four signal categories for models served on their infrastructure, while in this case developers may have little or no visibility.

Several cloud service providers have close commercial relationships with developers, such as between OpenAI and Microsoft. But unlike developers, their corporate strategies do not depend on any particular model maintaining a capability lead—they can form partnerships with any developer and benefit from offering the widest range of leading models. Indeed, this is why their platforms also offer managed services for open weight models from DeepSeek, MiniMax, and Moonshot, the same entities accused of adversarial distillation.

The deeper problem is contractual. A core value proposition for cloud service providers is data privacy. AWS, for example, guarantees that “users’ inputs and model outputs are not shared with any model providers.” This commitment may prevent developers from detecting many of the signals of adversarial distillation occurring through cloud service providers. Even where cloud service providers do collect detailed signals, privacy commitments may limit how that information can be used internally, and organizational fragmentation across security, trust and safety, and commercial teams can make it difficult to assemble a complete picture. Complex commercial arrangements between cloud service providers and developers can also create uncertainty over which actor is responsible for preventing campaigns.

3. Commercial Token Mixers

Commercial token mixers, such as Eden AI, OpenRouter, and ShareAI, are routing services that provide a single API endpoint through which users can access AI models from multiple providers. Application developers rely on these services to simplify integration across providers through a single API, route each query to whichever model offers the best price or performance for a given task, and maintain redundancy when individual providers experience outages or rate limits. These services do not host models themselves and create two distinct problems for detecting adversarial distillation campaigns. First, they can present their own credentials and network origin to model hosts, obscuring the end user’s identity. Second, they fragment requests across multiple model hosts, ensuring no single developer or cloud service provider sees the full volume or pattern of a campaign. This fragmentation is why they are called token mixers.

Commercial token mixers have weaker incentives to detect and prevent adversarial distillation. Their business model centers on processing as many requests as possible, and they have no formal relationships with developers that would create countervailing pressure to act. These conditions position commercial token mixers to serve as unintentional enablers of adversarial distillation. Traffic from a Chinese entity routed through OpenRouter appears to model hosts like any other OpenRouter request, and the commercial token mixer holds the bridging data that would enable identification but has no obligation to share it. Commercial token mixers do not currently provide model hosts with technical means to prevent distillation by noncooperating users. Where policy compliance features exist—OpenRouter, for example, exposes a parameter that filters routing to models whose authors permit distillation—they are opt-in by the user and rely on the user’s voluntary compliance. They do not constrain a determined adversary.

4. Self-Hosted Token Mixers

Self-hosted token mixers, such as LiteLLM, are open-source tools that replicate the routing functionality of commercial token mixers but are deployed locally by the user. With these services, the host of the token mixer and the user—in this case the entity conducting the adversarial distillation campaign—are one and the same. The attribution problem is absolute—the adversary controls the infrastructure and there is no third party holding bridging data. Self-hosted token mixers do not automatically obfuscate identity or network signals, but adversaries can combine them with purchased credentials, transfer stations, and anonymizing networks such as Tor to defeat those signal categories. These services cannot be regulated at the software level. Removing one instance does not prevent another from being stood up from the same codebase.

5. Transfer Stations

Transfer stations are commercially mature intermediaries that resell unauthorized access to U.S. model APIs, routing traffic through proxy infrastructure to circumvent geographic restrictions, evade detection, and obscure the true origin of requests. They serve a broad customer base of Chinese developers, researchers, and other users seeking access to blocked U.S. models, which sustains the infrastructure that adversarial distillation campaigns exploit.

This ecosystem operates across three layers. At the software layer, two widely adopted Chinese-developed open-source projects—One-API and New-API—provide turnkey credential management, load balancing, billing, and multiprovider API aggregation; their developer documentation explicitly describes them as “key redistribution” systems. At the infrastructure layer, virtual private servers—concentrated particularly in Hong Kong and Singapore—reroute traffic to obscure its true origin. At the commercial layer, storefronts on platforms such as Xianyu and Taobao sell access directly; the top Claude API reseller has accumulated over 50,000 transactions. Internet-wide scanning by the authors using Shodan supports this concentration, showing disproportionate One-API and New-API deployments in Hong Kong and Singapore compared with usage patterns for comparable open-source tools, suggesting these jurisdictions are major hubs for transfer stations.

At least some transfer station traffic flows through Chinese state-linked telecom carriers. The House Select Committee on Strategic Competition between the United States and the Chinese Communist Party has found that major operators, including CloseAI and BianXie AI, route traffic over networks run by China Telecom and China Unicom, whose U.S. operating authority the Federal Communications Commission revoked in 2021 and 2022 on national security grounds. China’s 2017 National Intelligence Law and 2017 National Cybersecurity Law require all organizations, including carriers, to cooperate with the security services. Prompts and outputs flowing through transfer stations therefore reach entities answerable to the CCP, extending the threat of adversarial distillation to intelligence collection.

Transfer station operators’ visibility into their customers’ activity varies by their role in the supply chain. Application-layer proxies that forward API requests on behalf of users can in principle see prompt content, identity, and network origin. Those that only resell credentials or provide network routing may see little. In all cases, their incentive is to obscure rather than act on this information—obfuscation is their business. The relay platform CloseAI openly markets itself as “Asia’s largest enterprise-level AI transfer platform” and claims clients including Alibaba, Baidu, and Tencent, while listing a “ban cost” (封号成本) line item alongside standard operating expenses, reflecting a business model engineered to absorb enforcement pressure.

Together, transfer stations can defeat most signals of adversarial distillation. Purchased credentials replace the user’s true identity. Routing traffic through globally distributed infrastructure—cloud providers, residential proxies, and rapidly rotating servers—makes targeted blocking impractical, since the same infrastructure carries legitimate enterprise traffic and operators replace blocked nodes faster than blacklists can be updated. Because transfer stations carry ordinary queries—such as for coding, translation, or drafting—alongside an adversarial distillation campaign, the resulting traffic produces behavioral patterns that model hosts cannot reliably distinguish from normal use. These entities formed the “hydra cluster” described by Anthropic, blending distillation traffic with unrelated customer requests. However, transfer stations cannot obscure the prompts themselves, as requests still reach the model to generate a response. Developers and cloud service providers therefore retain visibility into prompt content even when they cannot trace it to a broader campaign.

Some of these activities are likely criminal under U.S. law. The use of fraudulent credentials to access U.S. platforms may constitute wire fraud and may violate the Computer Fraud and Abuse Act as unauthorized access or exceeding authorized access. The commercial sale of fraudulent credentials may itself be criminal in many jurisdictions, while payments related to these offenses could be considered money laundering. Microsoft’s December 2024 civil action against the operators of a transfer station called “oai reverse proxy” (Storm-2139), which resold stolen Azure OpenAI credentials for generating nonconsensual deepfake imagery, illustrates the geographic spread and limits of enforcement that characterize transfer station infrastructure more broadly. The named defendants were based in Hong Kong, Vietnam, Iran, and the United Kingdom, and the service routed stolen Azure OpenAI API credentials through Cloudflare tunnels. However, transfer stations often operate in jurisdictions with uneven regulatory enforcement and can reconstitute themselves under new corporate identities.

Figure 2 | The Adversarial Distillation Supply Chain

Six actors structure the supply chain. Signal visibility at each stage indicates whether prompt, identity, network, and behavioral data are visible to the entity, obscured when passed forward, or shareable across firms. Each intermediary route offers adversaries a self-contained path to obscure detection signals from U.S. model hosts.

IV. Conclusion and Recommendations

Developers and cloud service providers have built layered defenses against adversarial distillation—identity screening at account onboarding, behavioral and network monitoring for suspicious patterns, prompt-level classifiers, and abuse monitoring against accumulated logs—that have enabled the detection of major campaigns. But the scale of those campaigns suggests that current defenses alone are insufficient. Three limitations explain why. First, legal uncertainty over antitrust and the Stored Communications Act slows coordination among U.S. firms that robust defense requires. Second, intermediaries enable adversaries to defeat each signal category independently—prompts designed to bypass classifiers, identity constructed with purchased credentials, network origin rerouted through transfer stations, and behavioral signatures dispersed in legitimate traffic—while individual operators dissolve and reconstitute faster than account-level enforcement can keep pace. Third, adversaries adapt while policy inertia leaves predictable windows they can study and exploit.

The underlying problem is structural. No single actor in the U.S. AI ecosystem—whether a developer, cloud service provider, or government agency—has sufficient visibility, authority, or incentive to counter adversarial distillation alone. Developers and cloud service providers have visibility but face contractual and legal constraints on coordination. Intermediaries enable obfuscation. The U.S. government has coercive and diplomatic tools but lacks the granular visibility only companies possess.

Effective policy must therefore work across two dimensions simultaneously. It must improve detection by ensuring that U.S.-based actors that share common interests, even with imperfect incentives, can share the signals they need. And it must strengthen deterrence by raising costs on the foreign actors that enable and engage in adversarial distillation. In parallel, the United States must continue to sustain and strengthen controls on China’s access to advanced semiconductors and semiconductor manufacturing equipment, which constrain the computing power available to absorb distilled outputs into ever more capable Chinese models and deploy those models at scale. Such efforts would operationalize the commitments made by the U.S. government in NSTM-4 and go further. The recommendations below are organized accordingly.

Detection

The Department of Justice (DOJ) and Federal Trade Commission (FTC) should issue joint guidance clarifying that sharing noncontent signals of adversarial distillation between U.S. firms does not raise antitrust concerns and falls within existing Stored Communications Act exceptions.

This would allow developers, cloud service providers, and other actors to share information with one another more regularly, rather than being burdened by internal legal processes. The two legal questions are different in kind. The 2014 DOJ-FTC cybersecurity policy statement concluded that “properly designed sharing of cyber threat information should not raise antitrust concerns,” reasoning that the information being shared was technical, limited, and did not involve competitively sensitive information such as pricing. This was codified in the Cybersecurity Information Sharing Act of 2015, which provided exemptions from antitrust liability when companies shared cyber threat indicators or defensive measures with other companies. A similar policy could be developed for adversarial distillation.

The Stored Communications Act poses a different question. As a federal statute restricting providers from disclosing customer content and records, with exceptions—including for the “protection of the rights or property of the provider”—its application to industry-wide signal sharing is unsettled. Joint guidance can clarify the scope of existing exceptions, not expand them.

Signals of adversarial distillation do not fall neatly into existing cyber threat sharing frameworks or exceptions to the Stored Communications Act, as such campaigns involve the abuse of commercial services rather than the use of malware or network intrusions. Narrow DOJ-FTC guidance should clarify, separate from any statutory exemption, that properly designed sharing of adversarial distillation signals should not raise antitrust concerns, under the same legal reasoning as the 2014 statement. Parallel guidance should clarify that noncontent signals of adversarial distillation—such as account indicators, network origins, behavioral patterns, and hashed prompts, described below—fall within existing Stored Communications Act exceptions, permitting companies to exchange them. Consistent with established cyber threat sharing practice, the protection should not extend to personally identifiable information about legitimate users or commercially sensitive information not directly related to the threat.

U.S.-based AI developers, cloud service providers, and commercial token mixers should establish a collective forum for the rapid dissemination of signals of adversarial distillation, and the National Institute of Standards and Technology’s (NIST) Center for AI Standards and Innovation (CAISI) should develop best practices for the broader U.S. AI ecosystem.

Defending the U.S. AI ecosystem against adversarial distillation requires a tiered architecture—an industry-led forum for rapid, operational signal sharing among the major U.S. actors that hold the relevant data, and public best-practices guidance for the long tail of smaller U.S. actors that lack robust detection infrastructure and can be more readily exploited.

The industry forum should develop shared protocols and databases for identifying adversarial distillation in real time. Its core mechanism could draw on the model established by the Global Internet Forum to Counter Terrorism (GIFCT), which enabled members to share digital signatures, known as hashes, of terrorist content for rapid removal. A forum dedicated to combating adversarial distillation could likewise hash and disseminate suspicious signals on a shared database, without disclosing prompt content that could fall afoul of the Stored Communications Act. Similar or matching hashes uncovered by different members would indicate a campaign was underway, while preserving the privacy of ordinary users. This forum should also coordinate shared investments and analysis for improving defenses, such as by commissioning white-hat penetration testing of member platforms.
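The hash-and-match mechanism described above can be sketched as follows. This is an added illustration, not code from this report, from GIFCT, or from any existing forum. The shared key, the three-word shingle size, the 0.6 similarity cutoff, the member names, and the sample prompts are all constructed assumptions.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Assumptions for this sketch: a key distributed only to forum members,
# three-word shingles, and a Jaccard cutoff of 0.6 for "similar".
FORUM_KEY = b"constructed-demo-key-not-a-real-secret"
SHINGLE_WORDS = 3
MATCH_THRESHOLD = 0.6


def normalize(prompt):
    """Lowercase, mask digit runs and drop punctuation so templated
    variants (problem 17 vs. problem 2048) reduce to the same tokens."""
    text = re.sub(r"\d+", "0", prompt.lower())
    return re.findall(r"[a-z0-9]+", text)


def signature(prompt, key=FORUM_KEY):
    """Keyed hashes of overlapping word shingles. Only this set is
    submitted to the shared database; the prompt text stays with the member."""
    words = normalize(prompt)
    if not words:
        return frozenset()
    count = max(len(words) - SHINGLE_WORDS + 1, 1)
    shingles = {" ".join(words[i:i + SHINGLE_WORDS]) for i in range(count)}
    return frozenset(
        hmac.new(key, s.encode(), hashlib.sha256).hexdigest()[:16]
        for s in shingles
    )


def jaccard(a, b):
    """Overlap of two signatures: 1.0 is a match, 0.0 is unrelated."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def find_campaigns(submissions, threshold=MATCH_THRESHOLD):
    """Cluster (member, signature) pairs whose signatures are similar and
    return only clusters reported by two or more distinct members."""
    parent = list(range(len(submissions)))

    def root(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(submissions)):
        for j in range(i + 1, len(submissions)):
            if jaccard(submissions[i][1], submissions[j][1]) >= threshold:
                parent[root(j)] = root(i)

    clusters = defaultdict(list)
    for i in range(len(submissions)):
        clusters[root(i)].append(i)

    campaigns = []
    for indexes in clusters.values():
        members = sorted({submissions[i][0] for i in indexes})
        if len(members) >= 2:  # repeats inside one member are not a cross-firm signal
            campaigns.append({"members": members, "submissions": indexes})
    return campaigns


# Constructed sample: what each member flagged locally before hashing.
TEMPLATE = "Solve problem {} step by step and show your full reasoning before the final answer"
SAMPLE = [
    ("member_a", signature(TEMPLATE.format(17))),
    ("member_a", signature("What is the weather forecast for Boston this weekend")),
    ("member_b", signature(TEMPLATE.format(2048))),
    ("member_c", signature("solve problem 5 step by step, and show your complete reasoning before the final answer.")),
    ("member_d", signature("Summarize the attached quarterly report in 3 bullet points")),
    ("member_d", signature("Summarize the attached quarterly report in 5 bullet points")),
]

if __name__ == "__main__":
    for campaign in find_campaigns(SAMPLE):
        print(campaign)
```

Anyone holding the key can test a guessed prompt against a submitted signature, so the key limits exposure to forum members rather than making the hashes irreversible.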

The Frontier Model Forum (FMF) is a plausible foundation for this effort, but both the FMF and broader industry would need to take steps to make it effective. While it has already begun to enable information sharing among its members, the forum should actively expand its membership to ensure comprehensive signal coverage across the U.S. AI ecosystem. xAI, a leading U.S. AI developer, is not currently a member; a forum that excludes any major U.S. developer will leave gaps in visibility and reduce the effort’s credibility. The forum should also extend participation to U.S.-based commercial token mixers such as OpenRouter for the specific purpose of combating adversarial distillation. These companies depend on continued access to U.S. models, creating concrete incentives to cooperate even absent bilateral commercial relationships.

This forum should complement rather than substitute for the AI Information Sharing and Analysis Center (AI-ISAC) proposed in the July 2025 AI Action Plan. While AI-ISAC should serve as the broader hub for government-industry threat intelligence coordination across AI security issues, the operator-to-operator, real-time, high-volume signal sharing required to detect adversarial distillation specifically is better addressed through an industry-led forum.

In parallel, CAISI should convene U.S. industry to develop best practices designed to support the broader ecosystem of specialized U.S. AI developers, such as World Labs and Chai Discovery, who may be targeted but lack adequate defenses. This could include guidance on enterprise customer verification, rate-limiting and anomaly detection patterns, and integration of developers’ anti-distillation tools into downstream products. As the primary U.S. government point of contact with the private sector to facilitate testing, collaborative research, and best practices related to commercial AI systems, CAISI is best positioned to lead this effort, though it should refrain from detailing detection methods that could provide a roadmap for adversaries.

The National Security Agency (NSA) should, as appropriate, provide U.S. AI developers and cloud service providers with support in identifying threat actor identities, infrastructure, and obfuscation methods.

Even with improved industry coordination, the fragmented nature of the adversarial distillation supply chain means companies may still lack the intelligence context needed to attribute campaigns to specific Chinese threat actors, map the full infrastructure of transfer station networks, or identify coordination patterns that span multiple providers and jurisdictions. The U.S. intelligence community is positioned to fill these gaps and fulfill the commitment in NSTM-4 for the U.S. government to share information with U.S. AI companies.

Without revealing sources and methods, the NSA should share actionable information with U.S. AI developers and cloud service providers, such as the affiliations and state linkages behind anonymized credentials, the infrastructure and commercial networks that transfer stations operate through, and patterns of coordination. The NSA’s Cybersecurity Collaboration Center, which facilitates threat intelligence sharing with the defense industrial base largely in the unclassified domain, offers a proven model for structuring support. This approach is well-suited to the AI sector, where few companies currently have the cleared personnel or secure facilities needed to handle classified intelligence. For intelligence that cannot be adequately sanitized for unclassified sharing, the government should sponsor security clearances for a small number of trust and safety and threat intelligence personnel at major U.S. AI developers and cloud service providers. Any such program should operate under existing oversight frameworks to maintain appropriate boundaries between intelligence and commercial activity.

Deterrence

The Departments of Commerce, State, the Treasury, Justice, and Homeland Security should launch a coordinated campaign of export controls, diplomacy, and law enforcement to disrupt the transnational intermediary infrastructure that enables adversarial distillation.

The intermediary ecosystem depends on infrastructure, platforms, and financial networks concentrated in a small number of jurisdictions, particularly in Asia. Disrupting it requires a coordinated effort that reaches into the jurisdictions where it operates.

The Department of Commerce’s Bureau of Industry and Security (BIS) should add to the Entity List foreign commercial token mixers and transfer station operators that route or facilitate adversarial distillation traffic against U.S. AI models. Designation should carry a license requirement for all items subject to the Export Administration Regulations (EAR), with a presumption of denial. BIS should prioritize operators whose infrastructure has been documented in adversarial distillation campaigns, including those that sell fraudulent credentials and proxy access. Foreign commercial token mixers that lack adequate know-your-customer controls and that have been identified as conduits should be designated on the same basis. To mitigate the problem of intermediaries dissolving and reconstituting under new corporate identities, BIS should pair designations with standing guidance to U.S. model hosts for enhanced due diligence on any new intermediary that exhibits similar characteristics to a designated entity—including overlapping infrastructure, personnel, payment channels, or routing patterns.

A legal limitation affects the current reach of these designations, however. BIS does not currently consider the provision of cloud computing services or API-based inference as falling within the EAR’s definition of “controlled items.” Entity List designation would create screening obligations and reputational risk for intermediaries but may not prohibit U.S. model hosts from processing their API requests. Closing this gap requires legislative action, addressed below.

Other agencies should pursue parallel actions to disrupt the broader intermediary infrastructure. The Departments of Justice and Homeland Security should pursue law enforcement cooperation with jurisdictions where transfer stations are concentrated. To the extent these intermediaries engage in selling, facilitating the use of, and processing payments for fraudulent credentials, the activities are criminal under U.S. law and may violate local criminal statutes governing fraud and unauthorized computer access. These agencies should pursue mutual legal assistance requests targeting specific operators and provide support for identifying and dismantling intermediary infrastructure. The Department of State should deliver a démarche to jurisdictions that host commercial token mixers and transfer station operators to enforce existing U.S. and local authorities against these networks and offer technical assistance to build capacity to detect and disrupt these networks independently. The Department of the Treasury should issue a Financial Crimes Enforcement Network (FinCEN) advisory to financial institutions, flagging the transfer station infrastructure as a financial crime risk.

The president should issue an executive order under the International Emergency Economic Powers Act (IEEPA) declaring a national emergency with respect to the threat posed by adversarial distillation of U.S. AI models by foreign adversaries.

An IEEPA-based executive order would provide immediate and independent authority to prohibit U.S. persons from providing AI inference services to designated foreign actors, overcoming the limitations of the Entity List. The order should be narrowly scoped to address adversarial distillation, using the definition in this paper to insulate legitimate research and other uses. The order should authorize two categories of action against designated foreign persons: a targeted services prohibition barring U.S. infrastructure-as-a-service and inference providers from furnishing services to designated entities, without those entities becoming Specially Designated Nationals (SDNs); and full blocking sanctions against SDNs and their subsidiaries under the Department of the Treasury Office of Foreign Assets Control’s 50 percent rule. While restrictions related to this order would be bounded by jurisdictional limits to U.S. persons and persons within U.S. territory, the Remote Access Security Act would, once implemented, extend to remote access of U.S.-controlled hardware regardless of location.

These authorities should be deployed in a graduated fashion. Initial SDN designations should target the intermediary operators involved in documented campaigns, paired with targeted services prohibitions applied to Chinese AI developers. If Chinese AI developers do not cease adversarial distillation, full blocking sanctions on the developers themselves should follow, extending pressure across the broader intermediary ecosystem through the U.S. financial system’s compliance cascade. This escalation ladder parallels the phased framework developed by Joe Khawam and Tim Schnabel of the Law Reform Institute, whose analysis of the underlying authorities informs the architecture above.

After issuance of the order, the Department of State should deliver a démarche to authorities in Beijing and provide direct notice to Chinese AI developers identified in public reporting, specifying the conduct that would trigger designation under the new authority and the conditions under which initial designations would escalate to full blocking sanctions.

Congress should enact the Deterring American AI Model Theft Act of 2026 (H.R. 8283) and the Remote Access Security Act (H.R. 2683) to provide durable statutory authorities for the actions recommended above.

H.R. 8283 would codify and provide additional direction for several of the actions described above. It would require the interagency committee that decides Entity List additions to formally determine whether identified entities should be added, authorize blocking sanctions, and direct the Department of State to conduct recurring assessments of adversarial distillation campaigns and the entities conducting them. The bill would also create a public list of identified entities maintained by the Department of State based on those assessments, raising reputational costs and creating a durable evidentiary record that supports the designations recommended above.

The Remote Access Security Act would close the gap described above by granting BIS explicit authority to regulate remote access to controlled items through cloud services and inference APIs. Without this authority, the Entity List and IEEPA designations recommended above would create screening obligations and reputational risk but could not fully prohibit U.S. model hosts from processing API requests from designated entities.

About the Authors

Daniel Remler is a senior fellow with the Technology and National Security Program at the Center for a New American Security (CNAS). His research focuses on the implications of artificial intelligence (AI) and emerging technologies for U.S. national security, foreign policy, and strategic competition, including risks from advanced AI systems. Prior to joining CNAS, Remler served as a policy advisor in the Office of the Special Envoy for Critical and Emerging Technology at the U.S. Department of State, where he led AI policy and cowrote the department’s first technology diplomacy strategy. He previously worked as a journalist with The Economist, where he covered American politics and public policy. Remler holds an MPA from the Harvard Kennedy School and a BA in economics and history from the University of California, Berkeley.

Ben Hayum is a research assistant with the Technology and National Security Program at CNAS. Before CNAS, Hayum was a PhD student in computer science researching AI security and interpretability. He worked for Americans for Responsible Innovation as an AI policy intern, providing machine learning expertise to inform policy on risks from advanced AI. He founded the Wisconsin AI Safety Initiative, a student organization with alumni working at METR, Cooperative AI Foundation, Center for AI Safety, and Congress. Hayum holds a master’s degree in computer science from the University of Wisconsin-Madison’s College of Computing and Artificial Intelligence and a bachelor’s degree in data science and neurobiology.

About the Technology and National Security Program

The CNAS Technology and National Security Program produces cutting-edge policy research to secure America’s edge in emerging technologies while managing potential risks to security and democratic values. The program produces bold, actionable recommendations to drive U.S. and allied leadership in responsible technology innovation, adoption, and governance. The Technology and National Security Program focuses on three high-impact technology areas: AI, biotechnology, and quantum information sciences. It also conducts cross-cutting research to strengthen U.S. technology statecraft to promote secure, resilient, and rights-respecting digital infrastructure and ecosystems abroad. A focus of the program is convening the technology and policy communities to bridge gaps and develop solutions.

Acknowledgments

The authors thank Theo Bearman, Seth Center, Vivek Chilukuri, Janet Egan, Kai-Shen Huang, Saif Khan, Joe Khawam, Moon Young Kim, Paul Scharre, and Tim Schnabel for their valuable feedback and suggestions on earlier drafts of this report. The authors are also grateful to experts in government, industry, and civil society who agreed to be interviewed as part of this research project. The report would not have been possible without the editorial and design contributions of CNAS colleagues Maura McCarthy, Melody Cook, Caroline Steel, and Emma Swislow. This report was made possible with the generous support of Coefficient Giving.

As a research and policy institution committed to the highest standards of organizational, intellectual, and personal integrity, CNAS maintains strict intellectual independence and sole editorial direction and control over its ideas, projects, publications, events, and other research activities. CNAS does not take institutional positions on policy issues, and the content of CNAS publications reflects the views of their authors alone. In keeping with its mission and values, CNAS does not engage in lobbying activity and complies fully with all applicable federal, state, and local laws. CNAS will not engage in any representational activities or advocacy on behalf of any entities or interests and, to the extent that the Center accepts funding from non-U.S. sources, its activities will be limited to bona fide scholastic, academic, and research-related activities, consistent with applicable federal law. The Center publicly acknowledges on its website annually all donors who contribute.

  35. House Select Committee on Strategic Competition between the United States and the Chinese Communist Party, DeepSeek Unmasked: Exposing the CCP’s Latest Tool For Spying, Stealing, and Subverting U.S. Export Control Restrictions (House Select Committee on Strategic Competition between the United States and the Chinese Communist Party, April 16, 2025), https://chinaselectcommittee.house.gov/sites/evo-subsites/selectcommitteeontheccp.house.gov/files/evo-media-document/DeepSeek%20Final.pdf; Exiger, DeepSeek’s Deception: How the Chinese Military and Government Funded DeepSeek’s AI Research (Exiger, April 2025), https://www.exiger.com/perspectives/deepseek-chinese-government-funded-ai/; and Cole McFaul, Sam Bresnick, and Daniel Chou, Pulling Back the Curtain on China’s Military-Civil Fusion: How the PLA Mobilizes Civilian AI for Strategic Advantage (Center for Security and Emerging Technology, September 2025), https://cset.georgetown.edu/publication/pulling-back-the-curtain-on-chinas-military-civil-fusion/.
  36. “DeepSeek in Amazon Bedrock,” Amazon Web Services, accessed May 4, 2026, https://aws.amazon.com/bedrock/deepseek/; “Kimi K2.5,” Amazon Bedrock User Guide, Amazon Web Services, accessed May 4, 2026, https://docs.aws.amazon.com/bedrock/latest/userguide/model-card-moonshot-ai-kimi-k2-5.html; “Models,” Azure AI Foundry, Microsoft, accessed May 4, 2026, https://azure.microsoft.com/en-us/products/ai-foundry/models; and “MiniMax Models,” Generative AI on Vertex AI documentation, Google Cloud, last updated March 12, 2026, https://docs.cloud.google.com/vertex-ai/generative-ai/docs/maas/minimax.
  37. “Amazon Bedrock FAQs,” Amazon Web Services, accessed May 4, 2026, https://aws.amazon.com/bedrock/faqs/; “Amazon Bedrock Security, Privacy, and Responsible AI,” Amazon Web Services, accessed May 4, 2026, https://aws.amazon.com/bedrock/security-privacy-responsible-ai/; “Data, Privacy, and Security for Models Sold by Azure in Microsoft Foundry,” Microsoft Learn, accessed May 4, 2026, https://learn.microsoft.com/en-us/azure/foundry/responsible-ai/openai/data-privacy; and “Vertex AI and Zero Data Retention,” Generative AI on Vertex AI documentation, Google Cloud, accessed May 4, 2026, https://docs.cloud.google.com/vertex-ai/generative-ai/docs/vertex-ai-zero-data-retention.
  38. “Authentication,” OpenRouter API Reference, accessed May 4, 2026, https://openrouter.ai/docs/api/reference/authentication; “Open Source AI APIs Aggregator by Eden AI,” Eden AI, accessed May 4, 2026, https://www.edenai.co/post/open-source-ai-apis-aggregator-by-eden-ai; and “Why Should You Use an LLM Gateway?,” ShareAI, accessed May 4, 2026, https://shareai.now/blog/insights/why-use-llm-gateway/.
  39. “Distillation: Ensure Compliance with Provider and Model Creator Policies for Distillation,” OpenRouter Documentation, accessed May 4, 2026, https://openrouter.ai/docs/guides/evaluate-and-optimize/distillation; Shashank Goyal, “Distillable Models and Synthetic Data Pipelines with NeMo Data Designer,” OpenRouter Announcements, December 24, 2025, https://openrouter.ai/announcements/distillable-models-and-synthetic-data-pipelines-with-nemo-data-designer.
  40. “LiteLLM Documentation,” BerriAI, accessed May 4, 2026, https://docs.litellm.ai/; BerriAI, “LiteLLM,” GitHub repository, accessed May 4, 2026, https://github.com/BerriAI/litellm.
  41. Qian, “How to Buy Cheap Claude Tokens in China.”
  42. JustSong (songquanpeng), “One API,” GitHub, accessed May 4, 2026, https://github.com/songquanpeng/one-api.
  43. Hanzhi Liu et al., “Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain,” arXiv:2604.08407, April 9, 2026, https://arxiv.org/abs/2604.08407; JustSong, “One API”; QuantumNous, “New API,” GitHub repository, accessed May 4, 2026, https://github.com/QuantumNous/new-api; Lily Ottinger, Jordan Schneider, and Zilan Qian, “How to Use Banned US Models in China,” ChinaTalk, June 5, 2025, https://www.chinatalk.media/p/the-grey-market-for-american-llms; Li Menghan, “时入上万元!ChatGPT代问代注册生意爆火 或涉嫌违法经营 [Earning Tens of Thousands per Hour: ChatGPT Proxy-Query and Registration Business Booms, May Constitute Illegal Operation],” Beijing News, February 9, 2023, https://m.bjnews.com.cn/detail/167590920614161.html; Yiwen Lu, “OpenAI Pulls the Plug on China,” ChinaTalk, July 11, 2024, https://www.chinatalk.media/p/openai-pulls-the-plug-on-china; and Shannon Williams, “Singapore Reports Record Cyberattacks in Southeast Asia 2024,” SecurityBrief Asia, February 19, 2025, https://securitybrief.asia/story/singapore-reports-record-cyberattacks-in-southeast-asia-2024.
  44. “Shodan: Search Engine for Everything on the Internet,” Shodan, accessed May 4, 2026, https://www.shodan.io/.
  45. Buy What It Can, Steal What It Must: China’s Campaign to Acquire Frontier AI Capabilities.
  46. National Intelligence Law of the People’s Republic of China (2017, as amended 2018), trans. China Law Translate, June 27, 2017, https://www.chinalawtranslate.com/en/national-intelligence-law-of-the-p-r-c-2017/; Cybersecurity Law of the People’s Republic of China (effective June 1, 2017), trans. Rogier Creemers, Paul Triolo, and Graham Webster, DigiChina, Stanford University, accessed May 4, 2026, https://digichina.stanford.edu/work/translation-cybersecurity-law-of-the-peoples-republic-of-china-effective-june-1-2017/.
  47. “CloseAI - 亚洲规模最大的企业级AI中转平台 [CloseAI: Asia’s Largest Enterprise-Grade AI Relay Platform],” CloseAI, accessed May 4, 2026, https://www.closeai-asia.com/; “平台简介 [Platform Introduction],” section “服务定价 [Service Pricing],” CloseAI Tutorial, accessed May 4, 2026, https://doc.closeai-asia.com/tutorial/introduction.html.
  48. Anthropic, “Detecting and Preventing Distillation Attacks.”
  49. Fraud by Wire, Radio, or Television, 18 U.S.C. § 1343 (2024), https://www.law.cornell.edu/uscode/text/18/1343; Fraud and Related Activity in Connection with Computers, 18 U.S.C. § 1030 (2008), https://www.law.cornell.edu/uscode/text/18/1030; Van Buren v. United States, 593 U.S. 374 (2021), https://www.oyez.org/cases/2020/19-783.
  50. Steven Masada, “Disrupting a Global Cybercrime Network Abusing Generative AI,” Microsoft on the Issues, February 27, 2025, https://blogs.microsoft.com/on-the-issues/2025/02/27/disrupting-cybercrime-abusing-gen-ai/; Microsoft Corporation v. Arian Yadegarnia, Ricky Yuen, Alan Krysiak, Phát Phùng Tấn, and Does 4-10 Operating an Azure Abuse Network, District Court for the Eastern District of Virginia (2025), https://www.noticeofpleadings.net/fizzdog/files/COMPLAINT_AND_SUMMONS/2025.02.28%20DE%20041%20%5BMicrosoft%5D%20Amended%20Complaint.pdf.
  51. Masada, “Disrupting a Global Cybercrime Network Abusing Generative AI.”
  52. Interviews with AI industry stakeholders, March 2026. The interviews were conducted in confidentiality, and the names of the interviewees are withheld by mutual agreement; 18 U.S.C. §§ 2701–2713 (2024).
  53. Kratsios, “Adversarial Distillation of American AI Models.”
  54. Tim Schnabel, Letter to Acting Assistant Attorney General Omeed A. Assefi and FTC Chairman Andrew N. Ferguson re: Collaboration Among Competitors on AI Security Issues (Law Reform Institute, April 15, 2026), https://lawreforminstitute.org/DOJFTC041526.pdf.
  55. Antitrust Policy Statement on Sharing of Cybersecurity Information (U.S. Department of Justice and Federal Trade Commission, April 2014), https://www.ftc.gov/system/files/documents/public_statements/297681/140410ftcdojcyberthreatstmt.pdf.
  56. Cybersecurity Information Sharing Act of 2015, S. 754, 114th Cong. (2015), https://www.congress.gov/bill/114th-congress/senate-bill/754.
  57. Voluntary Disclosure of Customer Communications or Records, 18 U.S. Code § 2702 (1986), https://www.law.cornell.edu/uscode/text/18/2702.
  58. “Preventing Terrorists and Violent Extremists from Exploiting Digital Platforms,” Global Internet Forum to Counter Terrorism, accessed May 4, 2026, https://gifct.org/; Naureen Chowdhury Fink and Erin Saltman, “Fighting Terror with Tech: The Evolution of the Global Internet Forum to Counter Terrorism,” SSRN working paper, July 12, 2025, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5405146.
  59. “Frontier Model Forum,” Frontier Model Forum, accessed May 4, 2026, https://www.frontiermodelforum.org/.
  60. Shirin Ghaffary and Maggie Eastland, “OpenAI, Anthropic, Google Unite to Combat Model Copying in China,” Bloomberg, April 6, 2026, https://www.bloomberg.com/news/articles/2026-04-06/openai-anthropic-google-unite-to-combat-model-copying-in-china.
  61. White House, America’s AI Action Plan (Executive Office of the President, July 2025), https://www.whitehouse.gov/wp-content/uploads/2025/07/Americas-AI-Action-Plan.pdf.
  62. “World Labs,” World Labs, accessed May 29, 2026, https://www.worldlabs.ai/; “Chai Discovery,” Chai Discovery, accessed May 29, 2026, https://www.chaidiscovery.com/.
  63. U.S. Department of Commerce, “Statement from U.S. Secretary of Commerce Howard Lutnick on Transforming the U.S. AI Safety Institute into the Pro-Innovation, Pro-Science U.S. Center for AI Standards and Innovation,” press release, June 3, 2025, https://www.commerce.gov/news/press-releases/2025/06/statement-us-secretary-commerce-howard-lutnick-transforming-us-ai.
  64. 15 C.F.R. pts. 730–774 (2024) (Export Administration Regulations); 15 C.F.R. § 744.11 (2024).
  65. International Emergency Economic Powers Act, 50 U.S.C. §§ 1701–1708 (2024).
  66. Joe Khawam and Tim Schnabel, Sanctions and Export Control Responses to Adversarial Distillation (Law Reform Institute, March 13, 2026), https://lawreforminstitute.org/distillation031326.pdf.
  67. Remote Access Security Act, H.R. 2683, 119th Cong. (2025), https://www.congress.gov/bill/119th-congress/house-bill/2683.

Authors

  • Daniel Remler

    Senior Fellow, Technology and National Security Program

    Daniel Remler is a senior fellow with the Technology and National Security Program at the Center for a New American Security (CNAS). His research focuses on the implications o...

  • Ben Hayum

    Research Assistant, Technology and National Security Program

    Ben Hayum is a research assistant for the Technology and National Security Program at the Center for a New American Security (CNAS). Before CNAS, Hayum was a PhD student in com...
