The White House, on April 24, 2026, formally accused the Chinese government of orchestrating industrial-scale theft of American AI intellectual property — deploying thousands of proxy accounts to systematically extract training signal from frontier U.S. models. The primary targets named: OpenAI, Anthropic, and Google DeepMind. Twenty-four hours later, DeepSeek released V4.
China’s foreign ministry called the allegations “groundless” and “a political smear.” The timing and the mechanism suggest something more structured than a smear: three years of documented extraction warnings from U.S. AI labs, a specific attack technique that bypasses every hardware export control on the books, and a Chinese model that consistently delivers frontier-level capability at sub-frontier cost.
What the White House Specifically Alleged
The accusation centers on a well-documented attack surface: the commercial API. According to the White House statement, Chinese government-linked actors operated networks of thousands of proxy accounts — fictitious identities, rotating IP addresses, and enterprise API credentials purchased through third-party resellers — to run high-volume query campaigns against U.S. frontier AI systems.
The objective was not to steal model weights or training data directly. It was to extract behavioral intelligence through outputs. By firing carefully structured prompts at scale and logging every response, operators can reconstruct a model’s reasoning patterns, knowledge distribution, and capability profile — raw material for training a competing system at a fraction of the original cost.
The White House characterized the operation as state-coordinated, not opportunistic. Networks of thousands of accounts imply infrastructure, funding, and centralized direction that goes beyond individual researchers testing competitor products — the explanation Chinese officials typically offer for distillation-adjacent behavior.
How Model Extraction Attacks Work
Model extraction — also called distillation attacks — exploits a structural property of commercial AI deployment: the model is accessible without being visible. An attacker never needs the weights, the architecture, or the training data. API access and a query budget are sufficient.
The attack proceeds in three stages:
- Query generation: Automated systems fire tens of thousands of diverse, structured prompts at the target model — covering multi-step reasoning, code generation, factual recall, and adversarial edge cases.
- Output harvesting: Every response is logged. The resulting dataset of prompt-response pairs captures the model’s behavior distribution without accessing a single internal parameter.
- Distillation training: A student model trains on the harvested dataset, learning to approximate the teacher model’s outputs — including capabilities the student’s base training alone would not have produced.
This is not a theoretical vulnerability. DeepSeek’s R1, released in January 2025, was flagged by OpenAI for incorporating outputs from OpenAI models in its training pipeline — a finding that triggered account terminations and a formal policy update explicitly prohibiting using model outputs to train competing systems. Anthropic subsequently identified systematic output harvesting as a terms-of-service violation and filed formal complaints with the Commerce Department. The White House accusation formalized what U.S. labs had been documenting through abuse reports for at least 24 months.
The U.S. Labs Named — and What They’ve Said
Three frontier AI developers have explicitly identified model extraction as an active, ongoing threat from Chinese-linked entities:
OpenAI has terminated multiple account clusters linked to systematic query campaigns, including a reported February 2025 enforcement action tied to actors with connections to Chinese state research institutions. The company’s terms of service were updated in direct response to documented extraction behavior, adding an explicit prohibition on using model outputs to train competing systems.
Anthropic has been the most direct in naming DeepSeek specifically. In Commerce Department briefings in late 2025, Anthropic described what it termed “systematic capability transfer” — using DeepSeek’s rapid benchmark progression on tasks tied to Claude‘s known strengths as supporting evidence. Anthropic’s own security posture has come under scrutiny following a source code exposure, making the IP theft framing particularly sensitive for the company.
Google DeepMind has been publicly circumspect, but its usage anomaly systems have flagged high-volume account clusters consistent with extraction patterns on the Gemini API. Google has not publicly confirmed Chinese government involvement in any specific incident.
The aggregate picture: three of the four organizations operating frontier AI models in the United States believe they are actively being used as training infrastructure for foreign competitors. At current API pricing, querying a frontier model extensively costs orders of magnitude less than the compute required to train equivalent capabilities from scratch — a cost differential that grows larger as U.S. models improve.
The DeepSeek V4 Timing: Coincidence or Signal
On April 25, 2026 — one day after the White House accusation — DeepSeek released V4. The model immediately benchmarked above GPT-4.5 on several standard reasoning evaluations and launched at per-token pricing below any comparable U.S. model. Epoch AI researchers have questioned whether DeepSeek’s published training cost figures reflect full compute expenditure or account for pre-training runs that benefited from distillation data. If extraction attacks contributed even a portion of DeepSeek’s effective training signal on reasoning-intensive tasks, the cost arithmetic shifts substantially in favor of the extraction-plus-train approach over building from scratch.
MegaOne AI tracks 139+ AI tools across 17 categories; DeepSeek V4 represents the company’s third major capability jump in 14 months. Each release has arrived at a moment of heightened U.S.-China AI tension, and each has benchmarked close to — or ahead of — the specific U.S. models that American officials had most recently flagged as extraction targets. That pattern may be coincidence. It is not uninformative.
China’s Denial and Its Limits
Beijing’s response followed its established framework. The foreign ministry spokesperson dismissed the White House allegations as “groundless” and framed them as part of a U.S. campaign to suppress Chinese technological development through national security pretext.
China has a defensible technical argument: distillation — using one model’s outputs to inform another’s training — is standard practice throughout the global AI industry, including among U.S. developers. Meta’s LLaMA models were trained with data involving outputs from more capable systems. The distinction the White House is drawing is between incidental technique transfer and state-coordinated, large-scale extraction operations explicitly targeting U.S. commercial systems.
Whether that distinction holds legally is genuinely unsettled. AI model outputs are not clearly protected as trade secrets under current U.S. law. The White House accusation functions as much as a diplomatic and regulatory escalation as a legal filing — establishing political cover for API access restrictions and output watermarking requirements that don’t yet exist at the required scale.
Can Export Controls Stop API-Based Distillation?
Not with current tools. Not cleanly.
Existing U.S. export controls focus on hardware — the tiered GPU restrictions that have limited China’s ability to build large training clusters from American silicon. Those controls have measurable impact: Chinese-adjacent compute investments are surfacing in third countries — Finland, the UAE, Saudi Arabia — precisely because direct acquisition of top-tier NVIDIA hardware is legally blocked.
But extraction attacks don’t require H100s. They require API access and the inference compute to process responses — a significantly lower hardware threshold. DeepSeek V4, running on older-generation chips, can still execute millions of queries against a GPT-5 or Claude 4 endpoint if its accounts pass know-your-customer checks. The bottleneck is not compute. It’s identity verification.
Three policy mechanisms are under active U.S. discussion:
- Mandatory API geo-blocking: Requiring U.S. labs to restrict access from Chinese IP ranges and Chinese-registered entities. Easily circumvented via the same third-country proxy infrastructure the White House alleges is already in use.
- Behavioral anomaly detection: Flagging accounts that exhibit systematic extraction patterns — high query volume, unusual prompt diversity, atypical output logging behavior. Technically feasible; carries significant false-positive risk for legitimate enterprise developers and researchers.
- Output watermarking: Cryptographically tagging model outputs so that training data derived from them is detectable in downstream models. Technically promising — and actively studied by several U.S. labs — but not deployed at production scale by any major provider.
None of these fully closes the extraction attack surface. The fundamental problem: distillation exploits the same interface that generates commercial revenue. Restricting API access meaningfully enough to prevent theft also restricts the business model that funds frontier AI development in the first place.
The Regulatory Inflection Point
The White House accusation signals a shift in U.S. AI strategy: from hardware-focused containment toward treating API access, model outputs, and training data as components of national security infrastructure.
This framing has consequences beyond China policy. The consolidation dynamics already reshaping U.S. AI will accelerate if a security framing favors large, politically connected labs over open-source developers and smaller API providers. Mandatory output controls or API licensing requirements would impose compliance burdens that benefit incumbents and disadvantage challengers — a structural outcome that looks like security policy but functions like market protection.
The growing movement demanding greater public accountability over frontier AI systems intersects uncomfortably with this dynamic: if frontier model access is securitized and restricted, the primary beneficiaries are the same large labs that critics argue are already insufficiently accountable.
OpenAI and Anthropic have obvious incentives to support a regulatory framework that treats their outputs as protectable IP — even where current law doesn’t support that position. The White House accusation, whatever its full evidentiary basis, advances that legal and policy argument by several years.
DeepSeek V4 is already deployed. Whatever extraction occurred, it is already embedded in weights and inference pipelines. The policy contest now is about whether sufficient friction can be introduced — in identity verification, behavioral monitoring, output tracing — to meaningfully slow the next cycle before V5 arrives.
