
U.S. Government Claims China is Engaged in ‘Industrial-Scale Campaign’ to Distill AI Systems

The U.S. government alleged that China is engaged in a deliberate, industrial-scale campaign to distill U.S. frontier artificial intelligence (AI) systems, according to a White House memo published Thursday.

“Leveraging tens of thousands of proxy accounts to evade detection and using jailbreaking techniques to expose proprietary information, these coordinated campaigns systematically extract capabilities from American AI models, exploiting American expertise and innovation,” wrote Michael J. Kratsios, assistant to the president for science and technology and director of the White House Office of Science and Technology Policy.

Distillation—referring to knowledge distillation—is a machine learning technique that transfers knowledge from a large, pre-trained model to a smaller student model. In a whitepaper, IBM explains that the “goal of knowledge distillation is to train a more compact model to mimic a larger, more complex model.”

In the memo, Kratsios specifically called out China among other foreign actors for engaging in distillation campaigns. The accusation comes just over a year after Chinese AI startup DeepSeek released its chatbot, which many experts said was created through distillation to compete with OpenAI’s ChatGPT.

Executives from OpenAI and Anthropic—two of the U.S. frontier model leaders—have both since disclosed to the U.S. House of Representatives Foreign Affairs Committee that they have detected adversarial distillation activity on their platforms that originated from China.

Kratsios explained in the memo that by continuing to engage in industrial-scale distillation, foreign actors could release products that appear to perform comparably on select benchmarks at a fraction of the cost—undermining the U.S. market.

“These distillation campaigns also allow those actors to deliberately strip security protocols from the resulting models and undo mechanisms that ensure those AI models are ideologically neutral and truth-seeking,” Kratsios wrote.

Kratsios published the memo just one week after the U.S. House of Representatives Foreign Affairs Committee released an investigatory report on how China is using legal and illegal means to build its semiconductor production and develop AI. It found that even though U.S. frontier labs tightened their access control after DeepSeek’s creators engaged in distillation, Chinese users and firms maintained their access via proxies, resellers, and overseas intermediaries.

These threat actors revealed a “sophisticated access infrastructure designed to obfuscate request sources, distribute traffic across thousands of fraudulent accounts, and maintain connectivity despite provider restrictions,” the report explained. “The core of this infrastructure is a software layer of open-source ‘relay’ tools that intercept and reroute API requests.”

These requests get sent to repositories that advertise format conversion among OpenAI, Claude, and Gemini. Two of the public code repositories that the committee investigated have been copied and modified about 11,000 times on GitHub. Operators then build on the data in these repositories to provide services to major customers, including Alibaba, Baidu, Peking University, Tencent, and Tsinghua University.

“Unauthorized or otherwise fraudulent access is also available to the consumer market,” the report explained. “On Taobao, vendors openly sell mirror-site subscriptions and resold accounts. Claude appears to be the top target of unauthorized users seeking access to American AI models, with top listings showing 50,000 transactions and 7,000 repeat purchases at a fraction of Anthropic’s official price.”

This activity not only violates these frontier model developers’ platform terms of service, it also provides the benefits of “American AI systems through deception and using those outputs to research, develop, and train competing models to the benefit of China and at the expense of America’s national security and economic prosperity,” the report said. “The conduct is systematic, state-adjacent, and strategically directed.”

The committee’s report added that the pattern of behavior, along with recent cases of trade secret theft, shows that the U.S. deterrence approach is not effective. It recommended a range of responses, including introducing new legislation in the U.S. Congress to increase civil and criminal penalties for the behavior.

“So long as the likely consequence for many actors remains delay, negotiation, or a manageable compliance penalty, exporters, brokers, freight intermediaries, and service providers will continue to treat serious violations as a tolerable cost of doing business,” the report said.

Xiao Qian, deputy director of the Centre of International Security and Strategy, wrote in a South China Morning Post op-ed that the committee report captures a “hardening view in Washington” that China’s AI rise is tied to both market access and security concerns.

“Whether fully substantiated or not, such beliefs are increasingly shaping the policy lens through which technology competition between the two countries is understood in the U.S.—less as a matter of innovation, and more as one of national security,” Qian explained.

Meanwhile, the Trump administration is exploring measures to hold foreign actors accountable for industrial-scale distillation campaigns. Kratsios wrote that the White House is also planning to ramp up efforts with the private sector, including:

  • Sharing information with U.S. AI companies about attempts by foreign actors to conduct unauthorized, industrial-scale distillation.

  • Enabling the private sector to better coordinate against such attacks.

  • Working with private industry to develop best practices to identify, mitigate, and remediate industrial-scale distillation activities and build defenses against them.


The White House did not return Security Management’s request for comment on more details about this threat or its engagement with the private sector.

Kratsios released the memo during a major week in the race to lead in AI. On Tuesday, Anthropic announced it was investigating claims that unauthorized users gained access to Mythos—its cybersecurity tool that the company is limiting access to because it could become a significant hacking capability if it wound up in the wrong hands.

So far, Anthropic has only shared access to Mythos with 40 organizations in the United Kingdom and the United States that provide technology used in critical global infrastructure.

“Neither Beijing nor Moscow has made a major public statement on Mythos,” The New York Times reports. “Inside China, researchers and the broader AI community have been watching closely, according to analysts studying the country’s tech community. Many of the country’s banks, energy companies, and government agencies run on the same software in which Mythos found vulnerabilities—but for now, they have no seat at the table.”

Then on Thursday, OpenAI released its newest model—GPT-5.5—which the company claims has many of the same capabilities as Anthropic’s latest model and will be available to all Plus, Pro, Business, and Enterprise users in ChatGPT and Codex with some safeguards.

“Beyond benchmarks, early testers said GPT-5.5 shows a stronger ability to understand the shape of a system: why something is failing, where the fix needs to land, and what else in the codebase would be affected,” according to the OpenAI announcement.

The activity is occurring as the White House prepares for U.S. President Donald Trump to meet with Chinese President Xi Jinping in China at the beginning of May—the first time that a U.S. president will visit China in nearly 10 years. An agenda for the summit has not been released yet, but AI is likely to be one of the topics discussed during the high-profile meeting.

 
