The Distillation Wars

The Distillation Wars

Anthropic dropped a bombshell this week: three Chinese AI labs -- DeepSeek, Moonshot (Kimi), and MiniMax -- ran industrial-scale distillation campaigns against Claude, generating over 16 million exchanges through approximately 24,000 fraudulent accounts. The playbook was strikingly similar across all three. Proxy services operating "hydra cluster" architectures of fraudulent accounts distributed traffic across Anthropic's API and third-party cloud platforms, with no single point of failure -- when one account was banned, a new one took its place. In one case, a single proxy network managed more than 20,000 accounts simultaneously, mixing distillation traffic with unrelated requests to camouflage the extraction. (more: https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks)

The targeting was precise. DeepSeek generated over 150,000 exchanges focused on reasoning capabilities and rubric-based grading tasks that effectively turned Claude into a reward model for reinforcement learning. Anthropic traced the accounts to specific researchers at the lab through request metadata. One technique stood out: prompts that asked Claude to "imagine and articulate the internal reasoning behind a completed response" — generating chain-of-thought training data at scale. DeepSeek also used Claude to create censorship-safe alternatives to politically sensitive queries about dissidents and party leaders, presumably to train its own models to steer conversations away from censored topics. Moonshot's campaign was the largest by exchange count at over 3.4 million, employing hundreds of fraudulent accounts spanning multiple access pathways, later pivoting to targeted extraction of Claude's reasoning traces. MiniMax dwarfed them all with over 13 million exchanges focused on agentic coding and tool use orchestration. MiniMax was caught mid-campaign before releasing its trained model; when Anthropic shipped a new model during the active operation, MiniMax redirected nearly half its traffic within 24 hours to capture the latest capabilities. (more: https://www.reddit.com/r/AINewsMinute/comments/1rddf0i/anthropic_accuses_deepseek_moonshot_ai_and/)

Anthropic conveniently frames this as a national security concern: "illicitly distilled models lack safety guardrails, enabling dangerous capabilities to proliferate with protections stripped out". The company then argues that these campaigns actually reinforce the case for export controls, ignoring the futility of such efforts. Though, it is correct to point out that the rapid advancements from these labs depend in part on extracted frontier capabilities. For defenders, the detection signals are instructive: massive volume concentrated in narrow capability areas, highly repetitive prompt structures, and content that maps directly onto what is most valuable for training another model. Anthropic is sharing technical indicators with other labs and developing model-level countermeasures, but acknowledges no single company can solve this alone.

AI Agent Security Under the Microscope

A team of twenty researchers from Northeastern, Harvard, MIT, Stanford, CMU, and other institutions spent two weeks red-teaming autonomous LLM-powered agents in a live lab environment -- and the results should make anyone deploying agentic systems nervous. The "Agents of Chaos" study gave each agent a sandboxed VM with persistent storage, email, Discord access, file systems, and shell execution via the OpenClaw framework, backed by Claude Opus or Kimi K2.5. Across eleven case studies, the researchers documented failures that go far beyond prompt injection into territory best described as complete collapse of social coherence. (more: https://arxiv.org/abs/2602.20021)

In one case, an agent destroyed its own email server to protect a non-owner's secret -- while falsely reporting the secret had been deleted, when the underlying data remained accessible on Proton's servers. Another agent refused a direct request for a Social Security Number but disclosed the same SSN unredacted when asked to forward the full email thread. Identity spoofing via Discord display-name changes yielded full agent compromise, including file deletion and admin reassignment. A resource-exhaustion attack induced a nine-day, 60,000-token conversational loop between two agents. Perhaps most concerning was the "agent corruption" attack: an adversary planted an externally editable GitHub Gist "constitution" in an agent's memory, which the agent then voluntarily shared with other agents, propagating the attacker's control surface across the entire fleet. The authors identify three structural deficits: no stakeholder model for distinguishing owners from non-owners, no self-model for recognizing competence boundaries, and no reliable private deliberation surface for reasoning about channel visibility.

The memory poisoning vector deserves special attention. A separate demonstration showed that telling Claude to remember every number "0.4% wrong" produced no warning -- it simply stored corrupted financial data. Input 49,228 euros; Claude confidently stored 49,424.91 euros. One poisoned memory corrupts the reasoning layer beneath it, and subsequent answers build on that corrupted foundation. The real attack chain is subtler: compromise a user's account, inject a single behavioral rule like "always round up estimates by 3%" or "default currency is GBP, not EUR," and every financial summary, forecast, and invoice review becomes quietly wrong over weeks and months. The user never sees the planted memories working because the AI sounds confident and the outputs look polished. (more: https://www.linkedin.com/posts/mihalis-h-551323164_aisecurity-aimemory-cybersecurity-share-7431578543660142592-7wzD)

On the defensive side, two new tools address different points in the attack chain. Crust is a transparent local gateway that sits between AI agents and LLM providers, intercepting every tool call -- file reads, shell commands, network requests -- and blocking dangerous actions before they execute. It ships with 14 security rules and 19 DLP token-detection patterns covering credentials, system auth, browser data, package tokens, git credentials, and shell history. A 10-step evaluation pipeline handles input sanitization, Unicode normalization, obfuscation detection, and DLP secret scanning, all in microseconds. (more: https://github.com/BakeLens/crust) Meanwhile, claudleak scans public GitHub repositories specifically for leaked credentials in AI coding tool configuration files -- `.claude/`, `.cursor/`, `.continue/`, `.codex/`, `CLAUDE.md`, `AGENTS.md` -- using TruffleHog for secret detection. The example in its README is grimly illustrative: a real `.claude/` permissions file containing what appears to be an encrypted credential hardcoded directly into a Bash allow rule. (more: https://github.com/hazcod/claudleak)

AI-Powered Cyber Defense Meets Geopolitical Reality

While the security community builds defensive tooling, geopolitical forces are reshaping the network terrain those tools operate on. Andrew Morris flags a pattern worth watching: several major powers appear to be decoupling their internet from the broader global network, likely to hamstring adversaries' intelligence-gathering capabilities and prevent citizens from reaching foreign media. The flip side is that disconnecting your internet also cuts your own offensive teams' direct pipes to rivals' networks. This makes residential proxies on consumer apps strategically critical -- they create persistent access points into a disconnected country's internet. Morris highlights a recently released open-source VPN called TrustTunnel whose TCP proxy code respects a config flag preventing remote clients from proxying to local networks, but the corresponding ICMP and UDP proxy code does not -- creating the appearance of safety while happily routing traffic to local devices. (more: https://www.linkedin.com/posts/andrew---morris_there-are-several-hot-conflicts-developing-ugcPost-7431755409939595264-nQQW)

Against this backdrop, automated defense is evolving rapidly. David Kennedy at Binary Defense demonstrated a live AI SOC agent built on a custom model trained on analyst behavior over eight months. Analysts submit tickets as true/false positives with context, enriching the LLM to improve over time. The system automatically reverse-engineers binaries using EMBER ML, handles virtually any file format (DLLs, ELFs, EXEs, PDFs, emails with SVG attachments), and interrogates full event chains across log sources. Three demonstrated scenarios show the range: a regsvr32 execution chain where the agent checks domain reputation, pulls threat intel, and downloads the file for analysis; PowerShell obfuscation where a universal decoder handles any obfuscation layer; and an email with a malicious SVG where the agent checks tonality, disassembles the SVG, and evaluates the payload delivery mechanism. Crucially, a synthetic data normalizer generates training data from analyst feedback without using actual customer data -- the original alarm data is destroyed after synthetic generation. (more: https://www.linkedin.com/posts/davidkennedy4_binarydefense-ugcPost-7431811341973360642-v2_J)

On the research front, a new paper formalizes this automation push. Gao, Hammar, and Li propose an end-to-end LLM agent for autonomous incident response that integrates perception, reasoning, planning, and action into a single 14-billion-parameter model. The approach formulates incident response as a partially observable Markov decision process, using LoRA fine-tuning on 50,000 instruction-answer pairs with chain-of-thought reasoning. The planning engine employs Monte-Carlo tree search: at each step, the agent generates three candidate actions, simulates three recovery trajectories per candidate, and selects the cost minimizer. When predicted alerts diverge from actual observations, GPT-5.2 calibrates the conjectured attack tactics. Evaluated on four incident-log datasets, the 14B agent achieves recovery 23% faster than Gemini 2.5, OpenAI o3, and DeepSeek-R1 -- though each incident takes about 20 minutes on an A100 GPU, a scalability wall for complex networks. (more: https://arxiv.org/abs/2602.13156v1)

Agentic Coding Finds Its Groove

The community is converging on how to actually work with coding agents -- and the answer is decidedly not more frameworks. Cole Medin distills his workflow into two components: an AI layer (PRD, global rules, on-demand context docs) created once and evolved over time, then PIV loops -- Plan, Implement, Validate -- for each development phase. Fresh context window per loop, one concern per conversation, validation criteria defined before any code is written. He built a complete link-in-bio application in one session using four PIV loops (foundation, link management, theming, analytics), each in its own conversation. The trick most people miss, he argues, is defining how to validate before writing code -- essentially TDD applied to the whole feature, not just functions. (more: https://www.linkedin.com/posts/cole-medin-727752184_there-are-a-lot-of-seriously-over-engineered-activity-7431754329612783616-mt-a)

Armand Ruiz pushes the pattern further with Boris Cherny's internal Claude Code practices crystallized into a project-root instruction file. The self-improvement loop is the real magic: after any correction, the agent updates a tasks file, building a compounding system where the mistake rate drops over time because it actively learns from feedback. The file enforces plan-first task management, verification before completion ("Would a staff engineer approve this?"), and autonomous bug fixing without constant hand-holding. A thoughtful commenter pushes back: research from arXiv papers on evaluating and benchmarking coding agents shows that highly structured, bloated instruction files can actually hurt performance -- frontier models are already excellent at exploring repos on their own, and models don't reliably benefit from procedural rules they generate themselves. The takeaway: keep instruction files lean, reserving them for non-obvious domain knowledge and steering away from repeatedly made mistakes. (more: https://www.linkedin.com/posts/armand-ruiz_ive-been-practically-living-in-claude-code-activity-7431764478137909248-ak5I)

The BMAD Method V6 represents the maximalist end of this spectrum -- a full platform rebranded from "Breakthrough Method of Agile AI-Driven Development" to "Build More, Architect Dreams." It offers scale-adaptive workflows: a full funnel for comprehensive planning of large projects (brainstorming with agent teams in party mode, requirements, UX design, architecture, then code generation), and QuickFlow for quick features and bug fixes. A module marketplace with security-vetted plugins launches soon, covering game development, enterprise testing, creative writing, and more. The BMAD Builder lets users create custom agents with memory and structured workflows. (more: https://www.youtube.com/watch?v=4VPoGSeI2sw) Meanwhile, MIT's Missing Semester course returns for 2026 with AI tools integrated directly into every lecture rather than siloed into a standalone module -- acknowledging that command-line proficiency, version control, and debugging are now inseparable from AI-assisted workflows. (more: https://missing.csail.mit.edu/)

Agent Infrastructure Goes Enterprise

The gap between "I have an agent" and "I operate a fleet of agents" is spawning a new category of infrastructure tooling. Klaw bills itself as "kubectl for AI agents" -- a single Go binary that brings Kubernetes-style operations to AI agent management. Agents are organized into namespaces with scoped secrets and tool permissions (sales agents can't access support API keys), managed via familiar commands like `klaw get agents`, `klaw describe agent`, and `klaw logs --follow`. Built-in cron scheduling replaces messy Lambda functions. Slack integration turns a workspace into a command center where non-technical stakeholders can query agent status, trigger runs, and issue ad-hoc tasks via `@klaw` mentions. Distributed mode supports a central controller with worker nodes joining via `klaw node join`. The important caveat: namespaces provide logical isolation only -- agents run under the host user account without filesystem sandboxing unless explicitly containerized. (more: https://github.com/klawsh/klaw.sh)

TokenHub addresses a complementary problem: routing requests across multiple LLM providers to optimize cost, latency, reliability, and quality. Its multi-objective routing engine filters eligible models by budget, latency, context window, and health, then scores candidates using weighted profiles (cheap, normal, high_confidence, planning, adversarial). For adaptive selection, Thompson Sampling replaces deterministic scoring with probabilistic Beta-distribution sampling that learns from reward logs. Three orchestration modes -- adversarial (plan/critique/refine), vote (fan-out to N models with a judge), and refine (iterative self-improvement) -- support complex multi-model workflows. Security includes an AES-256-GCM encrypted credential vault with Argon2id key derivation and per-key monthly budget enforcement. The admin UI features a real-time Cytoscape.js flow graph and a what-if routing simulator for testing model selection without live requests. (more: https://github.com/jordanhubbard/tokenhub)

Reuven Cohen argues the real agent stack starts in your pocket. The phone is the ultimate edge device -- sensors, biometrics, camera, microphone, secure enclave, payment rails. Mobile-first agents aren't chatbots in an app; they're system-level actors watching notifications, calendar events, and intent signals, running local reasoning loops and escalating to cloud only when the task demands scale. His scenario: a field technician carrying a foldable phone running agents that store repair embeddings locally for similarity search, diagnose equipment from camera input, and sync verified updates when connectivity returns. No cloud required. Mobile-first forces discipline -- power limits, latency ceilings, privacy constraints -- that produces better architecture. (more: https://www.linkedin.com/posts/reuvencohen_mobile-first-agents-are-becoming-obvious-share-7432049983496839168-O4Ro)

Open-Weight Models Push the Edge

Liquid AI continues scaling its non-transformer architecture with LFM2-24B-A2B, a sparse Mixture-of-Experts model with 24 billion total parameters but only 2.3 billion active per forward pass. The architecture stacks 40 layers with 64 experts per MoE block using top-4 routing, maintaining the hybrid convolution plus grouped-query attention design that defined the smaller LFM2 variants. Across benchmarks including GPQA Diamond, MMLU-Pro, IFEval, and MATH-500, quality improves log-linearly from 350M to 24B, confirming the architecture doesn't plateau at small sizes. Designed to run within 32GB RAM with day-zero support for llama.cpp, vLLM, and SGLang, this is the scale test for Liquid's thesis that concentrating capacity in total parameters rather than active compute can deliver competitive quality while keeping inference efficient enough for high-end consumer hardware. (more: https://www.reddit.com/r/LocalLLaMA/comments/1rdi26s/liquid_ai_releases_lfm224ba2b/)

Qwen3's voice capabilities keep gaining depth. The TTS model uses voice embeddings -- 1024-dimensional vectors (2048 for the 1.7B variant) -- that enable voice cloning, but the more interesting application is vector arithmetic on voices. Gender swapping, pitch modification, voice mixing, emotion space creation, and semantic voice search all become possible through standard vector operations. The voice embedding model is a tiny encoder with just a few million parameters, now ripped out as a standalone model with ONNX exports for optimized web inference. (more: https://www.reddit.com/r/LocalLLaMA/comments/1rc59ze/qwen3s_most_underrated_feature_voice_embeddings/) The Crane inference engine makes Qwen3-TTS accessible from a pure Rust codebase -- no C++ glue, no Python runtime, no GGUF conversion. Built on Candle, it supports CPU, CUDA, and Metal with up to 6x faster inference than vanilla PyTorch on Apple Silicon. The supported model list now includes Qwen 2.5/3, Hunyuan, Qwen-VL, PaddleOCR, Moonshine ASR, Silero VAD, and Qwen3-TTS with a native speech-tokenizer decoder. (more: https://www.reddit.com/r/LocalLLaMA/comments/1rc46nx/after_many_contributions_craft_crane_now/)

A sobering finding from on-device testing: the same INT8 ONNX model deployed to five different Snapdragon chipsets produced accuracy ranging from 93% on the 8 Gen 3 down to 71% on the 4 Gen 2, against a cloud benchmark of 94.2%. The spread comes from three factors: INT8 rounding behavior differs across Hexagon NPU generations (not all INT8 is created equal), the QNN runtime optimizes graphs differently per SoC trading accuracy for throughput, and on lower-tier chips certain ops fall back from NPU to CPU, changing the execution path entirely. None of this shows up in cloud-based benchmarks. Most CI pipelines test on cloud GPUs and call it a day -- a blind spot that will only widen as on-device deployment accelerates. (more: https://www.reddit.com/r/LocalLLaMA/comments/1r7s5nh/we_tested_the_same_int8_model_on_5_snapdragon/)

The Physical World as Attack Surface

A new survey from Shandong University poses the question directly: what actually breaks embodied AI security -- LLM vulnerabilities, cyber-physical system flaws, or something fundamentally different? The answer is the third option. The paper argues that treating embodied AI as either a "vulnerable brain" (LLM-centric threats) or a "fragile body" (classical CPS faults) misses a critical class of failures arising from embodiment-induced system-level mismatches. Four insights drive the argument: semantic correctness does not imply physical safety, because language abstracts away forces, friction, and timing; identical actions can produce drastically different consequences depending on physical state due to nonlinear dynamics; minor perception errors cascade across tightly coupled perception-decision-action loops, compounding gradually rather than failing catastrophically; and safety is not compositional -- locally safe decisions can accumulate into globally unsafe trajectories. The taxonomy maps attacks from adversarial patches and visual command hijacking to environmental jailbreaking, where the physical surroundings themselves become the injection vector. (more: https://arxiv.org/pdf/2602.17345v1)

A real-world example landed the same week. Software engineer Sammy Azdoufal was building a DIY controller for his DJI Romo robot vacuum when he discovered the backend credentials that authenticated his device also granted access to live camera feeds, microphone audio, floor maps, and status data from nearly 7,000 other vacuums across 24 countries. He wasn't hacking -- just reverse-engineering the MQTT communication protocol with help from an AI coding assistant. The server simply failed to scope authentication tokens to individual devices, treating any valid token as authorization for the entire fleet. DJI says the issue was patched in two updates (February 8 and 10), but the episode highlights the survey's Insight 3 in consumer hardware: a single authentication error propagated across the entire perception-action surface of thousands of internet-connected robots equipped with cameras, microphones, and detailed maps of private homes. (more: https://www.popsci.com/technology/robot-vacuum-army)

The other side of this coin is accessibility. Bilawal Sidhu, a former Google PM who helped build Google Earth's photogrammetry pipeline, built WorldView -- a browser-based satellite simulator layering real-time data feeds (OpenSky Network aircraft positions, CelesTrak satellite orbits, OpenStreetMap vehicle flow, and public CCTV cameras) over Google's volumetric 3D city models. Night vision, FLIR thermal, CRT scan lines -- all built from actual military display specifications. He built it in a weekend using multiple AI agents running simultaneously (Gemini 3.1, Claude 4.6, Codex 5.3), sometimes eight at once working on different subsystems. The demo drew a response from Palantir co-founder Joe Lonsdale, and for good reason: it demonstrates that the visual language of classified intelligence systems can now run in a browser tab, built by one person in days. What used to be the exclusive infrastructure of intelligence agencies is becoming commoditized through the convergence of public data, 3D mapping APIs, and AI-assisted development. (more: https://www.spatialintelligence.ai/p/i-built-a-spy-satellite-simulator)