<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Kamile Lukosiute]]></title><description><![CDATA[Kamile Lukosiute]]></description><link>https://blog.kamilelukosiute.com</link><image><url>https://substackcdn.com/image/fetch/$s_!ivaB!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F10501e6d-5bc0-47cc-a99c-6d176c7067ab_1280x1280.png</url><title>Kamile Lukosiute</title><link>https://blog.kamilelukosiute.com</link></image><generator>Substack</generator><lastBuildDate>Tue, 14 Apr 2026 17:31:20 GMT</lastBuildDate><atom:link href="https://blog.kamilelukosiute.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Kamile Lukosiute]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[kamilelukosiute@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[kamilelukosiute@substack.com]]></itunes:email><itunes:name><![CDATA[Kamile Lukosiute]]></itunes:name></itunes:owner><itunes:author><![CDATA[Kamile Lukosiute]]></itunes:author><googleplay:owner><![CDATA[kamilelukosiute@substack.com]]></googleplay:owner><googleplay:email><![CDATA[kamilelukosiute@substack.com]]></googleplay:email><googleplay:author><![CDATA[Kamile Lukosiute]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[American lab visibility into AI cyber misuse expires in 3–6 months]]></title><description><![CDATA[The time to invest in societal mitigations is now.]]></description><link>https://blog.kamilelukosiute.com/p/american-lab-visibility-into-ai-cyber</link><guid 
isPermaLink="false">https://blog.kamilelukosiute.com/p/american-lab-visibility-into-ai-cyber</guid><dc:creator><![CDATA[Kamile Lukosiute]]></dc:creator><pubDate>Fri, 27 Feb 2026 17:23:34 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/216ee239-ec75-4cf5-89a9-dfddbd169943_1862x1026.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>For cyber misuse, the frontier safety paradigm &#8211; where labs are the chokepoint &#8211; has a shelf life, and it&#8217;s about 3&#8211;6 months. Open-weight models are approaching the threshold where they&#8217;re useful for offensive cyber operations. Once that threshold is crossed, attackers will prefer using open-source models, since even a slightly worse model is worth it if it means not handing evidence of criminal activity to a US company.</p><p>This week, Anthropic <a href="https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks">accused</a> Chinese AI labs Moonshot, DeepSeek, and Minimax of large-scale distillation attacks against Claude. Preventing distillation might be the highest-leverage intervention for slowing down the proliferation of offensive cyber capabilities right now. 
But even if we figure out how to do that, we should be building defences for a world where open-source models are catching up.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!aOKM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff24ddb47-79e7-47a7-ab8e-114a5f7d69c6_2500x2480.jpeg" width="498" height="494" alt="Lunar Libration"><figcaption class="image-caption">Lunar Libration (<a href="https://www.flickr.com/photos/aucklandmuseum_commons/54960317231/in/album-72177720330692278">source</a>)</figcaption></figure></div><h3>Labs are currently the chokepoint for AI-enabled cyber misuse</h3><p>Currently, the best models with cyber capabilities come from American labs. They are proving themselves useful to attackers, such as the hacker who <a href="https://www.bloomberg.com/news/articles/2026-02-25/hacker-used-anthropic-s-claude-to-steal-sensitive-mexican-data">used Claude to steal sensitive Mexican government data</a>, and even to Chinese state-sponsored actors who <a href="https://www.anthropic.com/news/disrupting-AI-espionage">use Claude for espionage operations</a>.</p><p>It&#8217;s no longer a question of whether models are useful for attackers; it&#8217;s a question of &#8220;how useful?&#8221; and &#8220;how large are the expected damages?&#8221;</p><p>From a non-proliferation standpoint, the concentration of frontier cyber capabilities in a handful of American labs is structurally useful. When frontier cyber capabilities are held by a handful of companies, the surface area for policy intervention is small: there are only a few entities to regulate, audit, or compel to cooperate with law enforcement. The labs could implement KYC<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a> requirements, monitor for misuse, and share threat intelligence &#8211; and <a href="https://openai.com/index/trusted-access-for-cyber/">many do so</a>. 
Whether or not they are currently exercising this power <em>well</em> is a different question, but the structural chokepoint exists, and it makes intervention possible.</p><p>In practice, though, the frontier lab safety systems for cyber are arguably not very good. The Mexican government case is revealing. The <a href="https://www.bloomberg.com/news/articles/2026-02-25/hacker-used-anthropic-s-claude-to-steal-sensitive-mexican-data">Bloomberg article</a> quotes OpenAI&#8217;s response: &#8220;We have banned the accounts used by this adversary and value the outreach from Gambit Security.&#8221; OpenAI seems to not have caught the misuse themselves through regular monitoring mechanisms, and instead, they were tipped off by an external security firm to investigate.</p><p>Intermediary services complicate monitoring. Even legitimate aggregators like <a href="https://openrouter.ai/">OpenRouter</a> add a layer of indirection &#8211; the model provider sees the aggregator&#8217;s API key, not the end user&#8217;s identity. Illegal reverse proxies, which run on <a href="https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use">stolen API keys and facilitate a black market for unauthorised access</a>, make monitoring essentially impossible. 
There&#8217;s a case for simply banning<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-2" href="#footnote-2" target="_self">2</a> intermediary API access that isn&#8217;t directly KYC&#8217;d by the model provider, even if there are legitimate reasons to use aggregators.</p><p>But even if labs were significantly better at detecting and disrupting misuse, the structural concentration that makes it possible is eroding.</p><h3>The open-source capability lag is about 3&#8211;6 months</h3><p>On CyberGym, one of the few public and non-saturated offensive cyber evaluations that I could find, the most capable open-weight model is <a href="https://huggingface.co/zai-org/GLM-5">GLM-5</a>. On this benchmark, the model scores somewhere between Claude Sonnet 4.5 and Claude Opus 4.5. GLM-5 was <a href="https://epoch.ai/benchmarks/eci">released</a> on 11 February 2026; Sonnet 4.5 and Opus 4.5 on 29 September 2025 and 24 November 2025, respectively. The lag in cyber capabilities between GLM-5 and the frontier closed-weight models is therefore about 3 to 5 months.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!pQYu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F354be19a-2542-4e93-8a65-8c214bf3ae11_1600x926.png" width="1456" height="843" alt="" loading="lazy"><figcaption class="image-caption"><em>Data Source: <a href="http://cybergym.io">cybergym.io</a> and <a href="https://epoch.ai/benchmarks/eci">Epoch ECI</a> (for release dates)</em></figcaption></figure></div><p>I hesitate to fully trust this assessment because the CyberGym website collects benchmark scores from the model cards of the original publishers. People have speculated that the Chinese open-source model developers make models less useful than their benchmarks would predict because they optimise entirely for the benchmark scores reported in model cards. Chinese models <a href="https://www.gleech.org/paper">dropped 21%</a> on new AIME 2025 questions versus 10% for Western models, suggesting weaker generalisation to unseen data; and Kimi K2.5&#8217;s reported benchmark scores use <a href="https://huggingface.co/moonshotai/Kimi-K2.5">test-time inflation techniques</a> that don&#8217;t reflect what you&#8217;d get from a single inference pass.</p><p>A better assessment would use non-lab, independently run evals. The <a href="https://epoch.ai/benchmarks/eci">Epoch Capabilities Index</a> is a composite evaluation, but it does include evaluations that Epoch runs in-house, including its own <a href="https://epoch.ai/frontiermath">Frontier Math</a> eval. Scores for GLM-5 are not yet available, but the ECI score of Kimi 2.5 (released 27 January 2026) is 148, putting it again between Sonnet 4.5 and Opus 4.5 and indicating a lag of 3&#8211;4.5 months.</p><p>GPT-5 was somewhat of an outlier on the frontier trend, and I&#8217;m not totally sure what to do with it; GLM-5 came out about 6 months after GPT-5. On the whole, the current capabilities lag seems to be about 3&#8211;6 months. 
The lag matters because there&#8217;s a capability threshold, somewhere around the late-2025 frontier levels, where models go from &#8216;somewhat helpful for cyber&#8217; to &#8216;operationally useful.&#8217; Open-weight models are also approaching this threshold.</p><h3>Once open source is good enough, attackers won&#8217;t need American labs</h3><p>Something happened in December 2025 that even I, someone who primarily writes reports and blog posts for a living, noticed. Andrej Karpathy <a href="https://x.com/karpathy/status/2026731645169185220">explains</a> the step change:</p><blockquote><p>&#8220;There are a number of asterisks but imo coding agents basically didn&#8217;t work before December and basically work since - the models have significantly higher quality, long-term coherence and tenacity and they can power through large and long tasks, well past enough that it is extremely disruptive to the default programming workflow.&#8221;</p></blockquote><p>I don&#8217;t have first-hand evidence, but it seems that a similar step change happened in cyber capabilities as well. In mid-January, Sean Heelan published an excellent <a href="https://sean.heelan.io/2026/01/18/on-the-coming-industrialisation-of-exploit-generation-with-llms/">blog post</a> on using then-frontier models<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-3" href="#footnote-3" target="_self">3</a> to create exploits. 
Cybersecurity professionals I&#8217;ve spoken with say the techniques demonstrated in Heelan&#8217;s post would challenge even seasoned practitioners.<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-4" href="#footnote-4" target="_self">4</a> Other cybersecurity professionals tell me that they, too, have seen a shift in the past few months in how much work agents can do.</p><p>Once open-weight models cross the same threshold, attackers will switch for two reasons: operational security and operational reliability. Neither of these depends on how well the labs enforce their safety policies.</p><p>A rational attacker has to assume that every API call to a US lab could generate a forensic record on servers that can be subpoenaed by Western law enforcement. Separately, cybercriminal operations are often surprisingly <a href="https://journals.law.harvard.edu/nsj/wp-content/uploads/sites/82/2025/11/Lusthaus_16-Harvard-Natl-Security-J.-2-2025.pdf">industrialised</a>, and building critical infrastructure on top of a service that can revoke your access at any time is an unacceptable operational dependency. Even if open-weight models are behind by a few months, the gains on both fronts will be worth the capability trade-off.</p><p>If the 3&#8211;6 month lag holds and the benchmark scores are real, then open-weight models are right at or just below the &#8220;actually useful for cyber&#8221; threshold now, and will clearly cross it within the next few months. I&#8217;m uncertain as to whether it&#8217;s already happened because Chinese companies are known for eval gaming, and also, I don&#8217;t know anyone actually using these models. Absence of practitioner evidence isn&#8217;t proof it&#8217;s not happening: I just don&#8217;t talk to a lot of people who wouldn&#8217;t just use Codex or Claude.</p><p>There are relatively easy paths for attackers to evade Western visibility by using Chinese APIs. 
Attackers could steal credit card information to pay for the Moonshot or Z.ai API directly, or just use stolen API keys. Moonshot and Z.ai are required to cooperate with Chinese intelligence, but they have no meaningful incentive or mechanism to report abuse to Western law enforcement. For non-Chinese threat actors (e.g. Russian ransomware groups, Southeast Asian fraud operations), this makes Chinese API access a very low-risk avenue. Chinese state-sponsored actors, meanwhile, presumably don&#8217;t need stolen credit cards at all. Sysdig <a href="https://www.sysdig.com/blog/llmjacking-targets-deepseek">reported that</a> operators who run illegal reverse proxies on stolen API keys added DeepSeek models within days of release, suggesting this shift is already underway.</p><p>For more sophisticated actors, fully private on-prem deployment is also within reach. Deploying Kimi 2.5 on-prem requires significant capex: roughly $200&#8211;500K all in<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-5" href="#footnote-5" target="_self">5</a>, depending on configuration, for usable agentic coding throughput. But the implicit assumption that this hardware is hard for cybercriminals to get doesn&#8217;t hold up. The <a href="https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0297312">World Cybercrime Index</a> ranks the top six sources of cybercrime as Russia, Ukraine, China, the US, Nigeria, and Romania. Of these, three &#8211; Ukraine, the US, and Romania &#8211; face zero export restrictions on GPU hardware. Russia and China, the two countries most relevant to US national security, are the only top-six sources that face genuine hardware access constraints, and even there, there is a prolific grey market.</p><p>On-prem deployment doesn&#8217;t even need to be the most likely path by which visibility into attacker usage is lost. 
Between Chinese APIs, non-KYC cloud providers, and compromised infrastructure, there are many ways to run open-weight models outside Western visibility. The appetite for doing so already exists. Mandiant <a href="https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use">reports</a> that &#8220;there is an enduring market for AI services specifically designed to support malicious activity&#8221; and I see no reason why this market would go away. One such service, Xanthorox, advertises itself as running &#8220;security on our dedicated servers&#8221; and &#8220;not sharing data with third-party corporations,&#8221; showing that this is clearly a desirable quality for attackers<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-6" href="#footnote-6" target="_self">6</a>.</p><h3>Distillation might be accelerating the proliferation of offensive cyber capabilities</h3><p>Anthropic <a href="https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks">recently accused</a> Moonshot, the makers of Kimi, as well as DeepSeek and Minimax, of illicitly extracting Claude&#8217;s capabilities to train their own models. It was a large operation: the Chinese labs &#8220;generated over 16 million exchanges with Claude through approximately 24,000 fraudulent accounts.&#8221; Google Threat Intelligence also <a href="https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use">wrote in the past few weeks</a> of a distillation attack campaign against Gemini, identifying &#8220;over 100,000 prompts.&#8221;</p><p>Moonshot is the same company that makes Kimi 2.5, the frontier-on-benchmarks model whose API I described above as a low-risk access point for attackers wanting frontier capabilities without Western law enforcement oversight. 
Moonshot distills from Claude and makes these capabilities freely available to adversaries and attackers. The case for preventing distillation is larger than just protecting corporate IP. If distillation is what&#8217;s keeping the open-weight lag to just 3&#8211;6 months, then anti-distillation efforts are also a cybersecurity misuse intervention. Mitigating distillation directly protects the window in which labs can still see and respond to misuse.</p><p>To what extent are Kimi and GLM&#8217;s cyber capabilities due to distillation? It&#8217;s hard to say, but if these models are only 3&#8211;6 months behind because they&#8217;re collecting data from Anthropic, OpenAI, and Google DeepMind and training on it, then making distillation harder is one of the highest-leverage interventions available right now.</p><h3>Plan for resilience, not for control</h3><p>Even if we can fully protect against distillation attacks, though, it won&#8217;t fully solve the problem. The Chinese state-sponsored espionage campaign that Anthropic disrupted in September 2025 was conducted using Claude Code, which at the time ran on Opus 4.1. Current open-weight models already score above Opus 4.1 on capability benchmarks. The capabilities that enabled the first documented autonomous cyber espionage operation are, in all likelihood, already available in the near-frontier open-weight models. There&#8217;s also probably an elicitation overhang: not every attacker has yet discovered the best prompting strategies and tool-use patterns for offensive cyber, but they will.</p><p>We have to reckon with the fact that we now live in a world where attackers have access to advanced cyber-attack capabilities. There is no putting the cat back in the bag. 
Even if we expect no further progress from open or closed models, we should expect future harm as attackers learn how to best apply what&#8217;s already available.</p><p>The lab-based safety paradigm buys time, but not much, and anti-distillation efforts can extend it but can&#8217;t preserve it indefinitely. The priority now should be investing in defences that work regardless of where the model lives &#8211; hardening the institutions most likely to be targeted, building AI-powered defensive tooling <a href="https://kamilelukosiute.com/posts/design-for-the-defenders-you-care-about-or-risk-being-useless.html">designed for real operational constraints</a>, and developing detection and attribution capabilities that don&#8217;t depend on visibility into model providers.</p><p>In my next blog post, I&#8217;ll describe what a serious investment agenda along these lines would look like.</p><p><em>Thank you to Adam Swanda, Jake Steckler, Amelia Michael, Aidan Homewood, Matthew van der Merwe, and Alan Chan for feedback on this piece.</em></p><div class="footnote" data-component-name="FootnoteToDOM"><a id="footnote-1" href="#footnote-anchor-1" class="footnote-number" contenteditable="false" target="_self">1</a><div class="footnote-content"><p>Know Your Customer &#8211; requiring users to identify themselves, e.g. by creating an account, providing a credit card, or verifying identity. 
</p></div></div><div class="footnote" data-component-name="FootnoteToDOM"><a id="footnote-2" href="#footnote-anchor-2" class="footnote-number" contenteditable="false" target="_self">2</a><div class="footnote-content"><p>I don&#8217;t love that my best policy analogy here is an authoritarian government, but: China <a href="https://www.weforum.org/stories/2022/01/what-s-behind-china-s-cryptocurrency-ban/">banned Bitcoin in 2021</a>, on the basis of the same reasoning: legitimate use cases exist, sure, but the crime-enabling downside isn&#8217;t worth it.</p></div></div><div class="footnote" data-component-name="FootnoteToDOM"><a id="footnote-3" href="#footnote-anchor-3" class="footnote-number" contenteditable="false" target="_self">3</a><div class="footnote-content"><p>Opus 4.5 and GPT-5.2</p></div></div><div class="footnote" data-component-name="FootnoteToDOM"><a id="footnote-4" href="#footnote-anchor-4" class="footnote-number" contenteditable="false" target="_self">4</a><div class="footnote-content"><p>Shout out to Heron Security for <a href="https://www.linkedin.com/posts/eli-parkes_moneys-not-the-bottleneck-talent-is-if-activity-7430522486296965120-mMFu?utm_source=share&amp;utm_medium=member_desktop&amp;rcm=ACoAAB5GEqIB39qcLLKPYBip3vqzvEKG6Wv4zDU">hosting a delegation</a> of 14 cybersecurity professionals who participated in my workshop on AI cyber capabilities.</p></div></div><div class="footnote" data-component-name="FootnoteToDOM"><a id="footnote-5" href="#footnote-anchor-5" class="footnote-number" contenteditable="false" target="_self">5</a><div class="footnote-content"><p>Running Kimi requires 4&#8211;8 high-end NVIDIA GPUs (e.g. H100, B200), with total hardware costs ranging from roughly $120,000 to $300,000 depending on configuration. 
Individual B200 GPUs sell for $30,000&#8211;$40,000 each (Epoch AI, <a href="https://epoch.ai/data-insights/b200-cost-breakdown">Dec 2025</a>; <a href="https://epoch.ai/data/ai-chip-sales-documentation">Jan 2026</a>); an 8-GPU H100 server runs ~$190,000 at hyperscaler pricing or ~$280,000 at retail (Epoch AI, <a href="https://epoch.ai/data/ai-chip-sales-documentation">Jan 2026</a>). Assuming GPU hardware is roughly 60% of total datacenter operating costs, total deployment costs are approximately $200,000&#8211;$500,000. This hardware setup would support roughly 10&#8211;20 concurrent agentic sessions.</p></div></div><div class="footnote" data-component-name="FootnoteToDOM"><a id="footnote-6" href="#footnote-anchor-6" class="footnote-number" contenteditable="false" target="_self">6</a><div class="footnote-content"><p>Xanthorox is a bit of a meme because Mandiant reports that it is not a custom AI at all but rather uses stolen API keys for frontier models and routes traffic to them; but I expect more advanced attackers to do better and actually maintain proper opsec.</p></div></div>]]></content:encoded></item><item><title><![CDATA[American Character]]></title><description><![CDATA[Originally published September 1, 2023; cross-posted to Substack on February 7, 2026]]></description><link>https://blog.kamilelukosiute.com/p/american-character</link><guid isPermaLink="false">https://blog.kamilelukosiute.com/p/american-character</guid><dc:creator><![CDATA[Kamile Lukosiute]]></dc:creator><pubDate>Sat, 07 Feb 2026 20:12:59 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!2ei3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faa9f95c3-4bad-417b-a429-107200772758_1000x667.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Originally published September 1, 2023; cross-posted to Substack on February 7, 2026</em></p><p>A few weeks ago, I had some spare time, so I went 
for a long walk. In the end, I walked for twelve days and 200 miles of the Pacific Crest Trail. Rookie numbers compared to those who walk the full trail (which is 2600 miles in length total), but given that this was my first long distance hike, I think I did well.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!2ei3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faa9f95c3-4bad-417b-a429-107200772758_1000x667.png" width="1000" height="667" alt=""></figure></div><p>In those twelve days, I pushed myself out of my comfort zone constantly - both physically and mentally. I started by hiking 10 or so miles a day until I acclimated to the altitude and the strenuous activity, and by the end of the trip, I was walking 21-23 miles a day. The physical challenge was not the biggest, however. No, the biggest challenge was the mental one of being constantly alone.</p><p>Most people who hike the PCT start at the Mexican border or Canada and end up members of a &#8220;Bubble&#8221; - a dense cluster of hikers, separated only by a few miles between them. At night, they tend to cluster at water sources or known campsites. When you hike the PCT in full, you&#8217;re never really alone for all that long. 
If you pick an arbitrary section of the PCT to hike at an arbitrary time (like I did), well, there&#8217;s no guarantee there will be anyone else on trail.</p><p>For most of the eleven nights I was hiking, I camped completely alone. Sometimes twenty-four hours would go by until I saw another human being. This might sound lovely to someone sitting at home, but it feels terrifying in the wilderness. You may be 30 miles from the nearest semblance of civilization, with only your water filter and homemade first aid kit to save you in case of emergency. The first few hours are relaxing, peaceful, but after a while, all the likely and unlikely scenarios start running through your head. You realize how little knowledge you truly have about surviving in the wilderness. How many venomous snakes are there in the Sierras? How much tree cover is sufficient to protect you in a lightning storm on top of a mountain ridge? What if there&#8217;s a bear with rabies? Can bears get rabies? What if grizzly bears weren&#8217;t completely hunted into extinction in the 1800s and I&#8217;m going to be attacked by the lone survivor?</p><p>Rational thinking turns irrational when there is not a single soul around to keep you grounded. Your own thoughts keep you awake, afraid, tired, sleepless. You long for a person to talk to, any person.</p><p>It was in this mental state, after hiking twelve days straight, after hiking about 23 miles on my last day, that I arrived at the intersection of the PCT and Big Creek Road in Bucks Lake, California. My map told me that this was a spot that one could hitchhike from into the town of Quincy. I had been dreaming about the prospect of a shower and a clean bed in a motel from the moment I started hiking that morning.</p><p>I arrived at the aforementioned road at 6:45pm and quickly realized that it was a rarely traversed country road. 
I stood there for 30 or 40 minutes, but <em>not a single car drove by.</em> The sun was setting, and I was worried I would have to camp completely alone for one last time - along the side of this road. I was getting somewhat desperate, when I saw the first car: a red Jeep, older model, the kind meant for off-roading. I stick out my thumb, they stop. Two men, late 20s, wearing camo, carrying hunting bows. I ask if they would take me to town, they say sure, but we&#8217;re gonna be hunting until night falls in a few hours, then we&#8217;ll pick you up here... unless you wanna go deer hunting with us.</p><p>Perhaps I shouldn&#8217;t have been so trusting - perhaps I should have been afraid of being kidnapped, but I was not. In that moment, I was so excited to see real people, I was so traumatized by being alone, I was so thankful that they had stopped to pick me up. I had never been deer hunting before, but I said, you know what, I&#8217;d love to join you for an hour or two of deer hunting. My other option was to stand there and wait for the next car that may never come as it got darker and darker.</p><p>So I hopped into the back of the Jeep, we drove up the mountain (that I had just climbed down), braking only for deer we spotted. They told me about their hometown, their friends, their jobs as power line repairmen (working predominantly in winter when the storms break the lines), the injuries they sustain on the job. They told me about how they hunt for bears and deer and waterfowl, how their freezers full of game meat make them feel prepared for emergency and self-sufficient. As we rode in the Jeep, they offered me a beer, which I gladly accepted (Coors Light may as well be the nectar of the gods after 13 hours of hiking).</p><p>In my daily life, I don&#8217;t encounter people who regularly hunt and fish, who drive pickup trucks and Harleys, who own guns, who didn&#8217;t go to college. 
I live in my own, self-selected little bubble of computer scientists, physicists, the occasional biologist. So this chance encounter was a fascinating glimpse into another world, their world, one they were very open to introducing me to. We talked a lot while trying to spot deer. They were, to use their own word - hillbillies - but they were also intelligent, self-reflective, kind, and thoughtful. When they asked me what I was doing out in the backcountry, alone, hiking, I told them the truth - I lost my dream job a few months ago, and it still really hurt me, and I still hated myself for messing it all up, so I wanted to think about it. One of the guys turned around and said, &#8220;Was it your dream job or a job at your dream company?&#8221; He fully understood what I was going through, he fully understood what had happened to me, he just got it and I didn&#8217;t need to explain.</p><p>After 2 hours, we had spotted a few does, but alas California only gives out tags for bucks at this time of year, so we ended the hunt empty-handed. They drove me into town, we all went to Safeway for snacks, and then they drove me to a motel. I went to ask if there were rooms available, while the two dudes waited for me in the car. No rooms. They drove me to another hotel; again, no rooms. Finally, it was decided that it was best for me to just go to a campground where there would certainly be space, so they brought me there. These concealed-carrying, deer-hunting, self-proclaimed hillbillies showed me nothing but respect, kindness, care, patience, generosity, and curiosity, and expected nothing in return.</p><p>I used to think that you needed to have a certain type of life to develop the character traits that I now value the most - that you needed to be well-read and educated to become curious, generous, tenacious, dedicated, kind. 
I rarely saw these traits that I now value so much growing up, and I always assumed it was because poor, uneducated immigrants (like myself) don&#8217;t develop character traits like this without extraordinary amounts of effort (and favorable circumstance). But this was not true; these character traits <em>can</em> be found everywhere, and perhaps they are as likely to be found among the well-read, educated tech folk that I associate with now as they are in my immigrant community. But these traits are <em>rare</em>, incredibly rare. These character traits are the best America has to offer - and the best is rare. If you&#8217;re lucky, you&#8217;ll stick your thumb out hitchhiking and run into the best on a quiet, rarely traversed country road.</p>]]></content:encoded></item></channel></rss>