White House Memo Accuses Chinese Firms of Systematic AI Technology Theft
TL;DR
A White House memo from OSTP Director Michael Kratsios accuses China-based firms of "industrial-scale" campaigns to distill U.S. frontier AI models, citing tens of thousands of proxy accounts and jailbreaking techniques targeting companies like Anthropic and OpenAI. The allegations, which build on the first-ever AI espionage conviction and new bipartisan legislation, raise unresolved questions about where open scientific exchange ends and trade-secret theft begins — with consequences for thousands of Chinese researchers in American universities and the labs that depend on them.
On April 23, 2026, Michael Kratsios, Director of the White House Office of Science and Technology Policy (OSTP), sent a memorandum to the heads of every federal agency with a stark warning: foreign entities "principally based in China" are running "deliberate, industrial-scale campaigns to distill U.S. frontier AI systems." The memo, titled "Adversarial Distillation of American AI Models," described coordinated attacks using tens of thousands of proxy accounts and jailbreaking techniques to extract proprietary capabilities from American AI companies.
The document lands weeks before a planned Trump-Xi summit and follows months of escalating tensions between the world's two largest AI powers. It also arrives in the wake of the first-ever U.S. conviction for AI-related economic espionage and a bipartisan congressional push for new sanctions. But the memo raises as many questions as it answers — about what exactly was taken, how it differs from legitimate competition, and who will pay the price if restrictions tighten.
What the Memo Claims
The Kratsios memo centers on a specific technique: model distillation. In AI development, distillation refers to training a smaller, cheaper model by feeding it the outputs of a larger, more powerful one. The practice is common within the industry — companies routinely distill their own models to create lighter versions. The memo's concern is that foreign actors are doing this to American models without authorization, at massive scale, and for strategic advantage.
According to the memo, the campaigns use "tens of thousands of proxy accounts" to evade detection and employ jailbreaking techniques — methods of circumventing a model's built-in safety restrictions — to "expose proprietary information" and "extract capabilities from American AI models." Kratsios warned that the resulting distilled models allow adversaries to "deliberately strip security protocols" and "undo mechanisms that ensure those AI models are ideologically neutral and truth-seeking."
The memo does not name specific Chinese companies. But it builds directly on allegations that U.S. AI firms have made public over the preceding months.
The Companies and the Evidence
In February 2026, Anthropic accused three Chinese AI companies — DeepSeek, Moonshot AI, and MiniMax — of orchestrating campaigns to extract capabilities from its Claude chatbot. Anthropic reported that the three firms generated more than 16 million exchanges with Claude through approximately 24,000 fraudulent accounts, violating terms of service and regional access restrictions. The company described the effort as intellectual property theft.
OpenAI leveled similar charges. In a letter to the House Select Committee on China, also in February, OpenAI claimed to have observed activity "indicative of ongoing attempts by DeepSeek to distill frontier models of OpenAI and other US frontier labs, including through new, obfuscated methods." Google's Threat Intelligence Group confirmed that its Gemini model had been subjected to more than 100,000 prompts in what it characterized as a significant distillation attempt.
None of the three accused Chinese companies — DeepSeek, MiniMax, or Moonshot AI — have publicly responded to these allegations.
From Distillation to Espionage: The Linwei Ding Case
The memo's framing of AI theft as a national security issue gained concrete support from a criminal case that concluded months earlier. On January 30, 2026, a federal jury in San Francisco convicted Linwei Ding, a former Google software engineer, on seven counts of economic espionage and seven counts of theft of trade secrets. It was the first conviction on AI-related economic espionage charges in U.S. history.
Between May 2022 and April 2023, while still employed at Google, Ding downloaded more than 2,000 pages of confidential documents related to Google's proprietary AI infrastructure — including designs for Tensor Processing Units (TPUs), Graphics Processing Units (GPUs), and SmartNIC network interface cards — and uploaded them to a personal cloud account. During the same period, Ding was secretly serving as Chief Technology Officer for a China-based technology company and founding his own AI startup in the People's Republic of China.
Ding faces a maximum of 10 years per count for trade secret theft and 15 years per count for economic espionage. The case gave prosecutors a tangible example of the kind of technology transfer the White House memo describes — though the methods (insider theft versus external distillation) differ substantially.
The Legal Response: Bills, Entity Lists, and Sanctions
The memo has catalyzed legislative action. The House Foreign Affairs Committee unanimously approved the "Deterring American AI Model Theft Act of 2026," introduced by Representatives Bill Huizenga and Peter Moolenaar, both Republicans from Michigan. The bill would establish a process to identify foreign actors that extract "key technical features" from closed-source, U.S.-owned AI models and punish them with measures including sanctions and placement on the U.S. Entity List.
"Model extraction attacks are the latest frontier of Chinese economic coercion and theft of U.S. intellectual property," Huizenga said.
The Trump administration has also signaled it will share threat intelligence with U.S. AI companies, coordinate with the private sector on defenses against distillation campaigns, and "explore measures to hold foreign actors accountable." Retired General Paul Nakasone, former director of the National Security Agency, suggested the administration may pursue tailored export controls and technology restrictions.
These tools sit within a broader enforcement apparatus. The Economic Espionage Act of 1996 provides for fines of up to $5 million and 15 years' imprisonment for individuals, and fines of up to $10 million or three times the value of the stolen trade secret for organizations. Between 1996 and 2020, the Department of Justice brought 190 cases against 276 defendants under the Act, yielding 31 convictions for economic espionage under Section 1831. Export controls under the Export Administration Regulations (EAR) already restrict advanced chip sales to China, with the Bureau of Industry and Security (BIS) adding 65 Chinese entities to the Entity List in 2025 alone.
In December 2025, the DOJ's Operation Gatekeeper disrupted a network responsible for exporting at least $160 million worth of AI chips to mainland China and Hong Kong. In February 2026, BIS announced a $252 million settlement with a materials engineering company for illegally exporting semiconductor manufacturing equipment to a Chinese Entity List company through a South Korean subsidiary.
The Line Between Theft and Competition
Not everyone agrees the memo's framing is accurate. The legal and technical distinction between model distillation and legitimate reverse engineering remains contested.
Under U.S. trade secret law, reverse engineering — learning how something works by examining it — is generally lawful. The law prohibits misappropriation, not independent discovery or reverse engineering through fair and honest means. The question is whether querying a publicly accessible AI model through its API constitutes reverse engineering (akin to buying a product and taking it apart) or misappropriation (akin to breaking into a facility).
Several factors complicate this analysis. First, the AI companies' terms of service explicitly prohibit using model outputs to train competing systems, making the distillation campaigns a contractual violation regardless of trade secret law. Second, the scale of the alleged campaigns — 16 million queries through 24,000 fraudulent accounts, in Anthropic's case — goes well beyond casual use. Third, the use of proxy accounts and jailbreaking techniques suggests intent to evade detection, which courts may interpret as evidence of improper acquisition.
But critics note that distillation produces a model trained on outputs, not a copy of the original model's architecture, weights, or training data. The resulting model is a derivative work, not a clone. Some AI researchers argue that the practice is closer to a student learning from a teacher than to stealing blueprints.
"The memo conflates several distinct activities," said one analysis from the Center for European Policy Analysis (CEPA), noting that "open scientific exchange, competitive intelligence, government-directed espionage, and criminal theft occupy different points on a spectrum that the memo treats as a single phenomenon."
The Talent Pipeline Dilemma
Perhaps the most consequential — and least discussed — dimension of the memo concerns its implications for the thousands of Chinese nationals studying and working in U.S. AI research.
A December 2025 study by the Carnegie Endowment for International Peace tracked 100 top Chinese-origin AI researchers who were at U.S. institutions in 2019. By 2025, 87 remained in the United States — 41 at U.S. companies (with over half at the "Magnificent Seven" tech firms: Google, Amazon, Apple, Meta, Microsoft, Nvidia, and Tesla), 40 as university professors, and 3 as startup founders. Only 10 had returned to China.
That 87% retention rate is a strong indicator of American competitiveness. But the study identified a warning sign: fewer Chinese researchers are choosing to come to the U.S. in the first place. PhD applications from Tsinghua University — historically a major pipeline — fell from 50% to 20% in recent years. At the NeurIPS AI conference in 2022, Chinese-origin researchers comprised nearly 50% of sampled authors, but a declining share were based in the United States.
In May 2026, Secretary of State Marco Rubio announced the administration would "aggressively revoke visas for Chinese students, including those with connections to the Chinese Communist Party or studying in critical fields." The Brookings Institution warned that such policies threaten to cut off a talent pipeline that U.S. AI labs depend on, noting that stricter background checks have already resulted in qualified PhD students being denied entry.
The tension is structural. The same population that represents a potential espionage risk also constitutes a substantial fraction of the researchers producing America's AI advances. Overly broad restrictions risk driving talent to competitors — including to the Chinese labs the memo aims to constrain.
How Allied Governments See the Problem
The United States is not alone in confronting Chinese technology acquisition campaigns, though the scale and methods vary across allies.
In the Netherlands, ASML — the sole manufacturer of extreme ultraviolet lithography machines essential for advanced chipmaking — now faces "thousands of security incidents each year," with several confirmed Chinese infiltration attempts. Chinese state-affiliated hackers maintained access to the networks of NXP, another Dutch semiconductor company, for more than two and a half years, obtaining chip design data and research materials.
In Belgium, authorities deported Chinese researchers suspected of conducting industrial espionage at imec, a leading semiconductor research center. The European Commission has designated advanced semiconductors as one of four critical technology areas requiring enhanced risk assessments and security protocols, and plans to invest more than €3.3 billion in semiconductor R&D through the Chips for Europe initiative.
The Five Eyes intelligence alliance — the United States, United Kingdom, Canada, Australia, and New Zealand — has coordinated warnings about Chinese cyber espionage, with joint statements calling for collective responses including sanctions and diplomatic pressure. Japan, which hosts critical semiconductor supply chain companies, has tightened its own export controls on advanced chipmaking equipment in coordination with Dutch and American restrictions.
These allied experiences suggest the pattern described in the Kratsios memo extends beyond the United States. The CSIS survey of Chinese espionage documented 224 reported instances of Chinese espionage directed at the U.S. since 2000, with the pace accelerating — from roughly 8 cases in the 2000–2005 period to 65 in the 2021–2025 period. A 2024 report found Chinese cyber espionage operations surged 150% overall that year, with attacks on financial, media, and manufacturing sectors rising up to 300%.
What the Memo Doesn't Address
The memo is notably silent on several points that would strengthen its case — or complicate it.
It does not provide technical forensics demonstrating that specific Chinese models were built through distillation of American systems, as opposed to parallel development using publicly available research. DeepSeek, which published its model architecture and training methodology in a widely read technical paper, has been praised by some Western researchers for its efficiency innovations. Whether those innovations resulted from distillation, from access to published academic literature, or from independent research remains an open question.
The memo does not distinguish between state-directed campaigns and actions by private companies that may be operating independently. While the Ding case demonstrated a direct connection between an individual and Chinese state interests, the distillation campaigns attributed to DeepSeek, Moonshot AI, and MiniMax have not been publicly linked to government direction.
The memo also does not quantify the economic losses from distillation. The broader estimate of U.S. losses from Chinese cyber espionage — $20 to $30 billion annually, according to CSIS — encompasses all forms of intellectual property theft, not AI specifically. No public estimate exists for the value of capabilities extracted through model distillation alone.
What Happens Next
The Kratsios memo sets the stage for a series of concrete policy actions in the coming months. Federal agencies have been directed to coordinate with AI companies on threat intelligence sharing and defensive measures. The Deterring American AI Model Theft Act is moving through Congress with bipartisan support. And the Trump administration's broader posture toward China — including the upcoming summit — will determine whether the memo's rhetoric translates into enforcement.
The stakes extend beyond any single company or prosecution. Global AI research output has exploded, with more than 590,000 papers published in 2025 alone. The question of who owns the knowledge embedded in AI models — and whether querying a model constitutes theft — will shape the next decade of AI competition between the United States and China. The answer will determine not just corporate profits, but the rules governing a technology that both nations consider central to their economic and military futures.
Sources (18)
- [1] White House accuses China of 'deliberate, industrial-scale campaigns' to steal US AI models (nextgov.com)
OSTP Director Michael Kratsios sent memo to federal agency heads accusing China-based actors of using proxy accounts and jailbreaking to extract capabilities from American AI models.
- [2] White House official accuses foreign entities of 'industrial-scale' theft of US AI (thehill.com)
Kratsios memo warns distillation campaigns allow actors to strip security protocols and undo safety mechanisms in resulting models.
- [3] White House accuses China of 'industrial-scale' AI technology theft weeks ahead of Trump-Xi summit (foxbusiness.com)
Trump administration plans to share intelligence with AI companies, coordinate defenses, and explore accountability measures for foreign actors.
- [4] Anthropic accuses DeepSeek, Moonshot and MiniMax of distillation attacks on Claude (cnbc.com)
Anthropic reported 16 million exchanges from approximately 24,000 fraudulent accounts targeting Claude, in what it described as intellectual property theft by three Chinese AI companies.
- [5] Anthropic claims 3 Chinese companies ripped it off, using its AI tools to train their models (fortune.com)
OpenAI documented ongoing attempts by DeepSeek to distill frontier models using new obfuscated methods; Google confirmed over 100,000 prompts targeting Gemini.
- [6] Former Google Engineer Found Guilty of Economic Espionage and Theft of Confidential AI Technology (justice.gov)
Linwei Ding convicted on 7 counts of economic espionage and 7 counts of trade secret theft for stealing over 2,000 pages of Google AI trade secrets related to TPUs, GPUs, and SmartNIC designs.
- [7] Former Google engineer found guilty of espionage and theft of AI tech (cnbc.com)
Ding secretly affiliated with two PRC-based technology companies while employed at Google, founding his own AI startup in China as its CEO.
- [8] Deterring American AI Model Theft Act of 2026 (congress.gov)
Bipartisan bill to identify foreign actors extracting key technical features from closed-source U.S. AI models and punish them with sanctions and Entity List placement.
- [9] Economic Espionage Act of 1996 (wikipedia.org)
Between 1996 and 2020, 190 cases brought against 276 defendants, with 31 convicted of economic espionage under Section 1831. Maximum penalties of $5 million and 15 years for individuals.
- [10] Managing Export Control Risks in the AI Chip Ecosystem (mofo.com)
BIS revised export policy for AI chips to China in January 2026; DOJ Operation Gatekeeper disrupted $160 million in illegal AI chip exports; BIS announced $252 million settlement for illegal semiconductor equipment exports.
- [11] Reverse Engineering in the Age of AI: Are Your Trade Secrets Still Safe? (gtlaw.com)
Trade secret law prohibits misappropriation but not reverse engineering through fair and honest means; the line between lawful reverse engineering and unlawful extraction is contested in the AI context.
- [12] Watch Out Europe: China is Stealing Your Chip Research (cepa.org)
ASML faces thousands of security incidents per year; NXP was infiltrated by Chinese hackers for over two years; Belgian authorities deported Chinese researchers from imec for suspected espionage.
- [13] Have Top Chinese AI Researchers Stayed in the United States? (carnegieendowment.org)
87 of 100 top Chinese-origin AI researchers at U.S. institutions in 2019 remained by 2025; 41 at U.S. companies, 40 as professors; but the inflow pipeline is narrowing.
- [14] China-US immigration policies could reshape the AI talent race (restofworld.org)
PhD applications from Tsinghua University to U.S. programs fell from 50% to 20%; visa restrictions and geopolitical tensions are reshaping the flow of AI talent between China and the U.S.
- [15] US security and immigration policies threaten its AI leadership (brookings.edu)
Brookings warns that overly broad visa restrictions and security screenings risk cutting off a talent pipeline that U.S. AI labs depend on for competitiveness.
- [16] Five Eyes Warn Of Chinese Cyber Espionage (silicon.co.uk)
Five Eyes alliance has coordinated intelligence sharing and joint warnings on Chinese cyber espionage, advocating for collective sanctions and diplomatic pressure.
- [17] Survey of Chinese Espionage in the United States Since 2000 (csis.org)
224 reported instances of Chinese espionage since 2000; Chinese cyber espionage surged 150% in 2024; estimated U.S. losses of $20-30 billion annually from Chinese cyber espionage.
- [18] OpenAlex: AI Research Publication Trends (openalex.org)
More than 590,000 AI research papers published in 2025, reflecting the explosive growth in global AI research output.