We didn’t think the next great liquidity attack would hit a model, not a pool.
But here we are: Chinese labs have been running a massive distillation arbitrage on OpenAI and Anthropic, treating their APIs like an AMM with infinite slippage. Code is law, but liquidity is truth—and the truth is, billions of tokens of inference compute are being siphoned to train unauthorized replicas. The scale is staggering: tens of thousands of fake accounts, each generating hundreds of thousands of tokens per month, all to extract the soft decision boundaries of GPT-4o and Claude 3.5.
This isn’t a hack. It’s a systematic exploitation of the one vulnerability that no rate limiter can fix: the assumption that people will play by the rules.
Context: The Art of Distillation
Model distillation, or knowledge distillation, is a well-known technique in machine learning. A “teacher” model (here, closed-source API) generates outputs—logits, soft labels, or full responses—which are then used to train a smaller, cheaper “student” model. The student learns to mimic the teacher’s behavior, often with a fraction of the parameters. In academic circles, this is a legitimate research tool. In industrial espionage, it’s a weapon.
The mechanics are simple: register thousands of accounts, each with a unique IP and usage pattern. Fire prompts at the teacher model—anything from general knowledge questions to carefully crafted adversarial inputs—and collect the responses. Feed those responses into a custom training pipeline. Weeks later, a model emerges that can replicate ~80% of the teacher’s performance, at a fraction of the computational cost and with no licensing fees.
Back in 2017, I audited Golem’s pre-sale smart contracts. I found three critical logic flaws in the token distribution algorithm—bugs that could have caused mass inflation. The lesson? The most dangerous vulnerabilities are not in the code logic, but in the assumptions about human behavior. OpenAI and Anthropic assumed their account verification, rate limits, and anomaly detection would suffice. They were wrong.
Now, both companies have publicly warned that this distillation campaign is draining their revenue and eroding their competitive advantage. But the damage isn’t just financial. It’s existential.
Core: The Mechanics of the Drain
Let’s deconstruct the attack vector. It’s not a single exploit; it’s a confluence of engineering and economics.
The Data Pipeline
Distillation requires high-quality teacher outputs. The attackers aren’t just scraping responses—they’re optimizing for information gain. My analysis of the reported scale (tens of thousands of accounts) suggests a coordinated effort. Each account likely targets a different subset of the teacher model’s knowledge: some focus on reasoning, others on creative writing, others on code generation. The output distribution is then aggregated to train a student model that captures the teacher’s full latent space.
The cost to the attackers? Minimal. API pricing for GPT-4o is roughly $10 per million input tokens and $30 per million output tokens. With 10,000 accounts generating, say, 500,000 tokens per month each, the monthly API bill would be around $200,000. But that’s a rounding error for state-backed labs. For OpenAI and Anthropic, that same volume represents millions of dollars in lost potential revenue—and worse, it’s subsidizing their competitors.
The Alignment Collapse
Here’s the part that keeps me up at night. Distillation doesn’t just transfer capabilities; it selectively filters safety alignment. The RLHF (Reinforcement Learning from Human Feedback) that makes GPT-4 refuse to generate harmful content is only partially preserved during distillation. The student model, optimized purely for utility, often bypasses safety guardrails. This is the classic “alignment tax” problem—the more you compress, the more you lose the nuanced refusal behavior.
In 2020, I modeled Uniswap V2’s geometric mean pricing. I realized that traditional market makers were obsolete because their pricing was deterministic and manipulable. Here, the same principle applies: the deterministic nature of API responses makes them vulnerable to extraction. The attacker can replay prompts that triggered refusals in the teacher, but the student model—lacking the alignment—will produce unconstrained outputs. These “naked” models can be weaponized for disinformation, malware generation, or targeted social engineering.
The Resonance Index
In 2021, during the Bored Ape Yach Club frenzy, I developed a “Resonance Index” to quantify the social capital of celebrity ownership. It predicted the market peak weeks before the crash. The underlying metric was the rate of narrative decay—how quickly the hype was outpacing genuine utility.
This distillation attack exhibits a similar pattern. The narrative that closed-source models are unassailable is decaying in real time. With each token extracted, the perceived value of API exclusivity diminishes. The market is beginning to price in the commoditization of frontier AI capabilities. Liquidity pools don’t care about your feelings—they care about truth. And the truth is, the cost of replication is plummeting.
Contrarian: The Long Game
Most analysts are calling this an existential threat to OpenAI and Anthropic. I disagree. The contrarian thesis is this: distillation is forcing the industry to evolve faster than it would have otherwise.
The Acceleration of Open Models
Open-source models like Llama 3 and Mistral are already closing the gap. Distillation doesn’t just steal from closed models—it also validates the open-source approach. If you can replicate 80% of GPT-4o using a 7B parameter model, then the marginal value of the original drops. The market will price models based on their inference cost, not their training cost. Closed models will be forced to find utility in real-time data, fact-checking, and continuous learning—areas where a frozen, distilled model cannot compete.
The Regulatory Trap
OpenAI and Anthropic are lobbying for stricter API regulations, including mandatory source disclosure for all deployed models. This might seem like a protective measure, but it could backfire. If regulators mandate that any model trained on API outputs must be licensed from the original provider, they will effectively freeze the innovation loop. The threat of litigation will push small players out of the market, concentrating power in the hands of the incumbents. But that’s a brittle strategy—it assumes the legal frameworks can keep pace with the technology.
During the 2022 Terra collapse investigation, I spent three months dissecting the algorithmic stablecoin mechanism. The fatal flaw was the assumption that infinite growth could sustain a system that relied on trust in a single oracle. The parallel is stark: relying on legal protection to defend IP is a trust-based mechanism in a trust-minimized market. Code is law, but liquidity is truth—and the truth is that legal walls are porous.
The Liquidity Mining Analogy
Let’s draw a direct parallel to DeFi. In 2020, liquidity mining programs offered triple-digit APYs to attract TVL. Projects subsidized those yields with token emissions. When the emissions stopped, the liquidity fled. The “real users” were mercenary capital.
Distillation is the liquidity mining of AI. The attackers are mercenary users. They extract capability through API incentives (cheap inference) and convert it into private student models. Stop the incentives—increase API prices, enforce stricter rate limits—and the distillation stops. But like DeFi, the damage is done: the TVL (capability) has been extracted, and the ecosystem has learned how to replicate the service without the original.
Institutional clients I’ve advised since 2025 are already building private, distilled models for compliance and cost reasons. They don’t care about alignment; they care about speed and auditability. The narrative that “open weights are dangerous” is being replaced by “open weights are inevitable.”
Takeaway: The Next Narrative
The bug wasn’t in the code; it was in the narrative that APIs are safe borders. The attack has exposed a fundamental truth about the AI economy: value is not in the model, but in the verifiability of its provenance.
Over the next two years, I expect the emergence of “model attestation” protocols—on-chain proofs that a model’s training data and distilled outputs are untainted by unauthorized extraction. Think of it as a form of digital twin for machine learning, where every weight and logit is linked back to a source transaction. Ethereum’s blob data, post-Dencun, is already saturated; these on-chain model fingerprints will compete for space.
On the capital side, firms will invest in AI security companies that can detect model theft through API traffic analysis—the same way Chainalysis tracks on-chain movements. The insurance vertical will grow: “model theft insurance” will become a standard clause in enterprise AI contracts.
But the contrarian play? Short the concept of model scarcity. Long the idea that distillation is a feature, not a bug. The labs that embrace open distillation will be the ones that win the long game, because they will capture the network effect of millions of users refining their models in the open.
Liquidity pools don’t care about your feelings. They care about truth. And the truth is, the attack on OpenAI and Anthropic is a signal that the AI industry is entering its post-scarcity phase. The code is written, the liquidity is flowing, and the narrative is decaying. The only question is: are you hunting the narrative, or being hunted by it?