• President Trump’s science advisor Michael Kratsios claims foreign actors are running a systematic campaign to extract capabilities from top US AI systems.
• The alleged theft involves tens of thousands of proxy accounts and jailbreaking techniques targeting “chains of thought.”
• US labs have raised similar alarms before—Anthropic, OpenAI, and Google have all reported attacks on their models.

Michael Kratsios, President Trump’s science advisor and director of the Office of Science and Technology Policy, issued a memo this week claiming that Chinese actors are systematically distilling American frontier AI models at what he described as “massive scale.” According to the memo, foreign operators are using tens of thousands of proxy accounts and jailbreaking techniques to pull capabilities from top US systems. The goal is to create smaller, cheaper models that match the performance of their American counterparts.

The process is called distillation. It’s a technique where a smaller model learns by observing the outputs of a larger one—essentially reverse-engineering intelligence by asking enough questions and studying the responses. When done legitimately between model trainers, it’s a standard part of the AI ecosystem. Kratsios is drawing a sharp distinction between that above-board research and what he characterizes as state-backed theft campaigns.

“Foreign actors are using tens of thousands of proxy accounts and jailbreaking techniques to pull capabilities from top US models,” the memo states. The attackers aren’t just after the outputs—they’re after the chains of thought, the internal reasoning steps that frontier models develop through expensive reinforcement learning. These reasoning traces represent months of compute and careful tuning. Extracting them lets competitors skip straight to the results without paying for the process.

The memo doesn’t name specific Chinese models that were allegedly built on illegally distilled American research. Kratsios points broadly to open-source and open-weight releases that the US government believes rest on this foundation, but offers no technical evidence or specific cases. That absence is notable given the specificity of the other claims.

What is claimed is sweeping: that this distillation industrial complex operates with state backing, that it strips safety guardrails from the resulting models, and that it undermines mechanisms designed to keep AI systems “ideally neutral” and “truth-seeking.” The Trump administration has made no secret of its desire to see US model makers bake its own political messaging into systems under that same banner of neutrality, much like the Chinese government does with its domestic models. The memo positions this as defensive, necessary to counter Chinese state influence in AI—despite the US government pursuing something functionally similar with its domestic pressure on labs.

The administration plans to share intelligence about these campaigns with US companies, tighten private sector cooperation, develop joint countermeasures, and explore action against those responsible. Anthropic, OpenAI, and Google have all flagged similar attacks before, suggesting the issue is genuinely on their radar even if the scope is hard to verify independently.

Kratsios acknowledges that legitimate distillation remains valid. His objection is to the systematic, state-backed nature of the alleged campaigns. But without named models or technical specifics, the memo reads more as a declaration of intent than a documented case. The US is clearly preparing to treat AI model weights as sensitive intellectual property with national security implications. Whether that framework can be enforced—and how it might reshape the open-source AI landscape—remains to be seen.

The tension is obvious: distillation is how knowledge spreads in AI research. Drawing a line between learning and theft means defining where open inquiry ends and espionage begins. The Trump administration has planted its flag on one side of that line. What enforcement looks like, and whether other governments accept the framing, will determine whether this memo marks a shift or just signals more friction ahead.
