what we're talking about when we're talking about AI espionage
Will Depue thinks Chinese labs have unfettered access to methods used by Frontier Labs in America. I think he's wrong.
Last week, Will Depue, formerly of OpenAI, said the thing a lot of people quietly believe. “There is no question, none at all, that china has full access to all of openai & anthropic’s github/slack/docs today,” and then the part worth answering: “i wouldn’t be surprised if we saw plausibly-deniable stolen ai research methods in chinese oss models.”
Will is a serious person and I want to take his argument seriously. When we’re talking about Chinese AI espionage, I think it’s tempting to make this entire conversation about one simple thing: that China has access to everything that a Frontier Lab would like to keep secret.
In my mind there are 4 things of value inside a Frontier Lab:
Model Weights
Methods
People
Culture
Stealing each of these will have different outcomes, different results, and different capabilities. More importantly, I think there are tells when each of these things will be accomplished, if they are in fact accomplished.
the most valuable thing in the building
I’m going to start with a claim that sounds backwards. Of the four, model weights are the least durable advantage to steal. If you walked out of Anthropic with Claude’s weights tomorrow you would hold something genuinely better than an API key. You could see the full distribution of what the model considered and not just the word it landed on, which is where a surprising amount of what it knows actually lives. Depending on how the model is served, you might even recover the reasoning tokens the API only shows you in summary. And you could generate as much training data as you wanted, with no rate limit, no cost, and none of the thousands of fake accounts it otherwise takes to get caught. You would be looking at the model directly, rather than through the keyhole of an API.
They still come last, because a stolen model is a depreciating asset. It is frozen the day you take it and a few months from embarrassing, since the frontier keeps moving and your pilfered asset does not. And even used quietly, to distill from behind closed doors, it gives you this quarter’s model rather than the thing that builds next quarter’s.
Whenever I think of the model weight question here, I think of that scene from There Will Be Blood, where Daniel Day-Lewis is chewing the scenery and talking about drinking his milkshake. That effect, that drinking of the milkshake, is effectively what distillation has done to a great many of the advances made by Anthropic and OpenAI over the last couple of years. When one distills a model, one receives many of the benefits of weight ownership, but is forced to do so through a laborious process. API access and the lack of reasoning traces make this process cumbersome, burdensome, and awkward.
Methods are important. Training recipes, RL infrastructure, reward pipelines, and frameworks that turn compute and text into something that reasons are arguably the most important thing that a lab can build.
The next thing is talent, which obviously has been leaking from Frontier Labs for a long time. Many of the labs in China are now run by people having left Frontier Labs in America, as Jensen said: half of all AI researchers are Chinese. If the frontier was built in large part by people born in China, the idea that China must jump through impossible hoops to find great talent is precisely backwards.
Finally culture, which I think is the most important sustained advantage of American AI. You may hate the culture of Anthropic, you may hate the culture of OpenAI, but it is undeniable that these two frontier labs have built one of the most impressive and fanatical groups of young people ever assembled in the name of science. That is also true, by the way, of most Chinese frontier labs.
So today I want to set out to ask two questions: Does China have access to any of these four things? What would the tells be if they were to access these?
steal the milkshake: tells in the outputs
The first category is model weights, and to his credit Will has not claimed China holds the actual weights of Anthropic or OpenAI. I will move through this one quickly, for the reasons above. I will correct one thing I used to believe, though, because it matters for the rest. Distilling through the API and distilling from weights you hold locally are not the same process at different speeds. Holding the weights is the better version, for everything I just listed. It is only that the advantage tends to surface as distillation that is unusually good, which is hard to tell apart from ordinary distillation done well, while the one unmistakable tell, a lab serving a model that is bit-for-bit one of ours, is the thing nobody would be careless enough to do.
Today many labs drink Claude’s milkshake, so to speak. The models from across the world taste like Claude, inheriting its texture, its quirks, the way that a forgery inherits brush strokes from a great painter. Claude pours that milkshake for anyone with an API key. In February, Anthropic published that three labs (DeepSeek, Moonshot, and MiniMax) ran more than 16 million conversations through Claude across about 24,000 fraudulent accounts that slipped past the rules. If you ask V3 by DeepSeek what it was, it told you cheerfully for quite a while that it was ChatGPT. This can be explained by reasons other than distillation, but I think you need to be naive to believe that distillation is not occurring on both sides of the Pacific in industrial quantities. I refer you to Nathan Lambert’s excellent piece on distillation for more information.
steal the kitchen: tells in the tooling
Now to the core of Will’s claim. Have methods been stolen from Frontier Labs? What evidence do we have that supports this?
If a lab, or a foreign government in support of indigenous labs, steals the kitchen that milkshake was made in, I believe that you would see evidence in the tooling. Training frameworks that were released in the open source would carry idiosyncratic design choices that have never reached a paper at NeurIPS. I also believe that if the tooling were stolen from Frontier Labs, one of the first things that would happen is that methods at the labs that stole it would be closed-source. Publishing someone else’s methods would give too many people opportunities to realize the espionage had occurred. Closure by itself is not a tell, of course. Chinese labs are also closing models for ordinary commercial reasons, since once a model is good enough to sell, giving it away stops being the obvious move. The tell would not be closure alone, but closure paired with a sudden capability jump that scale, talent, and known public work cannot explain.
There is a documented history of method theft in the case of Linwei Ding, who spent a year uploading more than two thousand pages of Google’s confidential specifications for the data centers it uses to train its largest models, while secretly affiliating himself with two PRC-based technology companies, according to the DOJ. A jury convicted him in January.
So what evidence do we have beyond Mr. Ding’s case? I think we should have a look at Slime, the Z.ai post-training architecture. When GLM 5.2 tied Claude Opus on the research-grade physics benchmark this month at a sixth of the price and with open weights, it raised suspicions that looked past the model to the kitchen, so to speak, that made it. Importantly, this infrastructure is open source today. Although Slime is as much a tool of Tsinghua University as Z.ai, it is the RL framework behind the whole GLM line. It is open-sourced under Apache and assembled almost entirely from other public code. The training half runs Megatron, which is made by NVIDIA. The rollout half runs SGLang out of Berkeley and Stanford. In the README of Slime you see that the list includes Qwen, DeepSeek, and Llama, so this is a Chinese open kitchen that has happily been cooking American models for you.
Intel folks will tell you this happens all the time, that Slime could be plausible cover, a stolen recipe rebuilt from public parts so it leaves no fingerprints. I can’t disprove that, and I won’t pretend to. But it helps to know what Slime actually is. It is the plumbing, the orchestration layer that runs Megatron on the training side and SGLang on the rollout side and shuttles data between them. The parts of a kitchen that are actually secret, the reward models, the data mix, the environments a model is graded against, are nowhere in it, because no lab on either side of the Pacific puts those in an open framework. Slime is the commodity layer, the part nobody needed to steal. So I’ll concede the obvious limit: the fact that it is open does not prove that nothing was taken, and if the stolen thing were a reward model rather than a framework, Slime would look exactly the same.
What Slime does do is point at where the real test is. The people who would know agree that post-training inside the frontier labs runs well ahead of anything in open source, and Slime sits squarely in open source. So if Z.ai were quietly cooking from a stolen frontier recipe, you would expect their open kitchen to be closing the gap with the closed ones. Instead it is visibly a step behind, which is exactly what you would see if the recipe had never left the building.
steal the chef: tells in the org chart
Now to talent, by far the easiest place to trace. For the uninitiated, Frontier Labs do a very good job of having very few people who see the entire stack. This is a methodology famously practiced by Apple to protect company secrets, and it works quite well to avoid having any single person who sees the entire stack understand how it all works.
Now, as I mentioned earlier, a great deal of the AI talent today is Chinese, as in born in China. MacroPolo’s talent tracker puts it at 38% of the researchers who published at NeurIPS 2024 having received their undergraduate education in China, up from 29% five years earlier. Although that’s not a perfect way of comparing these ecosystems, I do trust Jensen when he says that half of all AI researchers are Chinese.
There are well-documented cases of talent leaving Frontier Labs and moving to China. One of the most remarkable is Yao Shunyu, who is 27 and proposed one of the core ideas behind how frontier AI agents function. Mr. Yao left OpenAI last year for Tencent, reportedly making 100 million RMB. Wu Yonghui left DeepMind to run ByteDance’s Seed Lab. By one count, at least 85 established researchers have crossed from American institutions to Chinese ones in 2025.
None of this, I repeat, none of this is espionage; it’s a free labor market. California has no non-compete laws, and AI does not have the same rules as defense contractors when it comes to hiring foreign nationals. Visa policy, labor market, and the obvious value of frontier knowledge have driven these researchers back to China; it’s not a critical mass yet. I am actually astonished at how few people have made this transition, to be honest.
steal the vibes: tells in the culture
I’m lucky enough to be one of fewer than a thousand people on earth who have spent time in both Chinese and American frontier labs. I count myself lucky to have visited most of the Chinese and American labs over the last couple of years through various projects, and I do think that this piece of the value of labs is criminally underrated when we’re talking, as Will was, about what can be stolen from Frontier Labs.
I think it’s very important to understand just how electric the experience is of spending time inside of an American AI lab. There’s been much ink spilled this year about the religious connotations of people who work in AI. I really do think the feeling of religiosity you experience inside these labs is a good frame for understanding how devoted the teams are.
This quasi-religious fervor that I feel walking the halls of American frontiers does not exist to the same degree in most of China’s AI labs. Certainly it was present; however, the overwhelming resources that are marshaled to support research in America do not exist in China. I believe firmly that this has to do with export controls, because great research takes resources. In order to feel like you are doing good work, you necessarily need to feel that you have the resources to explore your taste and curiosity. The exact GPU count per researcher is speculative at best. I can only say that I believe there is at least one order of magnitude more compute available to the average person working at OpenAI or Anthropic than at Kimi or DeepSeek. This creates a culture difference; being able to pursue research, taste, and direction freely creates a culture whereby you feel empowered to try things out and work on solutions. Export controls make that culture harder to sustain at comparable scale, because taste-driven exploration depends on slack: spare compute, failed experiments, and the permission to chase ideas that may not pay off this quarter.
When a researcher leaves an American frontier lab and moves back to China, I believe that the culture is one thing they cannot take with them. The incredible youth of Chinese AI labs (it was very normal for us to speak to senior 24-year-old PhD students during our visits) means that the energy of these places is fundamentally different on both sides of the Pacific. I don’t think that you can steal the culture; you can imitate it at best.
tells tells tells
When I line up the tells, the picture is consistent. If the weights had been stolen, the world would look about like it does now, because a model trained on a stolen copy and a model distilled through the API end up in nearly the same place, which is the whole reason weights were the least durable thing to take. In the tooling, the fingerprint a real methods heist would leave is simply not there, and what looks from a distance like a stolen recipe is better explained up close by distilled outputs and very good people rebuilding the work in the open. In talent, the tell is loud, and it cuts the other way: Z.ai and DeepSeek reached the frontier without teams hollowed out of OpenAI or Anthropic, and a lab that gets there with home-grown researchers is not one that needed to steal the recipe.
Culture is the advantage I would bet lasts the longest, even if I won’t put a number of years on it. With the notable exception of DeepSeek, which I’ve heard is a genuinely pleasant place to work, the Chinese labs seem to run on the Jensen ethic of “torturing you into greatness.” They work obscenely hard on limited compute, producing models at a fraction of the West’s resources by working themselves to the bone. That is a different bargain from the one at Anthropic or OpenAI, where the hard work comes wrapped in mind-boggling reward. A culture like that is slow to build and hard to copy, which is why theft is the wrong thing to worry about with it. What could erode it has nothing to do with espionage: if export controls ease and the compute gap closes, the conditions that made the culture possible go with them.
To answer Will, I am ready to change my mind on Chinese infiltration of the West’s stack when I see recipes reproduced a little too precisely, efficiency leaps derived from closed-source methodology changes, or tooling that is kept closed while it opens up everything else. I’ll be watching Slime closely and consulting with my technical friends to understand if that will ever be a “tell.”
Concerned, however, that a natural convergence on the optimal methods will end up looking virtually indistinguishable from brazen theft.
the molehunt
I want to end with James Angleton, who ran counterintelligence at the CIA for two decades and spent most of them certain that a Soviet mole was hidden somewhere inside the agency. He never found the mole he imagined. What the hunt turned up instead was everyone else, careers frozen and loyal officers accused on no evidence, whole operations abandoned because the man in charge trusted his theory more than he trusted his own people. The real moles, when they finally surfaced, were never the work of his intuition. Aldrich Ames, years later, was caught the dull and reliable way, by a bank balance that did not match a government salary and a house he had no business affording, the kind of concrete tell a man chasing a phantom never has the patience to check.
The Chinese spy theory has a little Angleton in it. It is a suspicion that cannot really be proven or disproven, and it runs on the certainty that the enemy is already inside. I find myself wondering what it is like to be a Chinese researcher at an American lab right now, feeling that suspicion settle on you for nothing you have done, and I think most of the cost of getting this wrong gets paid by people who earned none of it.
I think Will is right that the security at these labs could be better, and that some access is probably happening. I am sure some Slack screenshots have made the trip across the Pacific. Where I part from him is the jump from access to methods leaving the building en masse, because if those methods were the crucial thing, the people who hold them would be leaving a great deal faster than they are.
We are entering an era where being an American citizen will matter, and federal policy is already enforcing it. This month the U.S. government directed Anthropic to suspend Fable 5 and Mythos 5 for any foreign national, including its own foreign-national employees, while leaving its other models untouched, and in July the company starts asking ordinary users for a government ID and a face scan to prove who they are. That verification layer will get pulled into the same game as everything else, one more step in the delicate architecture labs everywhere use to stay a move ahead of each other’s security teams.
Last year the AI companies had a choice. Wrap yourself in the flag, or get wrapped in the flag. They managed neither, which is the worst outcome on the board. They embraced it too little to get any credit for it, alienated millions of Americans with their sycophancy in the meantime, and are now about to have the hammer of national security regulation come down on them anyway. If only we had a better model for sycophancy....
sources (AI generated)
Distillation at scale — Anthropic, Detecting and preventing distillation attacks (Feb 2026): DeepSeek, Moonshot, and MiniMax ran 16M+ Claude conversations across ~24,000 fraudulent accounts. https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks
Models that answer “ChatGPT” — Why DeepSeek’s new AI model thinks it’s ChatGPT, TechCrunch (Dec 2024). https://techcrunch.com/2024/12/27/why-deepseeks-new-ai-model-thinks-its-chatgpt/
On distillation — Nathan Lambert, How much does distillation really matter for Chinese LLMs? (Interconnects).
Weights vs API distillation (white-box vs black-box) — A Comprehensive Survey on Knowledge Distillation, arXiv:2503.12067; Universal Logit Distillation Loss, arXiv:2402.12030. Reasoning traces are deliberately summarized: TechCrunch on the o-series chain of thought, https://techcrunch.com/2025/02/06/openai-now-reveals-more-of-its-o3-mini-models-thought-process/
GLM-5.2 ties Opus on physics — Z.ai, GLM-5.2 release (benchmark: CritPt). https://z.ai/blog/glm-5.2
Slime — THUDM/slime, GitHub (Apache-2.0). https://github.com/THUDM/slime · SGLang origin (UC Berkeley / Stanford / LMSYS): https://en.wikipedia.org/wiki/SGLang
Linwei Ding — DOJ, Former Google Engineer Found Guilty of Economic Espionage and Theft of Confidential AI Technology (Jan 2026). https://www.justice.gov/opa/pr/former-google-engineer-found-guilty-economic-espionage-and-theft-confidential-ai-technology
“Half of AI researchers are Chinese” — Jensen Huang, via CNBC (Oct 2025). https://www.cnbc.com/2025/10/08/nvidia-huang-ai-race-china-us-trump.html
Chinese share of NeurIPS authorship — MacroPolo, Global AI Talent Tracker 3.0 (NeurIPS 2024: 38% undergrad-in-China, up from 29% in 2019). https://archivemacropolo.org/interactive/digital-projects/the-global-ai-talent-tracker/
Talent moves (Yao Shunyu, Wu Yonghui, ~85 researchers) — implicator.ai; CNBC (Jun 2026). https://www.implicator.ai/chinas-ai-talent-is-going-home-the-real-blow-is-the-students-who-stopped-leaving-2/ · https://www.cnbc.com/amp/2026/06/05/china-may-move-toward-us-path-on-ai-as-firms-poach-employees.html
California non-competes — Cal. Bus. & Prof. Code §16600. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=16600.&lawCode=BPC
Jensen’s “pain and suffering” — CNBC, Stanford (Mar 2024). https://www.cnbc.com/2024/03/15/nvidia-ceo-huang-at-stanford-pain-and-suffering-breeds-success.html
Angleton & Ames — James Jesus Angleton (Wikipedia); Aldrich Ames (FBI). https://en.wikipedia.org/wiki/James_Jesus_Angleton · https://www.fbi.gov/history/famous-cases/aldrich-ames
Export-control directive — Anthropic, Fable 5 and Mythos 5 access (Jun 12, 2026): the U.S. government directed suspension of Fable 5 and Mythos 5 for any foreign national, including foreign-national employees; other models unaffected. https://www.anthropic.com/news/fable-mythos-access
Identity verification — government ID + live selfie; limited rollout from Apr 14, broad consumer rollout from Jul 8, 2026. Anthropic Help Center: https://support.claude.com/en/articles/14328960-identity-verification-on-claude · https://www.techtimes.com/articles/318778/20260621/claude-identity-verification-starts-july-8-what-facial-data-anthropic-collects.htm