2026-04-25 | Tags: distillation attacks, China AI, AI policy, DeepSeek, US China tech war, AI security, Helen Toner, AI chip export controls

China Bypassed U.S. AI Chip Bans With Distillation Attacks

China used distillation attacks to copy U.S. AI models without chips. Helen Toner warned the Senate on April 22, 2026 — and no current U.S. law stops it.


The United States spent three years building an export control regime to keep advanced AI chips out of China. On April 22, 2026, Georgetown researcher Helen Toner told the Senate Judiciary Committee that the chip restrictions may have been solving the wrong problem: China had already learned to replicate U.S. AI model capabilities using distillation attacks — no restricted hardware required.

A distillation attack is a technique where one AI model learns by imitating the outputs of another, without ever accessing the original's internal code or parameters. Toner's Senate testimony marks the first time this specific threat has been formally named before Congress.

How Distillation Attacks Actually Work

Building a frontier AI system — the kind that rivals GPT-4 or Claude 3 — normally requires thousands of specialized graphics processors (GPUs) running for months at a cost of tens of millions of dollars. U.S. export controls, first enacted in October 2022 and tightened again in October 2023, aim to block China from buying those processors.

But there is a shortcut that sidesteps the hardware entirely. If you cannot build the model yourself, you can copy one that already exists — not the code, but the behavior. Here is how distillation attacks work in practice:

  1. Query at scale: Send tens of millions of questions to a publicly available AI model through its official API (the interface that lets developers access the model over the internet)
  2. Collect outputs: Save every response — those answers become your training dataset
  3. Train a local copy: Feed those collected responses to a smaller "student" model, teaching it to mimic the "teacher" model's answers
  4. Iterate: Repeat across multiple models, domains, and question types until the student matches the teacher's performance across benchmarks

The resulting model inherits the original's capabilities — reasoning ability, coding skill, language understanding — without the attacker ever accessing proprietary weights (the numerical parameters, numbering in the billions, that define how an AI thinks) or the original training data. Because API (application programming interface) queries are standard commercial activity, no export law is broken at any step.

[Image: U.S.-China AI competition: distillation attacks bypass chip export controls]

The Senate Hearing: "Stealth Stealing"

The April 22 hearing before the Senate Judiciary Committee was titled "Stealth Stealing: China's Ongoing Theft of U.S. Innovation." Toner testified as Interim Executive Director of CSET (Georgetown University's Center for Security and Emerging Technology — a non-partisan research institute founded in 2019 specifically to advise policymakers on AI and national security).

Her testimony linked distillation attacks to a broader, systematic pattern: Chinese AI firms methodically copying U.S. innovations, not through hacking or direct infiltration, but through the legal and commercially available outputs of U.S. models. The core problem she identified is a legal blind spot: current U.S. intellectual property (IP) law was written before generative AI existed. It protects source code, patents, and trade secrets — but not model behavior. Distillation attacks exploit this gap by targeting the one thing that is legally unprotected: the answers a model gives.

The DeepSeek Precedent

The vulnerability Toner described is not theoretical. In January 2025, DeepSeek R1 — a Chinese AI model — emerged as a credible rival to GPT-4-class systems, reportedly trained for approximately $6 million, compared to the $100 million or more that comparable U.S. systems typically cost to develop. OpenAI publicly accused DeepSeek of using its model outputs without authorization to bootstrap that training. DeepSeek denied the accusation, but the episode made the technical threat suddenly concrete for U.S. lawmakers who had assumed chip export controls were sufficient.

Toner's testimony argues that this cost gap may not reflect an engineering breakthrough: systematic distillation from U.S. models, run continuously across multiple systems simultaneously, can compound capability advantages faster than any compute restriction can contain.

[Image: Helen Toner testifying on AI distillation attacks and IP theft before the Senate Judiciary Committee, April 22, 2026]

Why AI Chip Export Controls Are Necessary but Not Sufficient

Export controls restrict training — the expensive, hardware-intensive process of building a model from scratch. Distillation attacks exploit inference (running an already-trained model to generate a single response), which requires dramatically less compute and is commercially available to anyone with an API key and a credit card.

This creates a structural asymmetry that chip restrictions cannot close:

  • U.S. labs spend years and hundreds of millions of dollars training frontier models on restricted hardware
  • Those models are deployed via public API for commercial access at a few cents per query
  • Any actor anywhere in the world can query those APIs and accumulate training data at minimal cost
  • The resulting student model inherits frontier capabilities at near-zero marginal cost
  • The full cycle resets with every new major U.S. model release

Toner's testimony pointed toward two emerging policy directions: strengthening IP law to treat model outputs as legally protectable assets, and implementing behavioral access controls that can detect and block systematic querying patterns. Neither is straightforward. Extending IP protection to outputs would require rewriting decades of copyright and trade secret doctrine. Geographic access controls raise questions about how AI companies would identify users from specific jurisdictions without disrupting legitimate global customers — and without turning compliance into a massive new operational burden.

What This Means for Teams Building with AI Automation Now

For developers and businesses that rely on major AI platforms for AI automation workflows, the Senate testimony has practical implications that extend beyond geopolitics:

Rate limiting is already a de facto first defense. Most enterprise AI providers implement rate limits — caps on how many API requests a single account can make per minute or day. These exist primarily for cost management, but they also significantly raise the cost of collecting the billions of training examples needed for a full distillation attack. If you are building AI-powered products, understanding and monitoring your own API usage patterns is both a cost discipline and a security habit.
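
One way to pair the rate limiting described here with the detection of systematic querying patterns mentioned earlier, as an added example that is not from the original article or any provider's code: a sliding-window limiter that also flags throttled accounts whose prompts almost never repeat. The thresholds, account names and log records are constructed assumptions, and the distinct-prompt heuristic is illustrative rather than a vetted detector.

```python
from collections import defaultdict, deque

WINDOW_S = 3600         # sliding window in seconds (assumed value)
MAX_PER_WINDOW = 100    # per-account request cap per window (assumed value)
MIN_UNIQUE_RATIO = 0.9  # share of distinct prompts treated as harvesting (assumed)

class UsageMonitor:
    """Sliding-window rate limiter that also scores throttled accounts."""

    def __init__(self):
        self.window = defaultdict(deque)  # account -> (timestamp, prompt) pairs
        self.flagged = {}                 # account -> reason for review

    def allow(self, account, ts, prompt):
        q = self.window[account]
        while q and q[0][0] <= ts - WINDOW_S:  # drop requests older than the window
            q.popleft()
        if len(q) >= MAX_PER_WINDOW:
            self._score(account, q)
            return False                  # cap reached: throttle this request
        q.append((ts, " ".join(prompt.lower().split())))  # normalized prompt text
        return True

    def _score(self, account, q):
        # Assumption: product traffic reuses prompts, bulk collection rarely does.
        ratio = len({p for _, p in q}) / len(q)
        if ratio >= MIN_UNIQUE_RATIO:
            self.flagged[account] = f"cap hit with {ratio:.0%} distinct prompts"

def replay(log):
    """Run (timestamp, account, prompt) records through the monitor."""
    mon, denied = UsageMonitor(), defaultdict(int)
    for ts, account, prompt in sorted(log):
        if not mon.allow(account, ts, prompt):
            denied[account] += 1
    return mon.flagged, dict(denied)

def sample_log():
    """Constructed records: three accounts with different usage shapes."""
    log = [(i * 30, "acct-app", f"Summarize ticket category {i % 5}") for i in range(110)]
    log += [(i * 2, "acct-bulk", f"Explain topic number {i} step by step") for i in range(300)]
    log += [(i * 60, "acct-low", f"Draft reply for case {i}") for i in range(20)]
    return log

if __name__ == "__main__":
    flagged, denied = replay(sample_log())
    print("throttled:", denied)
    print("flagged for review:", flagged)
```

Both busy accounts are throttled by the cap, but only the one that never repeats a prompt is flagged, which separates the cost-control signal from the security signal.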

Proprietary data is your real competitive moat. If a competitor can distill your model's public behavior, the lasting advantage comes from fine-tuning (adapting a base model on specialized private data) on datasets they cannot access — internal databases, customer interaction histories, proprietary domain knowledge that is never publicly queryable. The more your model's value derives from non-public data, the harder it is to steal through distillation.

Model watermarking is emerging as a technical countermeasure. Researchers have developed techniques to embed invisible statistical signatures (watermarks) into model outputs — patterns designed to survive the distillation process and identify the original source model in any downstream copy. Several U.S. AI labs are actively investing in watermarking research, though no standardized, production-deployed approach yet exists.

The April 22 Senate hearing is a marker: "distillation attack" now has formal legislative standing in the United States. Expect IP reform targeting AI outputs, and expect major AI platform providers to introduce new access controls over the next 12 to 18 months. For teams building on those platforms, watch for changes to terms of service and API access policies — they are likely to become significantly more restrictive about bulk querying at scale.

Read CSET's full research and testimony documents at cset.georgetown.edu and follow ongoing U.S.-China AI policy developments in our AI automation and policy news feed.
