Model weights represent the core intellectual property of frontier AI systems—the product of hundreds of millions of dollars in compute and research. Once stolen, weights can be deployed without replicating the training process, making them extremely high-value targets for cyber espionage.

RAND has identified 38 distinct attack vectors for model weight theft, ranging from insider threats to supply chain compromises. As of 2025, most frontier AI labs maintain security below the standards RAND recommends for defending against state-level threats.

Russia currently has no indigenous ability to produce compute, and is entirely reliant on smuggling or Chinese exports for compute. This strictly limits its ability to train models near the frontier of capabilities. One of the greatest possible threat models Russia could pose in a world of very powerful AI would be if it could steal a frontier model, and then prioritise its limited compute resources towards running the maximum number of copies of this model. This would circumvent fundamental limitations on its compute access, and accelerate the full spectrum of its AI efforts. 

Resolution criteria:

This question resolves Yes if, before January 1, 2030, 00:00:00 UTC, a Russian actor is publicly attributed with successfully stealing model weights from a large frontier AI developer.

1. Russian Actor

Must meet BOTH:

A) Russian connection (ANY of):

• Russian intelligence services (FSB, GRU, SVR) or military cyber units

• Known Russian APT groups (APT28, APT29, Sandworm, Turla, etc.)

• Cyber groups identified as Russian, Russia-based, or Russia-sponsored

• Russian nationals or entities conducting the operation

B) Sophistication level:

• Characterized by authoritative sources as APT (Advanced Persistent Threat), sophisticated/advanced cyber actors, nation-state level capabilities, OR capable of complex multi-stage intrusions

Excludes: Actors merely using Russian tools without other Russian connection, or false flag operations

2. Large Frontier AI Developer

Organisation meeting BOTH criteria at time of theft:

Training compute: Trained a model using >10^26 FLOPS (the specific model whose weights were stolen)

Revenue: >$500 million USD annual revenue in the fiscal year of theft or immediately preceding year (parent company revenue counts for subsidiaries)

Likely qualifiers as of 2025: OpenAI, Anthropic, Google DeepMind, Meta, xAI (plus future entrants meeting both thresholds, including Chinese labs)

3. Successful Theft of Model Weights

Qualifies:

• Complete trained parameters of a covered model (>10^26 FLOPS)

• Training checkpoints representing ≥70% completion

Requires: Confirmed exfiltration from target organization (deployment by Russia not required)

Excludes:

• Training data, code, or architectural designs alone

• Weights from models <10^26 FLOPS or from organizations <$500M revenue

• Failed attempts detected before exfiltration

• Legitimately obtained weights (licensing, open releases)

4. Public Attribution Standard

Requires attribution from at least ONE authoritative source:

Tier 1 - Government:

• US, UK, EU member state, or Five Eyes intelligence agencies

• Victim's home country government

• Official sanctions or indictments citing the theft

Tier 2 - Private (requires corroboration):

• Victim organization's official statement, OR

• Major cybersecurity firm (CrowdStrike, Mandiant, Microsoft, Palo Alto, Recorded Future, etc.) report that:

  • Identifies Russian actors and characterizes as sophisticated/APT

  • States model weights specifically were stolen

  • Is corroborated by major news outlet (Reuters, Bloomberg, AP, FT, WSJ, NYT, BBC, WaPo, Guardian)

Tier 3 - Investigative journalism (high bar):

• Major news outlet investigation with multiple independent sources, technical details, explicit Russian actor identification, and on-the-record statements

Must be specific: Attribution must explicitly identify Russian actors (not just "state-sponsored actors" or "Eastern European threat actors")

Timing: Theft and attribution must occur before January 1, 2030. 

Contested attribution: If victim organization explicitly denies theft or Russian attribution, weighs heavily against Yes resolution.

Multiple incidents: Only one theft meeting all criteria needed for Yes.

Retroactive attribution: Earlier thefts attributed during 2025-2030 count if model and organization meet thresholds.

Joint attribution: Russian actors + actors from other countries still counts as Yes.

Weights in development: Stolen training checkpoints count if final model would be >10^26 FLOPS and checkpoint represents ≥70% training completion or frontier capabilities.

Insider threats: Count if attributed to Russian actors acting on behalf of Russian interests (not purely personal gain).

Supply chain attacks: Count if ultimately attributed to Russian actors with successful weight exfiltration.

False flags: Do not count if authoritative sources determine operation falsely attributed to Russia.

Sophistication verification: Met by standard language: APT designation, "sophisticated," "advanced," "nation-state level," or descriptions of complex intrusion tactics.

Compute verification: Prioritize official statements, technical papers, credible third-party estimates (Epoch AI), government assessments. Resolve as Ambiguous if insufficient information. Criteria tracks that under SB53 to give a clearer set of US-based large frontier developers that are the most likely targets.