Anthropic has formally accused Chinese tech giant Alibaba of orchestrating the single largest known AI model distillation attack ever directed at the company - a coordinated, six-week extraction campaign that generated nearly 29 million exchanges with its Claude AI system through tens of thousands of fake accounts. The accusation, detailed in a confidential letter sent to U.S. Senate leaders and White House officials on June 10, marks a sharp escalation in what American AI companies are increasingly framing as state-linked industrial espionage against frontier AI technology.
Alibaba has not responded to requests for comment.
28.8 Million Queries, 25,000 Fake Accounts: The Numbers Behind the Attack
The scale of what Anthropic is describing is hard to ignore. Between April 22 and June 5, 2026, operators allegedly linked to Alibaba and its AI research division, Alibaba Qwen, used approximately 25,000 fraudulent accounts to conduct 28.8 million interactions with Claude. That is roughly 462,000 queries per day, sustained across 44 consecutive days.
This was no passive probe.
Anthropic's letter, addressed to Senate Banking Committee Chair Tim Scott (R-SC) and Ranking Member Elizabeth Warren (D-MA), describes what it calls "the largest known distillation attack on Anthropic to date." The targeted capabilities were specific and deliberate: software engineering and agentic reasoning - the precise skills that power Claude's ability to plan and execute complex, multi-step tasks autonomously. These are also the capabilities at the commercial core of Anthropic's advanced Mythos Preview model.
The method used, known as adversarial distillation, does not require stealing source code or model weights. Instead, attackers craft carefully designed queries, collect the AI's responses at massive scale, and use that data to train their own, cheaper model to replicate the behavior of the more powerful one. The original model's years of training and billions in R&D investment effectively become free raw material for a competitor.
What "Distillation" Actually Means - and Why It's Difficult to Stop
Distillation, in the AI industry's legitimate usage, is a well-established technique for compressing knowledge from a large, expensive model into a smaller, more efficient one. Companies use it internally all the time. The adversarial version of it - where that knowledge is extracted without authorization, from a competitor - occupies a legal and technical gray area that has proven maddeningly difficult to police.
Unlike a traditional data breach, no firewall was circumvented. No server was hacked. The attackers simply used Claude the way any user would, except they did so across 25,000 accounts, at industrial volume, with queries designed to extract the model's deepest reasoning patterns.
Anthropic noted in its letter that models built through adversarial distillation typically lack the safety guardrails engineered into the original system. A Claude-derived model built this way would carry frontier-level software engineering capabilities without the safety architecture Anthropic spent years developing. For a model intended for use in agentic tasks - where an AI autonomously executes code, manages workflows, and operates across tools - that gap is a national security concern, not just a commercial one.
A Pattern That Has Been Accelerating Since January 2025
This is not the first time Anthropic has raised this alarm. In February 2026, the company publicly disclosed a separate wave of distillation campaigns tied to three Chinese AI startups: DeepSeek, Moonshot AI, and MiniMax. DeepSeek's operation generated over 150,000 Claude exchanges. Moonshot AI's campaign produced more than 3.4 million. MiniMax ran the largest of the three at over 13 million interactions, with all three collectively operating through approximately 24,000 fake accounts.
The Alibaba campaign, at 28.8 million exchanges, now exceeds that entire February disclosure on its own.
DeepSeek's January 2025 model release had already rattled global AI markets with its surprisingly strong performance at a fraction of the development cost Western labs had spent. Anthropic's February letter suggested that low cost was at least partially explained by extracting capabilities from systems like Claude rather than developing them independently.
Anthropic now names four Chinese AI operators - DeepSeek, Moonshot AI, MiniMax, and Alibaba Qwen - as having conducted distillation campaigns against its platform, each case escalating in both scale and the prominence of the actor involved.
Alibaba's Compounding Washington Problem
The distillation accusation arrives at a fraught moment for Alibaba in Washington.
On June 8, the Pentagon added Alibaba to its list of Chinese military companies - a designation that carries significant implications for U.S. government contractors and investors. Alibaba immediately filed suit against the Defense Department, calling the label factually and legally baseless and arguing it has no military affiliation.
Days later, Anthropic's letter became public, accusing Alibaba of a coordinated intellectual property extraction campaign against one of the U.S. government's most strategically important AI companies. Alibaba's American depositary receipts fell roughly 3% on the news Wednesday, dipping below $100 in afternoon trading. The stock has lost over 32% year-to-date.
The two cases together - Pentagon blacklist and AI theft accusation - frame Alibaba not merely as a Chinese company subject to trade friction, but as a company allegedly engaged in active, ongoing efforts to acquire U.S. military and technological assets by other means.
Alibaba has so far said nothing publicly about the distillation claims.
Washington Moves Toward Legislation - With Complications
The letter was timed deliberately. Anthropic sent it to Scott and Warren on June 10, ahead of a scheduled Senate Banking Committee hearing on AI. By routing its accusations through Congress rather than simply updating its terms of service or pursuing civil litigation, Anthropic is signaling that the distillation problem has outgrown what any individual company can address through platform enforcement alone.
Anthropic's ask of lawmakers is specific: clarify antitrust guidelines so that U.S. AI companies can legally share more information about distillation attempts with each other; expand export controls on advanced AI chips; and create formal penalties for firms that use adversarial distillation to acquire competitor capabilities.
The legislative response was swift. Senators Bill Hagerty (R-TN) and Andy Kim (D-NJ) announced plans to introduce a bipartisan amendment to must-pass defense legislation that would blacklist or sanction any Chinese firm found to be improperly accessing U.S. AI model outputs. A parallel bipartisan effort in the House, backed by Representatives Bill Huizenga and Sydney Kamlager-Dove, is also under consideration. Whether either provision survives to the final version of the defense bill remains uncertain.
Anthropic, OpenAI, and Alphabet's Google have already begun coordinating through a private information-sharing arrangement to track and document distillation attempts that violate their respective terms of service.
Anthropic's Own Policy Complications
Anthropic's position as a victim of foreign AI extraction is somewhat complicated by its own entanglement with the Trump administration's export control apparatus.
On June 12, two days after Anthropic sent its letter to Congress, the Commerce Department imposed export restrictions on Anthropic's two most advanced models, Fable 5 and Mythos 5. The directive, citing concerns that the models could be accessed by military or intelligence users in China and other countries of concern, effectively required Anthropic to shut off access to both models globally - including for the company's own non-U.S. employees.
The restrictions remain in place. Meetings between Anthropic's technical leadership and White House officials have produced little resolution. Reports indicate that negotiations shifted after CEO Dario Amodei stepped back and co-founder Tom Brown took over those discussions, though the access blackout has not been lifted.
The result is a company simultaneously arguing to Congress that China is stealing its AI capabilities, and arguing to the White House that U.S. export restrictions are preventing it from running its own business. Both disputes are real. Both are unresolved.
What's at Stake as Anthropic Heads Toward an IPO
The financial backdrop to all of this matters. Anthropic filed confidentially for an initial public offering this month at a reported valuation of $965 billion, following a $65 billion Series H funding round. U.S. officials have estimated that unauthorized distillation campaigns cost Silicon Valley AI labs billions of dollars cumulatively, and for a company preparing to go public, the threat of cheaper Chinese imitations built on extracted Claude capabilities is a material business risk, not just a geopolitical one.
The accusation against Alibaba reframes that risk in the starkest terms possible. Anthropic is telling Congress, the White House, and eventually the public markets that the frontier AI capabilities it is preparing to monetize are being systematically copied - at industrial scale, by major Chinese technology companies, and through methods that current law does not clearly prohibit.
The Hagerty-Kim amendment's fate in the defense bill will be one of the first concrete tests of whether Washington is prepared to treat adversarial AI distillation as a statutory violation rather than a terms-of-service problem. If it passes, it would establish a formal legal mechanism to penalize Chinese firms for extraction campaigns that have, until now, existed in regulatory no-man's-land.
If it doesn't, the message to China's AI industry will be equally clear.
Comments 0
Join the discussion and share your perspective.
Sign in to post a comment and reply to other readers.
No comments yet
Be the first to share your perspective on this article.