What did Anthropic accuse Alibaba of doing?
Anthropic accused Alibaba's Qwen AI lab of running 28.8 million exchanges through its Claude model using nearly 25,000 fraudulent accounts. The company called it the largest known distillation attack on Anthropic to date. Anthropic detailed the operation in a letter sent to US senators and White House officials, first reported by Bloomberg News.
Adversarial distillation is a technique where one AI lab sends massive volumes of queries to a competitor's model and uses the responses to train its own model — at a fraction of the normal research and development cost.
How big was the Alibaba distillation campaign?
The scale was significant. Here is what Anthropic's letter described:
| Detail | Figure |
|---|---|
| Timeline | April through June 2026 |
| Total exchanges with Claude | 28.8 million |
| Fraudulent accounts used | ~25,000 |
| Characterization | Largest known distillation attack on Anthropic |
Anthropic noted the campaign mirrors similar operations it flagged earlier in 2026 involving other Chinese developers.
What happened in earlier distillation attacks on Claude?
This was not the first time Anthropic raised the alarm. In February 2026, Anthropic accused three Chinese AI labs — DeepSeek, Moonshot, and MiniMax — of running separate distillation campaigns against Claude, as CyberScoop reported.
Those three campaigns combined for 16 million exchanges and used 24,000 fraudulent accounts. The breakdown by lab:
You might also like
- DeepSeek: 150,000 exchanges
- Moonshot: 3.4 million exchanges
- MiniMax: 13 million exchanges
Anthropic said all three campaigns "followed a similar playbook, using fraudulent accounts and proxy services to access Claude at scale while evading detection."
Why does Anthropic say this is a national security problem?
Anthropic argues that models copied through distillation lack the safety guardrails built into the original. The company wrote in its letter to the Trump administration: "These attacks are carried out illicitly, systematically, and at industrial scale to harvest US AI capabilities across frontier labs and repackage them as their own without incurring the training and R&D costs."
The company warned that foreign labs could feed these unprotected capabilities into military, intelligence, and surveillance systems. Anthropic specifically flagged risks including offensive cyber operations, disinformation campaigns, and mass surveillance.
Gal Elbaz, co-founder and CTO of Oligo Security, told CyberScoop: "The scary part is, you can take all of the power and unleash it, because you don't have anyone that actually enforces those guardrails on the other side."
Because Anthropic explicitly blocks its products from being accessed in China, the alleged campaign also represents a direct violation of its terms of service and regional access restrictions.
What did Anthropic ask the US government to do?
Anthropic urged Washington to implement stricter guardrails to halt distillation attacks. The company paired its February 2026 revelations about DeepSeek, Moonshot, and MiniMax with a call for stronger export controls, per Anthropic's own blog post on detecting and preventing distillation attacks.
Anthropic is not alone in raising this concern. OpenAI has also accused DeepSeek of using distillation techniques against its models.
How did markets react to the Alibaba accusation?
Alibaba shares (NYSE: BABA) fell 3% on Wednesday following the reports. The stock drop came after Bloomberg News published details from Anthropic's letter to US policymakers, as Investing.com reported.
Here's what we know so far: Alibaba has not publicly responded to Anthropic's specific accusations, and CyberScoop noted it could not immediately reach the Chinese labs for comment on the earlier February claims.
What makes distillation attacks different from normal AI training?
Distillation can be a legitimate training method, Anthropic acknowledged. The problem is using it as a shortcut to extract a competitor's capabilities without permission. Gal Elbaz of Oligo Security described it as stealing intellectual property, computing power, and effort.
The campaigns targeting Claude were identifiable because "the volume, structure, and focus of the prompts were distinct from normal usage patterns, reflecting deliberate capability extraction rather than legitimate use," Anthropic said.
This case connects to broader debates about AI global standards and how frontier AI labs protect their models across borders. It also raises questions that AI policymakers — including those discussing AI governance at G7 — are actively working through. As public awareness of AI risks grows, Pew's 2026 survey data on AI trust shows Americans are already uneasy about how fast the technology is moving.
Anthropic has called on cloud providers, industry peers, and policymakers to coordinate a response to distillation attacks. The company's letter to US senators and White House officials represents its most direct appeal to date for government action on the practice.
0 Comments
Log in to comment
Not a member yet? Join the community
Pick a meme
KlipyHave a great take?
Drop your email — we'll send a magic link so you can post it. No password.
Not a member of the community? Join today.
Join the community →