Anthropic has formally accused Chinese e-commerce and AI giant Alibaba of orchestrating what it calls “the largest known distillation attack on Anthropic to date” — a systematic campaign to extract the capabilities of its Claude frontier models through nearly 25,000 fraudulent accounts.
In a letter sent to the U.S. Senate Banking Committee on June 10 and subsequently obtained by Reuters, Bloomberg, and the Wall Street Journal, Anthropic detailed an operation it says was conducted by operators affiliated with Alibaba’s Qwen AI lab between April 22 and June 5, 2026. The campaign generated approximately 28.8 million exchanges with Claude — essentially mining the model’s outputs at industrial scale.
Industrial-scale extraction
Model distillation — training a smaller model by having it learn from a larger, more capable teacher — is a legitimate technique when done with one’s own models. What Anthropic describes is something different: using fake accounts to systematically sample outputs from a competitor’s frontier model, across enough task types to build a coverage dataset, without any licensing or public disclosure.
“These distillation attacks are carried out illicitly, systematically, and at an industrial scale to harvest U.S. AI capabilities across frontier labs and repackage them as their own,” Anthropic wrote in the letter, “without incurring the training and R&D costs required to train U.S. frontier models.”
Context: the post-Mythos landscape
The accusation lands in a particularly tense moment. Just weeks earlier, the Trump administration directed Anthropic to suspend access to its most advanced models — Claude Fable 5 and the invitation-only Claude Mythos 5 — for users outside the United States, citing national security and export control concerns. The Alibaba operation allegedly ran right through that period, and Anthropic’s letter frames it as a direct challenge to U.S. export controls on frontier AI.
Broader implications
The attack highlights a fundamental asymmetry in frontier AI security. Every conversation Claude has with a legitimate user looks identical to a conversation with an attacker extracting its capabilities. Anthropic says it detected the fraudulent accounts through behavioral patterns and scale anomalies, but the episode raises uncomfortable questions about how labs can protect their most advanced models when the extraction surface is effectively every API endpoint.
Alibaba has not yet publicly responded to the allegations. Its shares were down approximately 31% year to date as the story broke on June 24. Anthropic, meanwhile, published an accompanying technical post — “Detecting and preventing distillation attacks” — detailing its countermeasures, including account verification, usage pattern analysis, and watermarking techniques.
The story is likely to intensify the ongoing policy debate around AI export controls, and almost certainly won’t be the last distillation battle between U.S. and Chinese AI labs.