Anthropic Accuses Alibaba of Largest Known AI Distillation Attack

Anthropic has accused Alibaba of running the largest AI model extraction campaign the company has ever disclosed. In a letter to the US Senate Banking Committee dated June 10 and confirmed by CNBC on June 24, Anthropic alleged that operators affiliated with Alibaba and its Qwen AI lab generated more than 28.8 million interactions with Claude through approximately 25,000 fraudulent accounts between April 22 and June 5, 2026.

How the Attack Worked

Distillation is a machine learning technique in which a smaller model is trained using outputs from a larger, more capable model. In legitimate use, companies distill their own models to create faster, cheaper versions. In adversarial use, the technique allows an attacker to extract the capabilities of a competitor's model without ever accessing its weights or training data.

Anthropic's letter described the Alibaba campaign as a systematic effort to query Claude millions of times using carefully structured prompts. The attackers created approximately 25,000 fraudulent accounts, bypassed geographic restrictions, and ran the operation continuously for six weeks, Cybersecurity Magazine reported.

No passwords were stolen and no firewalls were breached. The attackers used Claude exactly as an ordinary user would, just at a scale that no individual or legitimate enterprise would ever reach. The 28.8 million exchanges produced an estimated 14.4 billion tokens of training data targeting Claude's strongest capabilities.

What They Were Targeting

Anthropic stated that the campaign specifically sought to extract Claude's agentic reasoning, software engineering proficiency, and long-horizon task completion capabilities. Those are precisely the features that distinguish Claude Opus 4.8 and the company's most advanced restricted models from competing systems, Let's Data Science reported.

The targeted capabilities are also among the most commercially valuable in AI-assisted development tools. A distillation dataset of 14.4 billion tokens, carefully curated and focused on a target model's strongest capabilities, could meaningfully improve an existing model family without requiring the attacker to match Anthropic's full training investment, Sesame Disk reported.

The Broader Pattern

This is not the first time Anthropic has disclosed Chinese distillation campaigns. In February 2026, the company announced it had identified three industrial-scale distillation efforts from three other Chinese AI labs: DeepSeek, Moonshot, and MiniMax. At that time, Anthropic published a blog post warning that these campaigns were growing in intensity and sophistication.

The Alibaba campaign dwarfs all three previous disclosures combined in both scale and duration. The 25,000-account operation required significant infrastructure, including email domains, payment methods, IP rotation, session management, and coordination logic, indicating a sustained and well-resourced effort rather than an opportunistic scrape.

Alibaba has not issued a detailed technical rebuttal. The company's shares fell to a 16-month low following the news, Digital Applied reported.

The Legislative Response

The disclosure is already driving legislative action in Washington. Senators Bill Hagerty and Andy Kim are moving to add an amendment to defense legislation that would blacklist or sanction entities conducting large-scale distillation campaigns against US AI companies, CNBC reported.

The geopolitical context matters. Current US export controls target AI hardware shipments and model weight sharing with China. But API-based distillation sits in a legal gray area. The attacker is using a commercial service as intended, just at adversarial scale and with adversarial intent. Existing regulations were not designed to address this attack vector.

The accusation arrives at a sensitive moment for Anthropic. The company confidentially filed for an IPO on June 1 at a valuation approaching $1 trillion, and demonstrating that it can defend its intellectual property from state-affiliated extraction campaigns is directly relevant to investor confidence.

What to Watch

The immediate question is whether Congress acts on the legislative proposals before the end of the current session. The longer-term question is whether the AI industry develops technical defenses against adversarial distillation, such as output watermarking, behavioral fingerprinting, or rate-limiting strategies that can distinguish legitimate high-volume use from systematic extraction, without degrading the experience for ordinary enterprise customers.