Anthropic Accuses Alibaba of Largest Known Claude Distillation Attack
Anthropic has accused Alibaba of running a large unauthorized campaign to extract capabilities from Claude, calling it the largest known distillation attack against its platform.
According to a Reuters report, Anthropic made the allegation in a June 10 letter sent to U.S. Senators Tim Scott and Elizabeth Warren, the chair and ranking member of the Senate Banking Committee.
Anthropic said the campaign ran from April 22 to June 5, 2026, and generated more than 28.8 million exchanges with Claude through almost 25,000 fraudulent accounts.
What Anthropic says Alibaba did
The company alleged that operators affiliated with Alibaba and Alibaba Qwen, Alibaba’s AI lab, used the accounts to harvest Claude’s advanced capabilities. The letter said the campaign targeted areas such as software engineering and agentic reasoning.
Anthropic framed the activity as adversarial distillation. Distillation can be legitimate when a company trains smaller models from its own systems, but it becomes controversial when one company uses another company’s model outputs without permission.
Anthropic has warned about this risk before. In a February post on detecting and preventing distillation attacks, the company said DeepSeek, Moonshot AI, and MiniMax generated more than 16 million Claude exchanges through about 24,000 fraudulent accounts.
| Alleged campaign | Company named by Anthropic | Reported scale | Period |
|---|---|---|---|
| Latest Claude distillation allegation | Alibaba and Alibaba Qwen | More than 28.8 million exchanges and almost 25,000 fraudulent accounts | April 22 to June 5, 2026 |
| Earlier Claude distillation disclosure | DeepSeek, Moonshot AI, and MiniMax | More than 16 million exchanges and about 24,000 fraudulent accounts | Disclosed in February 2026 |
Why distillation is becoming an AI security issue
Model distillation means training a smaller or less capable model on outputs from a stronger model. In ordinary machine learning, companies use it to make faster or cheaper versions of their own models.
The concern here is unauthorized extraction. If attackers use thousands of accounts to query a frontier model at scale, they may be able to copy parts of its behavior without paying the full cost of research, training, and safety testing.
Anthropic’s February distillation post also argued that illicitly distilled models may lack the safeguards present in the original systems. That turns the issue into a security and policy problem, not only a commercial dispute.
What the letter says about Mythos Preview
The latest accusation also connects the alleged Alibaba campaign to Anthropic’s advanced Mythos Preview capabilities. Anthropic told lawmakers that distillation could help Chinese AI labs move faster toward those capabilities.
The company has described Mythos-class systems as especially sensitive because of their advanced reasoning and cybersecurity potential. That context makes the allegation more important for Washington, where AI model access has already become part of export-control policy.
Reuters separately reported that the Commerce Department issued an order restricting foreign-national access to Fable 5 and Mythos 5, leading Anthropic to disable access globally for those top-tier models while it worked through compliance.
How the U.S. government is responding
The White House had already warned about adversarial distillation before Anthropic’s Alibaba letter. In an April 23 memo titled Adversarial Distillation of American AI Models, the Office of Science and Technology Policy said foreign entities, principally based in China, were conducting industrial-scale campaigns against U.S. frontier AI systems.
The memo said attackers use proxy accounts and jailbreaking techniques to extract capabilities from American models. It also directed the government to share information with U.S. AI companies, support private-sector coordination, develop best practices, and explore accountability measures.
Those policy efforts are now reaching Congress. A Bloomberg report carried by The Edge Singapore said Senators Bill Hagerty and Andy Kim planned an amendment to defense legislation that could blacklist or sanction Chinese firms found improperly accessing U.S. AI model outputs to train competing systems.
- Anthropic wants stronger threat-intelligence sharing among U.S. AI companies.
- The White House has framed adversarial distillation as a national security issue.
- Lawmakers are considering sanctions or blacklisting tools for improper model-output extraction.
- Export controls are expanding from chips toward access to advanced AI models.
Alibaba faces broader U.S. pressure
Alibaba is already under scrutiny in Washington. Reuters said the company was added this month to the Pentagon’s Chinese military companies list, a designation Alibaba is challenging.
Alibaba did not immediately respond to Reuters’ request for comment on Anthropic’s accusation. The allegation remains a claim made by Anthropic in a letter, not a legal finding by a court or public enforcement decision.
The Bloomberg report also noted that the proposed Senate response may not make it into the final defense bill, so the legislative path remains uncertain.
Why this matters for AI companies
The dispute shows how frontier AI companies now treat model-output access as part of their security perimeter. Account creation, API traffic patterns, prompt behavior, and proxy networks can all become evidence in a suspected extraction campaign.
For companies building AI products, the case also shows why terms of service alone may not stop large-scale misuse. Platforms need fraud detection, model-output monitoring, rate-limit enforcement, customer verification, and cross-company intelligence sharing.
For governments, the challenge is harder. Distillation sits between cybersecurity, trade secrets, export controls, and competition policy, which makes enforcement difficult when the alleged actors sit outside U.S. jurisdiction.
| Issue | Why it matters |
|---|---|
| Fraudulent accounts | They can hide industrial-scale querying behind normal-looking user activity. |
| Proxy infrastructure | It can mask the source of traffic and make attribution harder. |
| Agentic reasoning extraction | It may help rivals copy advanced task-planning behavior. |
| Safety guardrail loss | Illicitly trained models may not preserve the original model’s protections. |
| Policy response | Governments may treat repeated extraction as a national security risk. |
Fable 5 and Mythos 5 restrictions add pressure
The Alibaba allegation arrived in the same month that Anthropic faced a separate clash with the U.S. government over access to its most advanced models. Reuters reported that Anthropic disagreed with the directive but disabled access to Fable 5 and Mythos 5 globally to comply.
The Fable 5 and Mythos 5 access dispute shows how fast AI security concerns are moving from company policy into national-security regulation.
Anthropic said the government order stemmed from concern over a potential jailbreak that could allow Fable 5 to help identify software vulnerabilities. The company said it believed there was a misunderstanding and said it was working to restore access.
What happens next
The immediate question is whether U.S. agencies or lawmakers will act on Anthropic’s allegations against Alibaba. Any move toward sanctions, blacklisting, or new export controls would raise the stakes for AI competition between the U.S. and China.
Another question is whether other frontier AI labs will report similar large-scale extraction attempts. Anthropic, OpenAI, and Google have already been moving toward greater information sharing around suspected distillation campaigns.
The White House distillation memo makes clear that Washington now sees unauthorized model extraction as more than a business dispute. It treats the practice as a threat to American AI leadership, innovation, and national security.
For now, Anthropic’s accusation adds another flashpoint to an already tense AI race. The outcome may shape how AI companies police model access, how governments define AI theft, and how quickly export controls expand from hardware to model capabilities.
The broader lesson from the foreign access restrictions is that frontier AI models are no longer treated only as commercial software. They are increasingly viewed as strategic assets that governments want to monitor, restrict, and protect.
FAQ
Anthropic accused Alibaba-linked operators of using almost 25,000 fraudulent accounts to generate more than 28.8 million Claude exchanges in an alleged unauthorized distillation campaign.
An AI distillation attack is an alleged unauthorized effort to train a model using outputs from a more advanced model. Distillation itself can be legitimate, but it becomes a security and intellectual property issue when used to copy another company’s model capabilities without permission.
Anthropic said the alleged campaign ran from April 22 to June 5, 2026, involved almost 25,000 fraudulent accounts, and generated more than 28.8 million exchanges with Claude.
Reuters reported that Alibaba did not immediately respond to a request for comment. The accusation remains Anthropic’s allegation unless regulators, courts, or Alibaba provide further public findings or responses.
U.S. lawmakers and officials are concerned that adversarial distillation could let foreign competitors copy frontier AI capabilities at lower cost, bypass safety guardrails, and weaken export controls designed to protect advanced U.S. technology.