No passwords were stolen. No servers were breached. But Anthropic says Alibaba pulled off the largest AI theft in history — and all they needed was 25,000 fake accounts and six weeks of access to Claude.
In a letter dated June 10, 2026, sent to US Senate Banking Committee Chairman Tim Scott and Ranking Member Elizabeth Warren, Anthropic accused Alibaba and its Qwen AI lab of conducting what it calls “the largest known distillation attack on Anthropic to date.” The campaign involved approximately 25,000 fraudulent accounts running 28.8 million exchanges with Claude between April 22 and June 5, 2026. The letter, first reported by Bloomberg and confirmed by CNBC on June 25, is now public — and it is reshaping how the AI industry thinks about model theft.
Key highlights
- Alibaba used 25,000 fake accounts to run 28.8 million conversations with Claude over six weeks
- The targeted capabilities: agentic reasoning, software engineering, and long-horizon task completion
- Anthropic told US senators this constitutes a national security threat, not just an IP violation
- The attack used distillation — collecting Claude’s outputs to train Alibaba’s own Qwen model
- Anthropic is pushing for export controls on AI model access, not just hardware
- This is the first time a major AI lab has formally accused a foreign government-linked company of AI model theft at this scale
What is a distillation attack — and why is it so hard to stop?
Model distillation is a legitimate AI training technique where a smaller or weaker model is trained using the outputs of a larger, more capable one. It is used openly inside companies all the time. What Alibaba allegedly did takes the same technical concept and weaponises it: instead of using your own model’s outputs, you send carefully crafted prompts to a competitor’s model at massive scale, collect all the responses, and use those responses as training data.
The attacker interacts with Claude exactly as a legitimate user would. No code is stolen. No firewall is breached. The only signal that something is wrong is the volume and pattern of requests — which is exactly why 25,000 separate accounts were used to stay under detection thresholds.
The specific capabilities Alibaba reportedly targeted — agentic reasoning, software engineering, and long-horizon task planning — happen to be precisely the areas where Claude leads competing models. These are also the capabilities that took Anthropic billions of dollars in compute and years of research to develop. By extracting them through distillation, Alibaba could theoretically close that gap at a fraction of the cost.
Anthropic’s argument: this is a national security issue, not just IP theft
Anthropic’s letter does not frame this primarily as intellectual property theft, even though that is what it appears to be on the surface. Instead, Anthropic argues the threat is geopolitical. The letter states: “These distillation attacks turn hundreds of billions of dollars in American investment and R&D into a massive subsidy for our geopolitical competitors.”
The distinction matters because it shapes what kind of government response Anthropic is asking for. The company is pushing for export controls on AI model access — not just hardware like Nvidia GPUs, which the US already restricts for export to China. Anthropic also wants mandatory screening of high-volume API usage patterns and coordinated monitoring between AI labs and government to detect and respond to future campaigns.
The framing is deliberate. By going to the Senate Banking Committee — which oversees financial sanctions — rather than the Commerce Department or intelligence committees, Anthropic is signalling it wants economic tools like sanctions and access restrictions, not just regulatory guidance.
Real-world impact: who gets affected?
For AI developers and enterprises, the Alibaba attack has two immediate implications.
First, API rate limiting and account verification are likely to get stricter across all major AI providers. If Anthropic tightens access controls in response to this attack — requiring more robust identity verification, monitoring for unusual query patterns, or limiting high-volume API access from certain regions — that affects every legitimate high-volume user, from startups to enterprise teams running automated workflows.
Second, the distillation attack raises a harder question for the industry: if a sufficiently motivated actor can replicate a frontier model’s capabilities simply by querying it at scale, what does that mean for the competitive moat AI companies claim to have? The answer is uncomfortable — model capabilities alone are not a defensible asset if they can be extracted through the API. The defensible assets are the infrastructure, the safety work, the deployment trust, and the ongoing research pipeline.
AI4Planet analysis
Anthropic’s Senate letter is a significant escalation, but it is also strategic timing. The company filed its IPO registration statement at a $965 billion valuation the same week this letter went public — and an IPO filing makes national security positioning very useful. A company that frames itself as protecting American AI leadership is a different investment story than one that simply makes a competitive AI product.
That said, the underlying technical claim appears credible. Distillation attacks are real, they have been documented before at smaller scales, and the specific signature Anthropic describes — 25,000 accounts, systematic query patterns targeting specific capability domains — is consistent with an organised extraction campaign rather than organic usage.
The harder policy question is whether access controls on AI models are even enforceable. Unlike chip export controls — where physical hardware creates a chokepoint — API access is software-based and routinely circumvented by determined actors using VPNs, third-party accounts, and distributed infrastructure. Anthropic’s proposed solutions may raise the cost of future attacks without eliminating them entirely.
Final thoughts
The Alibaba distillation attack — if confirmed — is a turning point for how AI companies think about their competitive moat. Capabilities can be extracted. What cannot be extracted so easily is trust, safety infrastructure, enterprise relationships, and the engineering culture that produces the next model. Those are the assets that actually matter.
Watch for two things: whether Congress responds to Anthropic’s push for model-access export controls, and whether other AI labs — OpenAI, Google — file similar disclosures or quietly tighten their own API monitoring. If Alibaba did this to Claude, it almost certainly tried the same with other frontier models.
Frequently asked questions
Q: What is a model distillation attack?
A: A distillation attack involves sending large volumes of carefully crafted prompts to a rival AI model, collecting all the outputs, and using those outputs to train your own model. No hacking is involved — the attacker simply uses the target model as a normal user would, at massive industrial scale.
Q: Did Alibaba hack Anthropic?
A: No. According to Anthropic’s letter, Alibaba used 25,000 fraudulent user accounts to interact with Claude through normal API access. No systems were breached. The attack exploited access, not a security vulnerability.
Q: What capabilities did Alibaba target?
A: Anthropic alleged the campaign specifically targeted Claude’s agentic reasoning, software engineering, and long-horizon task completion abilities — the areas where Claude leads competing models including Alibaba’s own Qwen series.
Q: What is Anthropic asking the US government to do?
A: Anthropic is pushing for export controls on AI model access (not just hardware), mandatory screening of high-volume API usage, and coordinated monitoring between AI labs and government to detect future distillation campaigns.
Q: Has Alibaba responded to the accusations?
A: As of June 28, 2026, Alibaba has not issued a public statement responding to Anthropic’s letter to the US Senate.
Q: Could this affect my API access to Claude?
A: Potentially yes. In response to this type of attack, Anthropic may tighten identity verification, implement stricter rate limiting, or restrict API access from certain geographies. Legitimate high-volume enterprise users may face additional friction.
Q: Is distillation always illegal?
A: Not inherently. Using your own model’s outputs to train a smaller version is a common and legal practice. What Anthropic alleges — using fraudulent accounts to systematically extract a competitor’s model capabilities — would likely constitute a violation of Anthropic’s terms of service and potentially US computer fraud or trade secret law, but the legal framework for AI model theft at this scale is still developing.
Tags: Alibaba Claude distillation attack, Anthropic Alibaba Qwen AI theft, AI model distillation explained, Anthropic Senate letter 2026, AI export controls China, Claude API security, Qwen AI training data, AI national security 2026

