Anthropic Accuses Alibaba of the Largest Known AI Distillation Attack on Claude

Anthropic accuses Alibaba of orchestrating the largest known AI distillation attack on Claude, prompting U.S. export restrictions and a stock decline.

Anthropic has publicly accused Alibaba of orchestrating what it describes as the largest known distillation attack on its Claude models to date. In a letter dated June 10 and addressed to Senate Banking Committee Chair Tim Scott and ranking member Elizabeth Warren ahead of a congressional hearing on artificial intelligence, the company alleged that operators affiliated with Alibaba and its Qwen AI lab ran a coordinated extraction campaign between April 22 and June 5, 2026. The letter was also shared with White House officials, and Bloomberg was first to report its existence.

The scale of the alleged operation is striking. According to the letter reviewed by multiple outlets, the campaign relied on roughly 25,000 fraudulent accounts that together generated more than 28.8 million exchanges with Claude. The effort specifically targeted Claude's most commercially valuable frontiers — software engineering and agentic reasoning — capabilities that sit at the core of Anthropic's advanced Mythos Preview model.

Distillation, as Anthropic frames it, involves systematically querying a stronger model to generate training data for a cheaper competing one, without ever touching the underlying source code. The attacker simply needs enough high-quality outputs to teach a smaller "student" model to mimic the target. Anthropic warned that systems built this way often lack proper safety guardrails, creating risks that extend beyond intellectual property theft into broader safety and security territory. The company put the stakes in blunt economic terms, writing that distillation attacks turn hundreds of billions of dollars in American R&D into a subsidy for geopolitical competitors.

Not the first time

This is an escalation of a pattern Anthropic first went public with earlier in the year. On February 23, the company disclosed three separate campaigns tied to Chinese labs DeepSeek, Moonshot AI, and MiniMax, which it said collectively produced more than 16 million Claude exchanges through about 24,000 fraudulent accounts. The breakdown was revealing: MiniMax ran the largest of the three at over 13 million exchanges focused on agentic coding; Moonshot AI — itself backed by Alibaba — accounted for over 3.4 million exchanges targeting agentic reasoning, tool use, and computer vision; and DeepSeek, though smaller at over 150,000 exchanges, drew attention for probing Claude's reasoning and for generating censorship-safe responses to politically sensitive prompts about dissidents and party leadership.

Set against that backdrop, the Alibaba figure is enormous. At 28.8 million exchanges, the alleged campaign is nearly 75% larger than the combined total of all three prior operations put together. Anthropic's February disclosure had already noted that the campaigns were growing in "intensity and sophistication," and the latest accusation appears to bear that warning out. Notably, Claude is not commercially available in China, which means every one of the accounts involved was created in violation of Anthropic's terms of service from the outset.

Market reaction and mounting pressure in Washington

The news landed on an already-strained stock. Alibaba's U.S.-listed shares closed down 2.73% at $99.80 on the day the allegations surfaced, edging up only slightly to around $100.15 in after-hours trading. The dip reflects a company facing pressure on several fronts at once. Earlier this month, Alibaba was added to the Pentagon's blacklist of firms alleged to support China's armed forces — a designation it is contesting in federal court, and one that Anthropic's letter cited directly. The letter also claimed Alibaba had ignored prior warnings from the Trump administration before proceeding with the campaign.

The timing intersects sharply with U.S. policy. Just two days after Anthropic sent its letter, on June 12, the Commerce Department imposed export restrictions on Anthropic's most advanced Fable 5 and Mythos 5 models, blocking access by any foreign national — including the company's own foreign-national employees — over concerns the models could reach military or intelligence users in China and other countries of concern. Anthropic said the directive cited "national security authorities" without specifying the underlying concern, and the company is still working with the administration to resolve it.

The bigger picture

Anthropic used the letter to push a specific policy ask: it urged Congress to clarify antitrust guidance so that U.S. firms can share threat intelligence on distillation more freely, alongside calls for tighter export controls and penalties for offenders. The appeal lands two months after the White House Office of Science and Technology Policy issued a memorandum pledging to help AI companies detect and coordinate against industrial-scale distillation.

Not everyone reads these disclosures purely as security warnings. Some analysts note the line between legitimate distillation — a standard, well-established machine-learning technique when a company optimizes its own models — and adversarial exploitation can be blurry, and that framing these incidents as national-security threats also conveniently protects the competitive lead of American labs. What is harder to dispute is the structural shift underway: every frontier lab that exposes an API is now a potential target, and the assumption that broad model access and core IP protection can coexist is being openly challenged.

Alibaba did not immediately respond to requests for comment across the outlets that reported the story, and the company — which has denied any relationship with China's military in its Pentagon case — may still be formulating its position.