In a letter to the U.S. Senate Banking Committee, Anthropic accused Alibaba and operators related to its AI lab Qwen of using nearly 25,000 fraudulent accounts to extract the capabilities of the Claude model at a large scale. According to the letter seen by Reuters and other media, this incident, described by Anthropic as the "largest known" model distillation attack, occurred between April 22 and June 5, 2026, involving over 28.8 million interactions with Claude. Its sensitivity stems not only from its scale but also because it coincided with consecutive U.S. government escalations in AI export controls and the Pentagon's listing of Alibaba on its "Chinese military company" roster.

The so-called "model distillation" does not involve directly stealing model weights or source code. Instead, it uses the output results of a strong model to train another model, allowing the latter to rapidly replicate some of its capabilities. In AI R&D, this is originally a common technique. However, if conducted through fraudulent accounts, in violation of service terms, or by circumventing access restrictions, it is viewed as the illegal extraction of intellectual property. For U.S. policymakers, a more棘手 issue is that even without obtaining the most advanced model itself, large-scale queries could help competitors acquire similar capabilities in areas like software engineering and agent reasoning.

42 Days, 28.8 Million Interactions: Anthropic Points the Finger at Ali and Qwen

Dated June 10, the letter was addressed to U.S. Senate Banking Committee Chairman Tim Scott and senior member Elizabeth Warren. Content seen by multiple media outlets shows Anthropic described this operation as the largest known distillation attack against the company.

The core numbers are straightforward. From April 22 to June 5, attackers used approximately 25,000 fraudulent accounts to conduct over 28.8 million interactions with Claude. Anthropic believes the operators behind these accounts are related to Alibaba and Alibaba Qwen, with the aim of accelerating China's acquisition of Anthropic's advanced model capabilities.

Anthropic's concern in the letter is not merely the replication of general question-answering abilities but the potential outflow of capabilities closer to the cutting edge, such as in software engineering, automated tasks, and agent reasoning. Once these outputs are systematically collected, they could become data for training other models.

Nuance is important here. Anthropic's phrasing uses "operators related to Alibaba and Alibaba Qwen," which does not equate to confirming that Alibaba officially orchestrated the attack directly, nor does it prove that related models have successfully replicated Claude's advanced capabilities. As of the reports' publication, Alibaba had not responded to the distillation allegation. Regarding its listing on the Pentagon's "Chinese military company" list, Alibaba has filed a lawsuit, calling the designation "devoid of factual or legal basis."

Why Are Distillation Attacks More Sensitive Than Ordinary Scraping?

Ordinary data scraping typically refers to crawling web pages, text, or publicly available materials. Distillation attacks target the output capabilities of the model itself.

Attackers can repeatedly pose questions to a strong model, saving its answers, reasoning processes, code generation results, or task execution plans, and then use them to train their own model. This way, even without accessing the underlying weights, they may learn the behavioral patterns of the strong model on certain tasks.

This is precisely where AI companies and regulators are becoming increasingly vigilant. The access interface of an advanced model is originally a commercial product and a channel for external services. But when the scale of access reaches tens of millions of instances and the accounts are identified as fraudulent, the product interface can become a channel for capability extraction.

Anthropic has previously disclosed similar incidents publicly. In February 2026, the company stated it had discovered smaller-scale similar activities by DeepSeek, Moonshot AI, and MiniMax, with DeepSeek-related interactions exceeding 150,000, Moonshot AI over 3.4 million, and MiniMax over 13 million. Compared to these cases, the 28.8 million interactions linked to Alibaba and Qwen-related operators are significantly larger.

By writing to Congress, Anthropic is also pushing for the U.S. government to engage in threat intelligence sharing with private AI companies. According to its statement, the intensity and complexity of such attacks are rising, requiring faster coordinated responses.

Allegations Coincide with U.S. Policy Escalation, Anthropic Itself Also Restricted

This allegation did not emerge in isolation.

In April this year, the White House accused China of stealing intellectual property from U.S. AI labs on an "industrial scale." By early June, the Pentagon updated its 1260H list, adding Alibaba to its "Chinese military company" list. Alibaba is challenging this designation, but the move has already tightened its relationship with U.S. national security scrutiny.

Subsequently, on June 12, the U.S. Commerce Department imposed export restrictions on Anthropic's latest Mythos and Fable models, citing national security concerns. The U.S. side worries these advanced models could be used by military or intelligence agencies in countries like China.

For Anthropic, this restriction brings direct consequences. Due to difficulties in effectively screening global user identities and access sources, the company has had to impose broader access restrictions on the relevant models, rather than just region-specific blockades.

This creates a contrast. On one hand, Anthropic is asking the government for help combating external distillation attacks; on the other hand, it is also beginning to bear the product access limitations resulting from stricter export controls. AI models are no longer just software services; they are being incorporated into security control frameworks similar to those for advanced chips.

Attribution and Countermeasure Boundaries Remain the Biggest Questions

In the short term, this incident is most likely to prompt further discussion in the U.S. Congress and among regulators regarding AI model access control. Compared to traditional export controls, managing model interfaces is more challenging. Users can register across borders, resell access rights, or distribute query volumes across numerous small accounts.

However, this incident remains at the stage of Anthropic's unilateral allegation. The intent of the attack, the true operating entities behind the accounts, and the extent of capability outflow have not entered judicial determination. Whether Alibaba will respond, how it explains the identity of Qwen-related operators, and whether there were third parties operating using the Alibaba ecosystem or name remain unresolved questions.

A more practical impact is that the U.S. may further require AI companies to strengthen account review, abnormal query monitoring, and cross-company threat intelligence sharing. For frontier model companies like Anthropic, OpenAI, and Google, this will increase security and compliance costs. For Chinese AI companies, the difficulty of accessing overseas advanced model services may continue to rise.

This allegation has not yet become a judicial conclusion, but it has made one question more concrete: beyond model weights, model outputs themselves are becoming assets subject to control and contention in the U.S.-China AI competition.