Anthropic, the San Francisco AI safety company behind Claude, disclosed this week that it has accused Alibaba Group of orchestrating what it calls the largest known model distillation attack ever recorded against its systems. Between April 22 and June 5, 2026, operators linked to Alibaba’s Qwen AI lab allegedly used nearly 25,000 fraudulent accounts to generate 28.8 million exchanges with Claude, specifically targeting the model’s most advanced reasoning and software-engineering capabilities. Anthropic described the campaign as “brazen” and “illicit,” formally alerting US Senate Banking Committee leadership and Reuters via a letter dated June 10, 2026. The incident marks a significant escalation in the technology competition between US and Chinese AI development programs, and raises urgent questions about how frontier AI companies protect their intellectual property.
What Was Announced
Anthropic disclosed the alleged attack through a formal letter sent to Senate Banking Committee Chair Tim Scott and Ranking Member Elizabeth Warren on June 10, 2026, with the letter later reviewed by Reuters. The company stated that the campaign ran from April 22 to June 5, 2026, and involved nearly 25,000 fraudulent accounts generating more than 28.8 million interactions with Claude over that period.
According to Anthropic, the accounts were operated by individuals connected to Alibaba’s Qwen AI lab, a division of Alibaba Cloud responsible for the Qwen family of large language models. The targets of the data extraction were Claude’s most advanced capabilities, described as its “Mythos Preview” features, which include advanced agentic reasoning, multi-step task planning, and software-engineering performance that Anthropic markets as among the most capable in the industry.
Anthropic characterized the incident as the largest distillation attack in its history, explicitly surpassing a prior campaign it disclosed in February 2026. In that earlier case, Anthropic alleged that teams linked to DeepSeek, Moonshot AI, and MiniMax conducted a combined operation involving 16 million exchanges across 24,000 fraudulent accounts. The alleged Alibaba campaign exceeds that in both scale and the sophistication of the capabilities targeted.
As of the time of publication, Alibaba had not publicly responded to the allegations. Alibaba is also separately contesting a US Department of Defense designation that classified it as a military-affiliated company, a designation that would restrict its relationships with US enterprise customers and defense contractors.
Technical Details
Model distillation is a machine learning technique in which a smaller or less capable model is trained using the outputs of a larger, more advanced model, rather than learning directly from raw training data. The resulting “student” model can achieve performance well above what its size and independent training would normally allow, by learning the behavioral patterns and reasoning strategies of the more capable “teacher” model. Distillation is a legitimate and widely used practice within AI development, but conducting it using unauthorized access and fraudulent accounts violates the terms of service of the models being queried and potentially constitutes IP theft under applicable law.
In Anthropic’s account of this attack, the fraudulent accounts were designed to systematically query Claude in patterns that would expose the model’s reasoning chains, multi-step planning behavior, and software-engineering outputs at scale. By accumulating millions of high-quality query-response pairs from a frontier model, a competitor can create a richly labeled training dataset for its own models without independently developing the underlying research, alignment techniques, or computational resources that produced the original capability.
The specific targeting of Claude’s agentic and software-engineering capabilities is significant. These represent some of the highest-value and most commercially lucrative capabilities in the current AI landscape, with AI coding tools alone representing a market that reached approximately $9.3 billion in 2026. Extracting these behavioral patterns from a frontier model at scale would give a competing lab a substantial shortcut in closing capability gaps that might otherwise require years of independent research.
Industry Impact and Reactions
The Anthropic-Alibaba dispute is the most prominent example yet of what appears to be a growing pattern of systematic data extraction targeting Western frontier AI models. The February 2026 disclosures about DeepSeek, Moonshot, and MiniMax established that multiple Chinese AI organizations had allegedly used similar techniques, and the scale of the alleged Alibaba campaign suggests the practice is becoming more organized and more targeted rather than opportunistic.
For the broader AI industry, the incidents highlight a significant structural vulnerability in the current model for commercial AI deployment. Large language models are monetized by providing API access that, in principle, allows any paying customer to query the model at scale. Detecting unauthorized distillation campaigns requires distinguishing between legitimate heavy users and actors systematically mining model outputs, a detection challenge that becomes harder as the attacks become more sophisticated and the accounts more convincingly mimic ordinary usage patterns.
The decision to route the complaint through the US Senate Banking Committee, rather than pursuing purely civil litigation, signals that Anthropic is framing this as a national security and trade policy issue as much as an intellectual property dispute. Given Alibaba’s simultaneous contest of the Pentagon’s military-company designation, the timing creates a complex regulatory context in which US policymakers are being asked to act on multiple fronts regarding the same company’s activities in the AI sector.
What Comes Next
Congressional attention on AI-related IP theft has been building throughout 2026, and Anthropic’s letter to the Senate Banking Committee is likely to accelerate that focus. Legislators on both sides of the aisle have signaled interest in developing legal frameworks that specifically address distillation attacks and unauthorized data extraction from AI systems, which are not cleanly addressed by existing copyright law or trade secret statutes.
On the technical side, API providers across the industry are likely to review and tighten their fraud detection systems in response to the disclosures. Anthropic has not detailed what countermeasures it has implemented since detecting the campaign, but the company’s decision to make the attack public is itself a deterrent signal to other potential actors. The industry will also be watching closely to see whether Alibaba responds with its own statement and whether any legal action follows Anthropic’s congressional notification.
Conclusion
Anthropic’s accusation against Alibaba represents one of the most consequential IP disputes in the short history of large language model development. With 28.8 million alleged fraudulent interactions targeting the most advanced capabilities of a leading US frontier model, the incident underscores that the competition for AI leadership is playing out not only in research labs and on GPU clusters, but increasingly through attempts to extract and replicate the most valuable outputs of rival systems. How regulators, courts, and the industry respond to this and similar incidents will help define the rules of AI development for years to come.
Stay updated on the latest AI news at Evolve Digital.
