Anthropic accuses Alibaba of illicit Claude distillation

The word 'attack' conjures stolen weights and breached servers, but Anthropic's accusation describes something stranger and, in some ways, more unsettling: a campaign built entirely out of normal-looking conversations. Distillation, as the technique is plainly described, means feeding carefully constructed queries to a frontier AI model, collecting its responses, and using those responses to train a cheaper rival system that approximates the original's capabilities ^[3]. No firewall is breached. The model simply answers, as it is designed to do, and each answer becomes a labeled training example for someone else's system.

That reframing matters because it explains the numbers. Anthropic alleges operators affiliated with Alibaba and its Qwen lab ran 28.8 million exchanges across roughly 25,000 fraudulent accounts between April 22 and June 5, 2026 ^[1]. The fake accounts are not a way past the lock; they are a way past the rate limits, spreading an industrial harvesting operation thinly enough to look like ordinary demand. Anthropic says the campaign deliberately targeted Claude's most commercially valuable behaviors - software engineering and agentic reasoning, the cornerstones of its Mythos Preview model ^[1]. In Anthropic's framing, these were 'illicit, systematic, and industrial-scale efforts to harvest U.S. AI capabilities and repackage them without incurring the training and R&D costs required to train U.S. frontier models' ^[2]. The product being extracted was not data in storage - it was the model's behavior in motion.

The scale is the story, and the scale is also the escalation. Anthropic's headline figures - 28.8 million exchanges and roughly 25,000 fraudulent accounts over a six-week window from April 22 to June 5, 2026 - dwarf the earlier Chinese-lab cases the company has cited ^[1]. In February 2026 Anthropic flagged distillation tied to DeepSeek, Moonshot AI, and MiniMax; the previously reported volumes there were on the order of more than 150,000 exchanges for DeepSeek and more than 13 million for MiniMax ^[7]. Against that backdrop, the Alibaba figure represents a step-change in alleged extraction volume, which is precisely why Anthropic labeled it the 'largest known distillation attack' to date ^[2].

The market did the math quickly. Alibaba's Hong Kong-listed shares (HKG:9988) fell about 4.43% to HK$95.00 on June 25, 2026, dropping as much as 4.8% intraday and erasing roughly HK$88 billion in market value, with trading volume running about 51% above its average ^[5]. The selloff did not happen in isolation: it landed alongside a separate U.S. Department of Defense designation of Alibaba as a 'Chinese military company,' which the firm is contesting with a lawsuit filed June 23 ^[5]. Two narratives - illicit AI extraction and military-linkage - compounded into a single bad week for the stock.

For two years the U.S.-China AI contest has been fought over hardware: export controls on advanced GPUs, restrictions on who can buy what compute. The Alibaba dispute marks a shift in the frontier of that conflict from chips to cognition. If a rival can be denied the chips but still converse its way to a frontier model's behavior, then the model's outputs themselves become the new contraband. The incentive structure is explicit in the coverage: with the Trump Administration directing restrictions barring non-U.S. citizens from accessing Fable 5 and Mythos 5 models, foreign labs gain a strong reason to obtain those capabilities indirectly, through distillation rather than direct access ^[2].

Washington has been moving toward this fight. In April 2026 the White House Office of Science and Technology Policy published a memo flagging distillation as a national security concern and pledging to share intelligence with U.S. AI labs about foreign distillation campaigns ^[3]. Anthropic's letter pointedly states that in proceeding, Alibaba 'ignored the Trump Administration's warnings' ^[1]. The institutional response is hardening on two tracks at once: senators are proposing defense-bill amendments to sanction Chinese firms that improperly access U.S. AI outputs ^[2], while OpenAI, Anthropic, and Google have reportedly begun coordinating to clamp down on competitors extracting results from frontier models ^[6]. The competitive frontier and the national-security frontier are merging.

The accusation has not landed as a clean morality tale, and that is the most interesting thing about it. Beijing's rebuttal is unequivocal: the Chinese Foreign Ministry called the allegations 'groundless' and 'deliberate attacks on China's development,' while former SenseTime research dean Tian Feng framed them as technological-hegemony anxiety and a 'kick away the ladder' tactic, arguing that distillation is a widely used compression technique and that Chinese firms advanced through lawful data and algorithm work ^[4]. The same counter-framing is echoing in Western developer circles, where the dominant reaction has been skepticism rather than alarm - a 'pot calling the kettle black' sentiment built on the argument that a company that trained its own model on scraped web data is now objecting to its outputs being reused. That tension was amplified by Elon Musk publicly accusing Anthropic of stealing data itself, recasting the episode as a fight over AI training ethics rather than a one-sided theft.

There is also a quieter, more precise objection worth surfacing: this is, by its own description, a terms-of-service violation reported to the Senate, not a filed lawsuit, and observers have cautioned against treating a letter as a verdict. Anthropic has framed the campaign in stark security terms, but the public record so far is an accusation backed by Anthropic's own telemetry, with Alibaba declining to comment ^[1]. For many practitioners, the more durable takeaway is not the geopolitics at all but a market signal: the appetite for capable open-weight local models that sidestep this entire dependency on a single frontier vendor's API. Whatever the merits of the specific claim, the episode is accelerating a search for alternatives that do not require asking a competitor's model 28.8 million questions.