Anthropic accuses Alibaba of largest-known Claude distillation attack

The striking thing about this case is what did not happen. Nobody stole Claude's weights, broke into Anthropic's servers, or leaked source code. According to the allegations, the operators simply talked to Claude - millions of times. That is the mechanism behind a 'distillation attack.' Distillation is the practice of training a smaller, cheaper model on the outputs of a larger, more capable one, using the frontier model as an effectively unpaid teacher. You feed the teacher a flood of prompts, harvest its answers, and then fine-tune your own model to imitate those answers. Done at scale, the student inherits much of the teacher's behavior without anyone ever paying for the compute and research that produced it.

Anthropic says the campaign was deliberately aimed at Claude's most commercially valuable skills: agentic reasoning, software engineering, and long-horizon planning ^[2]. Those are exactly the capabilities that are hardest and most expensive to train into a model from scratch, which is why harvesting them via the API is so attractive. The alleged toolkit was mundane - nearly 25,000 fraudulent accounts standing in for real users, funneling more than 28.8 million exchanges through normal API access ^[2]. The community seized on this distinction immediately: this was API abuse, not a heist, and that nuance sits at the center of why the accusation has been so divisive.

This is not Anthropic's first distillation accusation, and the trajectory is the real story. In February 2026, Anthropic accused three Chinese labs - DeepSeek, MiniMax, and Moonshot AI - of collectively generating about 16 million Claude exchanges through roughly 24,000 fake accounts ^[1]. The Alibaba campaign, by Anthropic's accounting, exceeded that combined volume on its own: more than 28.8 million exchanges over a 45-day window from April 22 to June 5 ^[2]. The account count barely moved - from about 24,000 to nearly 25,000 - but the volume per account roughly doubled, suggesting a more aggressive harvesting cadence.

The June 10 letter also marked a threshold of a different kind. It was the first time Anthropic named a major Chinese conglomerate, rather than a standalone AI startup, as a distillation source ^[2]. Naming Alibaba - a company with deep commercial and political weight - escalates the dispute from a quarrel between AI labs into a state-adjacent confrontation, which is precisely the frame Anthropic chose when it routed the complaint through the Senate rather than the courts.

Anthropic clearly expected the scale of the numbers to carry the story. Instead, the dominant reaction online was skepticism aimed back at Anthropic itself. Across community discussion, the recurring refrain was a hypocrisy charge - that a company built in part on scraped and copyrighted training data is poorly positioned to cry foul when someone learns from its outputs. The phrase 'the thief accuses the thief' captured the prevailing mood, and a secondary thread kept emphasizing the technical point from the first section: the operators just chatted with Claude through paid-for API access, so framing it as an attack struck many observers as overblown. A practical strand of the conversation pivoted away from blame entirely, with commenters recommending open-weights alternatives as the structural fix - if the weights are public, there is nothing to 'distill' illicitly.

That skepticism found an authoritative echo abroad. Tian Feng, former dean of SenseTime's Intelligence Industry Research Institute, called the accusation a 'kick away the ladder' tactic, argued distillation is a widely adopted compression technique across the AI industry, and accused Anthropic of diverting attention from its own data-misuse history ^[3]. Not all reaction ran one way: a contrarian minority reframed the episode as a U.S.-China cold-war issue where geopolitics outweigh the hypocrisy debate, and a smaller group defended Anthropic's safety-driven motive. But the center of gravity was unmistakably unsympathetic - a notable outcome for an accusation this serious.

The fallout was immediate on two fronts. Alibaba's ADRs fell more than 3% and dropped below $100 after the report, showing the accusation alone carried market consequence regardless of how it is ultimately adjudicated ^[1]. On the policy side, Senators Bill Hagerty and Andy Kim signaled plans to attach an amendment to must-pass defense legislation that would blacklist or sanction Chinese firms found improperly accessing U.S. AI model output ^[1], while Anthropic asked Congress for penalties, tighter export controls, and intelligence sharing ^[2].

The open question is enforceability. If the alleged conduct amounts to creating fake accounts and querying a public API, the remedy is not obvious - terms-of-service violations are far easier to allege than to prosecute across borders, and the underlying interactions look like ordinary usage. Anthropic's choice to frame the issue as national security, arguing that distillation lets PRC labs capture the returns on American AI investment without bearing the costs and could accelerate China's military and cyber AI capabilities ^[2], is a bid to move the fight onto terrain where legislative tools exist. Whether that framing survives contact with the 'it was just an API' counterargument is the thing to watch as the defense-bill amendment advances.