Anthropic has accused Alibaba and its AI lab Qwen of running the largest known model distillation attack in its history. Between April 22 and June 5, operators affiliated with Alibaba registered nearly 25,000 fraudulent accounts and generated 28.8 million exchanges with Claude — targeting the model’s most advanced, restricted capabilities. The disclosure came in a June 10 letter to the US Senate Banking Committee, and it landed on Hacker News today with 706 upvotes and over 1,100 comments. That kind of reaction tells you this one hit a nerve.
What Distillation Actually Means #
Model distillation is a legitimate machine learning technique — you train a smaller, cheaper model on the outputs of a larger, more capable one. Done honestly, it’s how you get efficient models out of expensive ones. Done adversarially, it’s how you replicate a competitor’s years of R&D without paying for it. The basic playbook: write targeted prompts, collect the frontier model’s responses, and use those response pairs as training data. Your model learns to behave like the original at a fraction of the cost.
The legal and ethical status of API-based distillation is genuinely murky — you’re technically using a public API. But 25,000 fraudulent accounts changes the calculus. That’s not a gray area; that’s fraud.
The Scale Makes This Different #
In February 2026, Anthropic disclosed that three Chinese AI startups — DeepSeek, MiniMax, and Moonshot AI — had collectively run distillation campaigns totaling roughly 16 million exchanges. That was alarming. The Alibaba campaign, at 28.8 million exchanges, nearly doubles the combined total in a single operation. The pace of escalation across just four months is the signal worth paying attention to.
Anthropic described this as the largest known attack of its kind it has faced. The campaign ran for 44 days, operated across tens of thousands of fake accounts to evade rate limits, and focused on extracting Claude’s software engineering and agentic reasoning capabilities — the skills that make frontier models commercially valuable in 2026.
Why They Targeted Mythos Preview #
The specific target here matters. Anthropic’s Mythos Preview model isn’t publicly available — Anthropic restricted access after internal evaluations showed it could autonomously discover and exploit zero-day vulnerabilities in major operating systems and browsers. So instead of releasing it broadly, Anthropic launched Project Glasswing, an industry consortium that uses Mythos’ capabilities for defensive security research only.
What Alibaba’s operators were after was precisely this — the agentic coding and reasoning capabilities that Anthropic deemed too dangerous to release. And here is the part that gets underplayed in most coverage: models trained through adversarial distillation don’t inherit the safety tuning of the original. You get the capabilities without the guardrails. That’s not just an IP concern. It’s a safety concern.
What Developers Should Watch #
This story has real practical implications for anyone building on AI APIs:
API access is likely to tighten. Expect stricter rate limits, identity verification, and usage monitoring from Anthropic and other providers. This attack accelerates moves toward KYC requirements for API access.The ToS prohibition is real. Almost every major AI provider explicitly prohibits using API outputs to train competing models. This is now being treated as a serious offense, not a technicality.Model provenance matters. If your stack relies on third-party or open-source models, understand how they were trained. A distilled model missing safety alignment can introduce unexpected behavior in production.Congress is paying attention. Anthropic’s letter asks for antitrust guidance on sharing threat intelligence, AI chip export controls, and penalties for distillation attacks. Policy is moving faster than most developers realize.
The Bigger Picture #
Qwen, for context, is already one of the most competitive model families available. Qwen3.7-Max outperforms Claude Opus 4.6 on several software engineering benchmarks and costs roughly half as much per token. Alibaba doesn’t need Claude’s capabilities to compete — which makes this campaign feel less like catch-up and more like a deliberate consolidation of an already strong position.
Whether or not Congress acts on Anthropic’s asks, one thing is clear: the API layer is now a frontline in AI competition. Anthropic’s detection infrastructure — behavioral fingerprinting, watermarked outputs, payment pattern analysis — caught this campaign. Read Anthropic’s technical writeup on detecting and preventing distillation attacks if you want to understand how the detection works. But the fact that 28.8 million queries slipped through before detection is its own kind of wake-up call.