Anthropic says Alibaba ran 28.8 million API exchanges through nearly 25,000 fraudulent accounts over 45 days to harvest Claude’s most valuable capabilities — specifically, the software engineering and agentic reasoning that makes Claude useful for coding agents. The accusation, disclosed publicly June 24, landed on top of an already turbulent week: Anthropic’s two most powerful models had just been globally disabled by a U.S. Commerce Department directive. Senate lawmakers on both sides of the aisle are now pushing to blacklist Chinese AI firms caught doing this.
What Distillation Actually Is (And Why It’s Undetectable) #
Distillation is not hacking. Nobody broke into Anthropic’s servers. The attackers simply queried the Claude API — exactly as it was designed to be used, but at industrial scale with a specific goal: collect enough responses to train a competing model that approximates Claude’s behavior. Chain-of-thought traces are the real prize. When a model shows its reasoning step by step, those traces teach a student model not just what to answer, but how to think through a problem. That’s worth hundreds of millions in training investment, available through API calls costing a few hundred thousand dollars.
The problem Anthropic faces is structural: a distillation query is indistinguishable from a legitimate one. Detection requires pattern analysis — massive volume hitting narrow capability areas, synchronized account behavior, repetitive prompt structures. By the time you’ve spotted the pattern, the data is already collected.
This Isn’t New — It’s Getting Worse #
The Alibaba campaign didn’t happen in isolation. In February 2026, Anthropic disclosed that DeepSeek, MiniMax, and Moonshot AI had collectively run 16 million Claude exchanges through roughly 24,000 fraudulent accounts. OpenAI made similar accusations against DeepSeek the same month. White House AI advisor David Sacks said there was “substantial evidence” DeepSeek had distilled from OpenAI models when R1 launched. Google’s Threat Intelligence Group documented extraction attempts against Gemini.
The Alibaba operation alone exceeded all three prior campaigns combined. It ran for 45 days — April 22 to June 5 — while Anthropic’s behavioral fingerprinting systems were supposedly active. In April, the White House had already flagged distillation as a national security concern and committed to sharing intelligence with US AI labs. None of that stopped it.
What This Means If You Build on Claude #
The practical fallout is already visible. On June 12, the Commerce Department ordered Anthropic to disable Fable 5 and Mythos 5 globally — models that had launched three days earlier and which teams had already integrated. The stated reason was a “narrow potential jailbreak,” unrelated to the Alibaba campaign, but the context is the same: US-China AI tensions are now directly hitting developer access.
Anthropic complied but pushed back publicly in its Fable and Mythos statement: “A narrow potential jailbreak should not be cause for recalling a commercial model deployed to hundreds of millions of people.” That disagreement matters — it signals the company sees the Commerce Department’s approach as disproportionate, but it doesn’t restore developer access.
Expect more friction going forward. Anthropic has already strengthened verification for educational accounts, research programs, and startup pathways — the routes most commonly exploited for fraudulent account creation. Enterprise teams using the API through foreign national employees now face potential “deemed export” compliance requirements. The API is getting harder to access, and that is a direct downstream effect of these attacks.
The Safety Gap in Distilled Models #
Anthropic’s warning deserves more attention than it is getting: AI systems built through adversarial distillation often lack safety guardrails. When you train on a model’s outputs rather than its full training process, you copy what it does without necessarily copying why it does not do other things. The capabilities Alibaba specifically targeted — agentic reasoning and code execution — are exactly the ones with the highest misuse potential.
If you are using an open-weight model and do not know its full training lineage, there is a real possibility it was trained partly on outputs from a model with stronger safety alignment than the student model inherited. This is not theoretical. It is the mechanism behind every major distillation campaign disclosed so far, and it compounds with every model generation.
Can This Actually Be Stopped? #
Senators Hagerty and Kim are moving to sanction Chinese firms caught accessing US AI model outputs — a bipartisan response that signals political will exists. Anthropic is asking for clarified antitrust guidelines so labs can share distillation intelligence, stronger export controls on AI chips, and explicit penalties for distillation attacks.
The technical reality is harder. Any model accessible via a public API can be distilled. The more capable the model, the higher the value of the attack. Policy can raise the cost and create legal deterrence, but a determined, state-affiliated actor with effectively unlimited resources is a fundamentally different threat than a terms-of-service violation. Anthropic is right that no single company can solve this. The question is whether coordinated policy and technical countermeasures can move faster than the next campaign.