Anthropic has accused Alibaba of using nearly 25,000 fraudulent accounts to extract capabilities from its Claude AI models, in what the US AI company described as the largest known attack of its kind against it.
The campaign, carried out between April 22 and June 5, generated more than 28.8 million exchanges with Claude, according to a June 10 letter Anthropic sent to senior members of the US Senate Banking Committee, Reuters reported.
Anthropic said the effort involved “distillation,” a technique in which a less capable AI model is trained on the outputs of a more advanced system, potentially allowing rivals to replicate some of its capabilities at lower cost.
The company said the campaign was conducted by operators affiliated with Alibaba and Alibaba Qwen, Alibaba’s AI lab, according to the report.
The allegation comes as businesses adopt generative AI tools across business functions, putting pressure on vendors to show they can detect misuse while keeping services available for corporate customers.
The dispute also comes as AI development becomes more closely tied to US-China technology tensions. Anthropic said the alleged campaign could help accelerate China’s ability to reach the capabilities of its advanced Mythos Preview model, while US officials have stepped up scrutiny of advanced AI systems over fears they could be used by military or intelligence users in countries of concern.
In February, Anthropic said it had identified similar campaigns by DeepSeek, Moonshot AI, and MiniMax to extract capabilities from Claude, with the alleged activity ranging from more than 150,000 exchanges by DeepSeek to more than 13 million by MiniMax.
Alibaba did not immediately respond to a request for comment.
If Anthropic’s claims are true, the alleged campaign could allow Alibaba to build a comparable model in a short period of time and offer it at a much lower cost, said Anand Joshi, an AI analyst at TechInsights. Analysts said the alleged campaign also points to a broader pattern beyond the two companies. Viewed alongside previous incidents cited by Anthropic, they said, model extraction appears to be escalating rather than remaining an isolated risk.
“The enterprise supply chain no longer ends at software, APIs, and cloud regions,” said Sanchit Vir Gogia, chief analyst at Greyhound Research. “It now includes rented intelligence, and rented intelligence can be copied and redeployed well outside the safety controls it was born with.”
Gogia said distillation should be a board-level concern because a weaker model trained on a stronger one can inherit its capabilities without the governance and controls around the original system.
For enterprises, the allegations point to a potentially more serious risk than conventional intellectual property theft: reverse engineering at scale. If proven, they would suggest that AI models can be copied systematically, turning model extraction into a new AI supply-chain risk. “If a rival can clone the exact brain of the AI your company relies on, they can easily find its blind spots, hack your automated systems, or cause the AI vendor to panic and shut down services that your business needs to run every day,” said Pareekh Jain, CEO of Pareekh Consulting.
The allegation raises questions about the controls AI vendors have in place and how customers can protect themselves.
“Vendors should provide verified accounts, smart rate limits, abuse detection, usage monitoring, contractual bans on distillation, incident disclosure, and audit rights,” Jain said. “Enterprises should ask how the vendor detects and blocks large-scale model extraction and can demand contracts that guarantee backup plans and financial refunds if the AI service gets attacked or suddenly shut down.”
Joshi said enterprise customers should also press vendors for greater transparency around model development and safeguards.
“Enterprise buyers should ask what training data was used, how it was trained, what guardrails exist, how they can audit it, and so on,” Joshi said. “Model publishers will have to come up with watermarking technology in models as well as model responses. So if the model ‘skills’ are stolen, they should be able to find the thief.”
The article originally appeared on InfoWorld.