Anthropic just told the US Senate that Alibaba ran nearly 29 million exchanges through Claude using 25,000 fake accounts. That is almost double the previous record, set five months ago by three Chinese labs combined.

The letter, dated June 10 and addressed to Senators Tim Scott and Elizabeth Warren, describes what Anthropic calls "the largest known distillation attack on Anthropic to date." Between April 22 and June 5, operators affiliated with Alibaba and its AI lab pushed 28.8 million queries through fraudulent accounts, targeting Claude's coding, reasoning, autonomous agent, and complex planning capabilities.
This is not a new problem. In February, Anthropic publicly accused DeepSeek, Moonshot AI, and MiniMax of running a similar campaign: 16 million exchanges across 24,000 fake accounts. That was already industrial-scale. Alibaba just made it look like a dress rehearsal.
What distillation actually steals
Distillation in its legitimate form is a well-known training technique. You use a large, expensive model to generate training data, then feed that data to a smaller, cheaper model. The student learns from the teacher's outputs. Companies do this with their own models all the time.
The problem is when the teacher never agreed to teach. Anthropic does not offer commercial access to Claude in China, and Chinese subsidiaries are explicitly restricted. The 25,000 accounts in the Alibaba campaign used commercial proxy services to route traffic around those blocks and avoid detection. Anthropic calls the architecture a "hydra cluster," thousands of coordinated accounts that mix distillation traffic with legitimate-looking requests.
What gets extracted is not random. The February campaign targeted chain-of-thought reasoning, reward modeling, tool use, and coding. When Anthropic released a new model mid-campaign, the attackers redirected nearly half their traffic to the new system within 24 hours. This is not some amateur scraping job. It is a focused intelligence operation running at machine speed.
The most recent Alibaba campaign went further, specifically targeting autonomous agent and planning capabilities, the features that make Claude useful for complex, multi-step workflows. These are exactly the capabilities that cost hundreds of millions of dollars to develop and that differentiate frontier models from their open-weight competitors.
The geopolitics are getting ugly
Anthropic's letter does not just describe technical theft. It frames the attacks as a national security threat, noting that the US Department of Defense considers Alibaba (along with BYD and Baidu) to have ties to the Chinese military. Alibaba has denied these ties and is currently suing the Pentagon to be removed from its blacklist.
The timing matters. Earlier in June, the Trump administration ordered Anthropic to suspend access to its latest models, Fable 5 and Mythos 5, for all foreign nationals, including Anthropic's own employees. The government cited national security authorities. Anthropic is negotiating to restore access, but the situation is complicated: the company is simultaneously telling Congress that Chinese firms are stealing its capabilities while its own government is restricting who can use them.
The White House Office of Science and Technology Policy issued a memorandum pledging support for AI companies in detecting and coordinating against distillation attacks. Anthropic's letter urges lawmakers to penalize companies involved in these campaigns and increase protective measures. But the current regulatory landscape is a mess. Export controls restrict access to the models while the models themselves are being extracted at industrial scale through the API.
The real cost is not just Anthropic's
The February campaign involved DeepSeek, Moonshot, and MiniMax, three labs that collectively spent a fraction of what Anthropic invested in Claude's development. Alibaba's campaign dwarfs theirs. If the extracted capabilities end up in models used by Chinese military or intelligence systems, the safety guardrails that Anthropic built into Claude, the ones preventing bioweapon instructions and cyberattack planning, may not survive the distillation process.
Anthropic's blog post from February explains why this matters beyond competitive fairness. Illicitly distilled models often strip safety guardrails. The original model refuses certain requests. The distilled copy may not. That is not a theoretical risk. It is the entire point of the extraction.
The company's proposed defense is multi-layered: classifiers and behavioral fingerprinting to detect coordinated activity, intelligence sharing with other AI labs and cloud providers, and model-level safeguards that reduce the utility of outputs for distillation without hurting legitimate users. But the scale of these attacks suggests that detection alone is not enough. When you are dealing with 28.8 million exchanges across 25,000 accounts in six weeks, you need something more than pattern matching.
The uncomfortable question is whether any API-based model can fully prevent extraction. If the model is accessible through an API, it can be queried. If it can be queried, it can be distilled. The only real defense may be making the cost of querying higher than the value of the extracted data. At 28.8 million exchanges, Alibaba clearly found a way to make the economics work.
What happens next
Alibaba did not respond to requests for comment. The letter was sent to Congress ten days before it became public, which suggests Anthropic was looking for political advantage before going public. That is smart positioning for a company that is about to go public itself.
The broader pattern is clear: every frontier model is now a target for extraction, and the attackers are getting better at it. DeepSeek, Moonshot, and MiniMax ran 16 million exchanges. Alibaba ran 28.8 million. The next one may run 50 million. The question is whether the US government will respond with actual penalties or just more memoranda.
For developers and companies using Claude, the practical impact is limited. Anthropic's models remain accessible and the extraction does not degrade performance. But it does mean that the competitive moat around Claude's capabilities is thinner than anyone would like. The research and development investment that went into building those capabilities is being subsidized by the very company that is supposed to benefit from them.
The distillation problem is not going away. It is accelerating. And the gap between the attackers' sophistication and the defenders' response is growing, not shrinking. This is the cost of building AI behind an API: every capability you ship is a capability someone else can copy, as long as they are willing to spend the electricity.