Anthropic accused Alibaba of carrying out the largest distillation attack on its Claude AI model to date, claiming the Chinese e-commerce giant used nearly 25,000 fraudulent accounts to extract the chatbot’s capabilities in a coordinated campaign between April and June 2026. In a letter to the U.S. Senate Committee on Banking, Housing, and Urban Affairs dated June 10 and obtained by CNBC, Anthropic said operators affiliated with Alibaba’s Qwen AI lab generated more than 28.8 million exchanges with Claude during the roughly six-week period.
Distillation is an AI training method where a smaller, less capable model learns from the outputs of a larger, more advanced one. When applied to a competitor’s proprietary model without permission, the technique becomes a form of intellectual property theft, allowing attackers to rapidly improve their own systems by training on a more powerful model’s responses.
Anthropic said the campaign targeted Claude’s most prized capabilities, including software engineering and agentic reasoning skills—functions that allow AI systems to plan and execute complex tasks autonomously. The company stated in its letter that Alibaba “ignored the Trump Administration’s warnings” by proceeding with the distillation attack, referring to a White House memorandum issued in April 2026 that pledged government-industry coordination to detect and defend against such campaigns.
“We believe combating the threat of illicit distillation requires coordinated action between government and industry, and we will continue working with Congress and the Administration to maintain American AI leadership,” an Anthropic spokesperson said in a statement.
Prior Distillation Campaigns in February
The Alibaba accusation marks an escalation in a pattern Anthropic first disclosed publicly in February 2026. At that time, the company identified three other Chinese AI labs—DeepSeek, Moonshot AI, and MiniMax—conducting what it called “industrial-scale” distillation attacks. According to Anthropic’s February announcement, those three firms created approximately 24,000 fraudulent accounts and conducted more than 16 million queries against Claude to train their own models. The campaigns were growing in intensity and sophistication, Anthropic warned at the time, and the company called for industry-wide collaboration to defend against the threat.
The White House’s April memorandum, issued by the Office of Science and Technology Policy, directed federal agencies to share intelligence with AI companies about distillation threats and to co-develop defensive best practices. The memo explicitly named China as a source of “deliberate, industrial-scale campaigns” to steal U.S. AI models, signaling that the administration viewed the attacks as a national security concern. Anthropic’s June letter to Congress suggests that despite these warnings, the attacks have continued and intensified under new actors—or that Alibaba, a major Chinese technology firm, mounted its own separate campaign.
A representative for Alibaba did not immediately respond to requests for comment on the accusations. The company’s Qwen AI lab is one of China’s leading efforts to build frontier large language models and has released several models publicly, including Qwen 3.7, which the company released in May 2026.
Sources
- CNBC — Anthropic’s June 10 letter to Senate, details of the 28.8 million exchanges and 25,000 fraudulent accounts, description as “largest known distillation attack,” and Anthropic’s statement on coordinated action.
- Reuters — Confirmation of the campaign dates (April 22–June 5, 2026), the 28.8 million exchanges, the link to Alibaba’s Qwen AI lab, and the White House April memorandum on distillation defense.
- The Hacker News — Details of the February 2026 distillation attacks by DeepSeek, Moonshot, and MiniMax, including the 16 million queries and 24,000 fraudulent accounts.
- CNN — Confirmation of the February 2026 accusations against DeepSeek, Minimax, and Moonshot AI, and the scale of the earlier campaigns.
- Financial Times — Alibaba’s use of fraudulent accounts to access Claude and the targeting of specific capabilities.
