Anthropic dropped a bombshell yesterday. In a letter to two members of the U.S. Congress, the company accused Alibaba — one of China’s largest technology conglomerates — of orchestrating “the largest known distillation attack” against its Claude AI model. The numbers are staggering: approximately 25,000 fraudulent accounts conducting 28.8 million interactions with Claude between April 22 and June 5, 2026. That’s not a bug in the system. That’s a business plan.

Here’s what makes this story different from the usual “company accuses rival” headline. Anthropic isn’t just complaining about competition. They’re describing what looks like a state-adjacent industrial espionage operation that exploited the fundamental architecture of how AI-as-a-service works — and it worked.
What Actually Happened
Let’s be precise about what Anthropic is alleging. Operators linked to Alibaba’s Qwen AI lab set up thousands of fake accounts on Anthropic’s API. These accounts didn’t just ask Claude random questions. They ran a coordinated campaign targeting Claude’s most valuable differentiators: software engineering capabilities, agentic reasoning, and task orchestration — the exact features that make Claude worth paying for.
Think about that for a second. If you wanted to clone a competitor’s best product, you wouldn’t waste time copying their login page. You’d go after the parts that are hardest to build from scratch. That’s exactly what happened here. I explored this same dynamic from a different angle when Sakana AI matched Anthropic’s best models without ever accessing them — that was the legitimate version of what Alibaba allegedly did at industrial scale.
Anthropic first flagged this pattern back in February 2026, when they publicly called out DeepSeek, MiniMax, and Moonshot AI for running similar — but smaller — campaigns. That earlier batch involved roughly 16 million exchanges across 24,000 fake accounts. MiniMax alone ran 13 million of those. But Alibaba’s operation dwarfs all of them combined.
The Distillation Playbook
For anyone who hasn’t encountered this term before: model distillation is basically learning someone else’s recipe by tasting their food thousands of times. You send carefully crafted prompts to a competitor’s AI model, collect the outputs, and use those outputs as training data for your own model.
It’s not hacking in the traditional sense. No firewalls were breached. No passwords were stolen. The attackers used the product exactly as it was designed — they just used it at a scale and with a specificity that was never intended.
The Treblle security team broke down the mechanics beautifully. These operations use what they call a “Hydra architecture” — sprawling proxy networks that distribute requests across thousands of accounts simultaneously. One documented network managed over 20,000 fraudulent accounts, deliberately mixing extraction queries with mundane requests to flatten any anomalous signals in the traffic.
If you banned one account, two more took its place. The traffic patterns, according to Anthropic’s analysis, “resembled an ant colony.”
DeepSeek’s Approach Was the Scariest
While Alibaba ran the largest campaign by volume, DeepSeek’s approach was arguably the most technically sophisticated. They ran only about 150,000 exchanges — a fraction of the others — but their targeting was surgical.
DeepSeek’s operators asked Claude to imagine it had just produced a correct answer to a complex problem, then articulate the step-by-step reasoning in detail. On the surface, this looks like a curious philosophical prompt. In reality, it’s a pipeline for generating labeled training examples for a reinforcement learning reward model.
They also specifically targeted censorship-safe query rewrites — prompting Claude to rephrase politically sensitive questions about dissidents, party leaders, and authoritarianism in ways that evade safety filters. That’s not curiosity. That’s building a product feature.
Why This Matters Beyond AI Companies
The obvious question is: why should anyone outside Silicon Valley care about one AI company accusing another of copying its outputs?
Three reasons.
First, Anthropic argues that distilled models are unlikely to retain the safety measures that prevent misuse — including safeguards against bioweapons development, malicious cyber activities, and disinformation campaigns. When you distill a model, you’re copying its capabilities, not its conscience. The safety training that makes Claude refuse harmful requests doesn’t necessarily survive the distillation process.
Second, there’s the geopolitical angle. Anthropic’s letter directly connects distillation attacks to U.S. export controls. The argument: when Chinese labs appear to rapidly close the gap with American AI models, policymakers assume export controls on advanced chips aren’t working. But if that rapid advancement is actually built on extracted capabilities rather than genuine innovation, the export controls may be more effective than they look. I covered the US government’s move to kill Anthropic’s best model last month, and the regulatory machinery is clearly tightening around AI.
Third — and this is the part that should make every developer pause — this exposes a fundamental vulnerability in the AI-as-a-service model. If your business depends on API access to a proprietary model, and your competitor can systematically extract that model’s capabilities through your own API, then your competitive moat is made of paper.
The API Security Problem Nobody Talks About
Here’s what kept me thinking about this story. Anthropic detected these attacks through behavioral fingerprinting, cross-account correlation, IP analysis, and payment metadata. That’s impressive detective work. But according to Treblle’s 2025 report — which analyzed over a billion API requests — 47% of APIs process requests without any authentication at all. Even among those that do authenticate, most have no way to ask: what are these authenticated users actually doing, collectively, over time?
That gap is exactly what distillation attackers live in.
I’ve spent years working with APIs in government IT systems. Authentication tells you who claims to be calling. Observability tells you what they’re actually doing. Both are necessary. Neither alone is sufficient. Most API security stops at the first question. We’ve seen the consequences when security itself becomes the weak link — the Klue supply chain breach showed how even cybersecurity companies can be compromised through their own infrastructure.
The fact that Anthropic caught this operation is a testament to their engineering sophistication. But Anthropic is one of the best-funded AI labs in the world. What about the thousands of smaller AI companies whose entire business model is selling API access to fine-tuned models? They’re running the same game with a fraction of the detection capability.
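To make the "what are these users doing, collectively" question concrete, here is a small cross-account correlation pass over API logs. It is an added example, not Anthropic's or Treblle's detection code; the log fields, sample rows and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log rows (account, payment fingerprint, prompt); not real data.
LOG = [
    ("acct-01", "card-A", "Refactor module 12 and explain each step you took"),
    ("acct-01", "card-A", "What is the capital of France?"),
    ("acct-02", "card-B", "Refactor module 87 and explain each step you took"),
    ("acct-02", "card-B", "Plan the tool calls needed to finish task 4"),
    ("acct-03", "card-B", "Plan the tool calls needed to finish task 19"),
    ("acct-03", "card-B", "Suggest a name for my cat"),
    ("acct-04", "card-C", "Refactor module 3 and explain each step you took"),
    ("acct-04", "card-C", "Plan the tool calls needed to finish task 55"),
    ("acct-10", "card-X", "Summarise this meeting in 3 bullet points"),
    ("acct-11", "card-Y", "What is the capital of France?"),
]

def template(prompt):
    """Reduce a prompt to its template: lowercase, digits masked, whitespace collapsed."""
    return re.sub(r"\s+", " ", re.sub(r"\d+", "<n>", prompt.lower())).strip()

def max_per_account(log):
    """Busiest single account: the only signal a per-account rate limit sees."""
    return max(Counter(acct for acct, _, _ in log).values())

def find_clusters(log, min_accounts=3, min_cluster=3):
    """Return sorted account clusters linked by shared templates or payment data."""
    by_template, by_payment = defaultdict(set), defaultdict(set)
    for acct, pay, prompt in log:
        by_template[template(prompt)].add(acct)
        by_payment[pay].add(acct)
    # A template links accounts only when several distinct accounts send it.
    groups = [a for a in by_template.values() if len(a) >= min_accounts]
    groups += [a for a in by_payment.values() if len(a) >= 2]
    parent = {acct: acct for acct, _, _ in log}  # union-find forest
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for group in groups:
        first, *rest = sorted(group)
        for other in rest:
            parent[find(other)] = find(first)
    clusters = defaultdict(set)
    for acct in parent:
        clusters[find(acct)].add(acct)
    return sorted(sorted(c) for c in clusters.values() if len(c) >= min_cluster)

if __name__ == "__main__":
    print("busiest account sent", max_per_account(LOG), "requests")
    for cluster in find_clusters(LOG):
        print("linked accounts:", cluster)
```

Every account in the sample stays at two requests, so the linkage only appears once accounts are compared with each other. On real traffic the template threshold needs a baseline, since prompts that are popular among legitimate users would otherwise link unrelated accounts.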
Alibaba’s Silence Speaks Volumes
As of this writing, Alibaba hasn’t publicly responded to Anthropic’s allegations. That’s not unusual — companies rarely comment on ongoing regulatory matters. But the silence is notable given the scale of what’s being alleged.
This isn’t a small startup being accused of scraping a few training examples. This is a company with a $200+ billion market cap being accused of running a coordinated, months-long operation involving tens of thousands of fake accounts and nearly 30 million API interactions. If the allegations are accurate, this is one of the largest documented cases of corporate AI espionage in history.
The letter was sent to Congress, which means this is likely heading toward regulatory scrutiny. In the current political climate — where U.S.-China tech tensions are at a fever pitch — this kind of allegation doesn’t just stay in the trade press. It becomes ammunition for policy. The Streisand Effect already kicked in once when the US government tried to restrict Anthropic’s model access — this latest accusation only adds fuel.
What This Means for the AI Industry
We’re entering a phase where the competitive dynamics of AI are shifting from “who has the best models” to “who can protect what they’ve built.” The traditional software playbook — build something, sell access, iterate — is colliding with a reality where your product can be reverse-engineered by simply using it.
For AI companies, the lesson is clear: API rate limiting and account verification aren’t just operational concerns. They’re existential ones. If you can’t distinguish between a genuine user and a distillation operation, you’re essentially giving away your R&D investment at API-call prices.
For developers and organizations building on top of AI APIs, this raises uncomfortable questions about dependency. When you build your product on Claude’s capabilities, you’re trusting that those capabilities remain proprietary. If they don’t — if they get extracted, distilled, and baked into competing models — your competitive advantage erodes along with Anthropic’s.
And for policymakers, the distillation problem complicates the export control debate in ways that don’t have easy answers. You can restrict who buys advanced chips. But how do you restrict who uses an API? The internet doesn’t respect export controls.
What we’re witnessing isn’t just a corporate dispute. It’s the opening chapter of a much larger story about how AI competition actually works — and who gets to define the rules. The chess game just got a lot more complicated.