The latest
Anthropic is accusing Alibaba of trying to shortcut its way into Claude’s capabilities.
In a letter sent to U.S. senators and White House officials, the company said operators linked to Alibaba’s Qwen lab used a large network of fake accounts to access Claude and extract its capabilities at an unprecedented scale.
Anthropic described the campaign as the largest known distillation attack against its models so far.
Distillation does not mean stealing the model’s code.
It means extracting its behavior.
The idea is simple, and dangerous: ask an advanced model millions of carefully designed questions, then use the answers to train a rival model to imitate its capabilities.
Details
• According to Reuters and the Financial Times, Anthropic said the operation ran from late April to early June and used nearly 25,000 fraudulent accounts.
• The company said those accounts generated more than 28.8 million interactions with Claude, even though Anthropic does not offer commercial access to Claude in China.
• Anthropic alleges the accounts used methods to bypass geographic access restrictions and its terms of service.
• The letter linked the operation to operators associated with Qwen, Alibaba’s AI lab.
• Anthropic said the campaign targeted Claude’s highest-value capabilities, especially software engineering, agentic reasoning and long-horizon tasks.
• These capabilities are at the center of the next AI race: models that do not just answer questions, but plan, write code, use tools and carry out multi-step work.
• The allegation follows earlier Anthropic claims against other Chinese AI labs, including DeepSeek, Moonshot AI and MiniMax.
• Anthropic previously said those labs used about 24,000 fake accounts and more than 16 million queries to extract Claude’s capabilities.
• If Anthropic’s account is accurate, the Alibaba-linked operation was larger in both scale and potential impact.
• Alibaba did not immediately respond to the allegations, according to media reports.
• Alibaba shares fell about 3% after reports of the accusation.
• The case comes as Washington tightens scrutiny of Chinese access to advanced U.S. AI models, alongside existing restrictions on chips and other sensitive AI infrastructure.
• Anthropic wants Congress to close loopholes that allow Chinese labs to access outputs from leading U.S. models and to penalize large-scale distillation attacks.
• The company is framing the case as a national security risk, not just a commercial breach of terms of service.
• Its concern is that distilled models may carry advanced capabilities without the same safety controls built into the original systems.
• The biggest risk, in Anthropic’s view, is that those capabilities could support offensive cyber operations or tools that are harder to trace.
What to watch
This is not just a fight between two companies.
It is an early test of how AI models can be protected when their outputs become strategic assets.
The old question was whether China could get the chips.
The new question is whether Chinese labs can get the behavior of U.S. models without owning the chips or the code.
If a company can send millions of prompts through fake accounts and train a model on the answers, traditional export controls become less effective.
The next fight will center on three things: user verification, detection of abnormal usage patterns and penalties for industrial-scale distillation targeting protected models.
The bottom line: AI is no longer only stolen through code or chips.
It can be extracted through conversation itself.
And if Anthropic’s allegations are accurate, Alibaba did not try to hack Claude through the back door.
It tried to make Claude teach its rival, one question at a time.
