In a letter to the U.S. Senate Banking Committee, Anthropic accused Alibaba and its associated Qwen AI lab operations of using nearly 25,000 fraudulent accounts to systematically extract capabilities from the Claude model. According to the letter seen by Reuters and other media, this attack—termed by Anthropic as the "largest known" model distillation incident—occurred between April 22 and June 5, 2026, involving over 28.8 million interactions with Claude. The sensitivity of this case stems not only from its scale but also from its timing, coinciding with the U.S. government’s escalating export controls on AI and the Pentagon’s addition of Alibaba to its list of "Chinese military companies."
所谓“模型蒸馏”,并非直接窃取模型权重或源代码,而是利用一个强大模型的输出结果来训练另一个模型,使其快速复现部分能力。在人工智能研发中,这原本是一种常见技术;但如果通过欺诈性账户、违反服务条款或绕过访问限制来实施,则被视为非法获取知识产权。对美国政策制定者而言,更棘手的是,即使未获取最先进的模型本身,大规模调用也可能帮助竞争对手获得类似的软件工程、智能体推理等能力。
The letter, dated June 10, was addressed to Senator Tim Scott, Chairman of the U.S. Senate Banking Committee, and senior member Elizabeth Warren. The contents of the letter, seen by multiple media outlets, describe Anthropic's action as the largest known distilled attack against the company.
The core numbers are straightforward. Between April 22 and June 5, the attacker used approximately 25,000 fraudulent accounts to interact with Claude over 28.8 million times. Anthropic believes the operators behind these accounts are linked to Alibaba and Alibaba’s Qwen, with the aim of accelerating China’s access to Anthropic’s advanced model capabilities.
The concerns in the letter are not merely about the replication of general Q&A capabilities, but rather about the potential leakage of capabilities in software engineering, automated tasks, and agent reasoning found in frontier models. Once these outputs are systematically collected, they could become data for training other models.
The boundaries here are equally important. Anthropic’s phrasing—“operators associated with Alibaba and Alibaba Qwen”—does not equate to confirmed direct involvement by Alibaba’s official organization in the attack, nor does it prove that the relevant models have successfully replicated Claude’s advanced capabilities. As of the publication of the relevant report, Alibaba has not responded to the distillation allegations. Regarding its inclusion on the Pentagon’s list of “Chinese military companies,” Alibaba has filed a lawsuit, stating that the designation is “without factual or legal basis.”
Regular data scraping typically refers to extracting web pages, text, or publicly available information. Distillation attacks target the model's own output capabilities.
Attackers can repeatedly query powerful models, save the responses, reasoning processes, code generation outputs, or task execution plans, and use them to train their own models. This allows them to learn the behavioral patterns of powerful models on certain tasks, even without access to the underlying weights.
This is precisely where AI companies and regulators are becoming increasingly vigilant. Access interfaces to advanced models were originally commercial products and channels for external services. However, when access scales reach tens of millions of requests and accounts are identified as fraudulent, these product interfaces could become channels for capability extraction.
Anthropic has previously disclosed similar incidents. In February 2026, the company reported detecting smaller-scale similar activities involving DeepSeek, Moonshot AI, and MiniMax, with over 150,000 interactions related to DeepSeek, over 3.4 million related to Moonshot AI, and over 13 million related to MiniMax. In comparison, the 28.8 million interactions linked to Alibaba and the operators of Qwen are significantly larger.
Anthropic wrote to Congress, also advocating for the U.S. government to share threat intelligence with private AI companies. According to Anthropic, the intensity and complexity of such attacks are increasing, requiring faster coordinated responses.
This allegation did not occur in isolation.
In April, the White House accused China of stealing intellectual property from U.S. AI labs on an “industrial scale.” By early June, the Pentagon updated its 1260H list, adding Alibaba to the list of “Chinese military companies.” Alibaba is challenging this designation, but the move has already tightened its relationship with U.S. national security reviews.
Subsequently, on June 12, the U.S. Department of Commerce imposed export restrictions on Anthropic’s latest Mythos and Fable models, citing national security concerns. The U.S. fears these advanced models could be used by military or intelligence agencies in countries such as China.
For Anthropic, this restriction has direct consequences. Due to difficulties in effectively verifying global user identities and access sources, the company has had to impose broader restrictions on model access, rather than implementing precise regional blocks.
This creates a contrast: Anthropic is simultaneously calling on governments to help combat external distillation attacks, while also facing increased restrictions on product openness due to stricter export controls. AI models are no longer merely software services—they are being brought under security control frameworks similar to those applied to advanced chips.
This incident is most likely to prompt continued discussions in the U.S. Congress and among regulators regarding access controls for AI models. Controlling model interfaces is more challenging than traditional export controls; users can register across borders, resell access rights, or split usage across numerous small accounts.
However, this incident remains at the stage of Anthropic’s unilateral allegations. The intent behind the attack, the true operators behind the accounts, and the extent of capability leakage have not yet been formally established by judicial authorities. Whether Alibaba will respond, how it will explain the identity of the entities operating Qwen, and whether third parties have exploited Alibaba’s ecosystem or name remain unresolved questions.
A more realistic impact is that the U.S. may further require AI companies to strengthen account verification, monitor unusual access patterns, and share threat intelligence across organizations. For leading model companies such as Anthropic, OpenAI, and Google, this will increase security and compliance costs. For Chinese AI companies, accessing overseas advanced model services may become increasingly difficult.
This allegation has not yet become a judicial determination, but it has made one issue more concrete: beyond model weights, the outputs of models themselves are becoming assets that are regulated and contested in the U.S.-China AI competition.
律动 BlockBeats