The geopolitical battle for artificial intelligence supremacy is increasingly being fought not just with silicon, but through the illicit extraction of intellectual property.
This reality was starkly illustrated in June 2026 when Anthropic levelled a serious accusation against Alibaba. In a letter to the US Senate Banking Committee, the American AI firm detailed an industrial-scale "distillation attack" allegedly orchestrated by the Chinese tech giant's AI lab, Qwen.
The operation, which reportedly took place between April 22 and June 5, 2026, involved nearly 25,000 fraudulent accounts generating over 28.8 million exchanges with Anthropic's Claude model. The incident highlights a critical vulnerability in frontier AI systems and exposes the extreme measures competitors will employ to close the capability gap.
The Mechanics of Distillation
To understand the severity of the threat, it is necessary to examine the mechanics of model distillation.
In legitimate research contexts, distillation is a technique used to create a smaller, more efficient "student" model by training it on the outputs of a larger, more capable "teacher" model. Frontier labs frequently use this method internally to create cost-effective versions of their proprietary systems.
However, when deployed illicitly against a competitor, distillation transforms into a sophisticated form of intellectual property theft. By systematically querying a superior model and capturing its responses, an attacker can train their own system to mimic the target's advanced capabilities. This effectively allows the attacker to bypass the immense computational costs and years of foundational research required to develop those capabilities independently.
Anthropic claims the Alibaba campaign specifically targeted Claude's advanced reasoning and coding capabilities. Generating nearly 30 million interactions in just six weeks requires sophisticated automation, indicating a highly coordinated effort to extract the model's most valuable intellectual property.
Bypassing Export Controls
The implications of the attack extend far beyond commercial competition, striking at the heart of US national security strategy.
The United States government relies heavily on export controls, specifically restricting access to advanced semiconductors like Nvidia's high-end GPUs, to constrain the AI development capabilities of geopolitical rivals, particularly China. The strategy assumes that without the necessary hardware, competitors cannot train frontier models from scratch.
Distillation attacks provide a direct workaround to these hardware restrictions. If a foreign entity can extract the capabilities of a US-developed model using relatively modest computing resources (which are sufficient for inference and distillation, if not foundational training), the effectiveness of the export controls is severely undermined.
Recent analysis from international security experts notes that distillation attacks enable Chinese models to meet performance benchmarks they have yet to independently achieve, reinforcing public narratives of cost-efficient Chinese AI development.
The Safety and Security Deficit
Beyond the economic implications, illicitly distilled models present profound security risks. They typically lack the safety guardrails meticulously engineered into the original systems by companies like Anthropic.
"We believe combating the threat of illicit distillation requires coordinated action between government and industry, and we will continue working with Congress and the Administration to maintain American AI leadership," an Anthropic spokesperson stated, highlighting the urgency of the issue.
The concern is that foreign labs distilling American models can feed these unprotected capabilities into military, intelligence, and surveillance systems. This enables authoritarian governments to deploy frontier AI for offensive cyber operations, disinformation campaigns, and mass surveillance without the ethical constraints imposed by the original developers.
The Detection Challenge
Technology companies are developing increasingly sophisticated countermeasures, including behavioural fingerprinting systems that identify the repetitive, high-volume query patterns associated with automated model extraction. Detecting these attacks, however, is far more difficult than preventing a conventional cyber breach. Distillation relies on the legitimate use of APIs rather than exploiting software vulnerabilities, making it challenging to distinguish genuine high-volume users from coordinated extraction campaigns.
The challenge is compounded by the "hydra cluster" architecture adopted by sophisticated attackers. By distributing requests across thousands of proxy accounts, extraction operations can evade rate limits and behavioural thresholds. When one account is suspended, another immediately takes its place, creating a continuous and resource-intensive game of whack-a-mole for security teams.
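The gap between per-account thresholds and a distributed campaign can be shown with a small detection sketch. This is an added example, not Anthropic's or any vendor's system: the log format, account names, prompts and thresholds are all constructed assumptions, and prompt-template matching stands in for whatever behavioural signals a real fingerprinting system uses.

```python
import re
from collections import defaultdict

# All thresholds below are assumed values chosen for the constructed sample.
PER_ACCOUNT_LIMIT = 5     # requests per account per window
CLUSTER_MIN_ACCOUNTS = 3  # distinct accounts sharing one prompt template
CLUSTER_MIN_REQUESTS = 8  # aggregate requests for that template

def template_of(prompt):
    """Reduce a prompt to its shape: lowercase, mask quoted spans and numbers."""
    shape = re.sub(r'"[^"]*"', "<str>", prompt.lower())
    shape = re.sub(r"\d+", "<n>", shape)
    return re.sub(r"\s+", " ", shape).strip()

def analyse(log):
    """Return (accounts over the per-account limit, cross-account clusters)."""
    per_account = defaultdict(int)
    by_template = defaultdict(lambda: defaultdict(int))
    for account, prompt in log:
        per_account[account] += 1
        by_template[template_of(prompt)][account] += 1
    over_limit = sorted(a for a, n in per_account.items() if n > PER_ACCOUNT_LIMIT)
    clusters = []
    for template, accounts in by_template.items():
        total = sum(accounts.values())
        if len(accounts) >= CLUSTER_MIN_ACCOUNTS and total >= CLUSTER_MIN_REQUESTS:
            clusters.append({"template": template,
                             "accounts": sorted(accounts),
                             "requests": total})
    return over_limit, clusters

# Constructed sample log: (account id, prompt). Four low-volume accounts share
# one template; one genuine heavy user sends varied prompts.
SAMPLE_LOG = [
    (f"acct-{i}", f'Solve step by step: problem {100 * i + j} about "{topic}"')
    for i in range(1, 5)
    for j, topic in enumerate(["graphs", "heaps", "tries"])
] + [("dev-alice", p) for p in [
    "Refactor my payment module to use async IO",
    "Why does this test fail on CI but not locally?",
    "Explain this stack trace from our build",
    "Draft release notes for version 2",
    "Write a unit test for the date parser",
    "Review this SQL migration for locking issues",
]]

if __name__ == "__main__":
    over_limit, clusters = analyse(SAMPLE_LOG)
    print("over per-account limit:", over_limit)
    for c in clusters:
        print("cluster:", c)
```

On the sample, the per-account limit flags only the genuine heavy user, while the four coordinated accounts stay under it and surface only when requests are grouped by template across accounts.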
Detection alone is only part of the problem. Establishing responsibility for these campaigns remains equally difficult, particularly when state-affiliated actors may be involved. Without widely accepted standards for attribution and evidence, governments and companies face significant obstacles in coordinating responses, enforcing accountability, and deterring future model extraction efforts.
The Regulatory Response
The revelation of the Alibaba campaign has prompted a swift, albeit complex, response from the US government. The White House has directed federal agencies to treat China's distillation attacks as a national security priority. Turning that directive into effective policy, however, will require balancing the protection of American intellectual property against the risk of escalating broader trade tensions. The challenge is further complicated by Alibaba's recent designation on the Pentagon's list of Chinese military companies, a classification the company continues to contest.
The policy response extends well beyond a single investigation.
Protecting AI intellectual property will require more than export controls. Governments and technology companies will need a combination of technical safeguards, stronger legal frameworks, and clearer consequences for large-scale model extraction. Without credible deterrence, the commercial incentives underpinning frontier AI research could be significantly weakened.
The incident could reshape how frontier AI is developed and shared. For decades, AI research has benefited from a culture of openness, with researchers publishing methodologies and architectural advances. If companies conclude that API access makes their models vulnerable to systematic extraction, they may adopt far more restrictive approaches to model access and research disclosure, slowing collaborative innovation across the industry.
The implications extend to geopolitics and investment. Because AI development depends on multi-billion-dollar investments in specialised infrastructure, companies and investors must be confident that resulting intellectual property can be protected. At the same time, the borderless nature of AI services makes unilateral enforcement difficult, strengthening the case for internationally accepted norms governing model security and intellectual property.
The Alibaba case illustrates that protecting AI increasingly involves more than securing data centres or semiconductor supply chains. It also requires safeguarding the knowledge embedded within frontier models. How governments and industry respond will influence not only the pace of AI innovation but also the future balance between open research, commercial competition, and national security.
Takeaways
• Industrial-Scale Extraction: Anthropic alleges Alibaba orchestrated a massive campaign, generating 28.8 million exchanges with Claude to illicitly extract its capabilities.
• Bypassing Development Costs: Distillation attacks allow competitors to train their own models on the outputs of superior systems, bypassing the immense costs and time required for independent development.
• National Security Risks: The attacks undermine US export controls on advanced semiconductors and raise concerns about the proliferation of advanced AI capabilities without necessary safety guardrails.
• Detection Challenges: Attackers utilise sophisticated proxy networks and thousands of fraudulent accounts, making it incredibly difficult for companies to detect and block extraction efforts.
• Policy Implications: The US government is increasingly viewing distillation attacks as a national security threat, prompting calls for coordinated action between the tech industry and policymakers.
The geopolitical battle for AI supremacy is being fought not just with silicon, but through the illicit extraction of intellectual property. To understand how these global conflicts impact the availability and security of enterprise AI tools, subscribe to the Project Flux newsletter.