Anthropic accused Alibaba of running 28.8 million queries to steal Claude's capabilities. The campaign dwarfed prior efforts. Policymakers are seeking sanctions.
Anthropic accused operators affiliated with Alibaba Group Holding (BABA) of running the largest known model-distillation campaign against its Claude AI models, a six-week operation that generated more than 28.8 million interactions through roughly 25,000 fraudulent accounts.
The allegation, reported by CNBC, covers the period from April 22 to June 5. Distillation works by sending large volumes of designed prompts to a target model and capturing its responses, which become training data for a competing model. It does not require hacking the target; it simply exploits the fact that an API response sold as a service can be repurposed as training material.
Previous campaigns were smaller. In February, Anthropic named three Chinese labs – DeepSeek, Moonshot AI and MiniMax – as having collectively generated more than 16 million Claude interactions through about 24,000 fraudulent accounts. The alleged Alibaba campaign topped that combined total in under seven weeks.
Detection is the hard part. A distillation query looks identical to a legitimate one. A developer asking Claude to debug a function sends the same kind of request as a campaign systematically extracting Claude's coding behavior. The only signal is pattern: massive volume, repetitive structures and prompts targeting the same narrow capabilities, arriving from hundreds of coordinated accounts in sequence. Google's Threat Intelligence Group warned in a February blog post that as organizations integrate large language models into core operations, the proprietary logic of those models has become a high-value target.
There is a safety angle beyond the commercial one. When a lab distills a frontier model without permission, the copy inherits the dangerous capabilities through the outputs. The safety guardrails built into the original do not transfer. Months spent making the model refuse harmful requests are lost. Distillation itself is a legitimate technique used by many companies to compress their own models. The line Anthropic is drawing is between using it on your own models and using it on a competitor's without permission.
In a letter to senators, Anthropic's Head of Policy Sarah Heck said the attacks were carried out "illicitly, systematically, and at industrial scale to harvest U.S. AI capabilities across frontier labs and repackage them as their own without incurring the training and R&D costs," according to Business Insider.
Policy response is accelerating. House Republicans are seeking sanctions on Chinese companies that copy American-made AI models, PYMNTS reported. Sen. Bill Hagerty and Sen. Andy Kim are moving to add an amendment to defense legislation that would blacklist or sanction entities found conducting such campaigns. The White House Office of Science and Technology Policy issued a memorandum in April warning of industrial-scale foreign distillation of U.S. models.
The structural problem outlasts any single campaign. A distillation query is indistinguishable from a legitimate one. The only way to fully close the gap is to restrict who can access the model, which conflicts directly with selling AI as a service. If adversarial distillation becomes routine, AI labs may find themselves spending as much on access controls and identity verification as on training, treating every API call as a potential intelligence transfer rather than a revenue event.
The Hagerty-Kim amendment has not yet been scheduled for a vote.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.