Anthropic accuses Alibaba of stealing Claude AI via 28.8M API calls

Key Takeaways

• Anthropic alleges Alibaba extracted Claude's capabilities through 28.8 million API exchanges using ~25,000 fraudulent accounts
• The alleged campaign ran 44 days and targeted Anthropic's advanced Mythos Preview model capabilities
• This follows earlier accusations against DeepSeek, Moonshot AI, and MiniMax for similar distillation attacks

Anthropic has accused Alibaba of running the largest known distillation attack against its Claude AI model, alleging that the Chinese tech giant used nearly 25,000 fraudulent accounts to extract model capabilities through 28.8 million API exchanges. The accusation, contained in a letter to US senators dated June 10, marks a significant escalation in tensions over AI intellectual property between American labs and Chinese competitors.

The letter, obtained by Reuters, was sent to Senators Tim Scott and Elizabeth Warren ahead of a Senate Banking Committee hearing on AI. Anthropic claims the campaign ran from April 22 to June 5, 2026, and was conducted by operators affiliated with Alibaba and Alibaba Qwen, the company's AI research lab. Alibaba has not responded to requests for comment.

What is model distillation and why does it matter?

Distillation is a technique where a smaller AI model learns to replicate the behavior of a larger, more capable one by studying its outputs. Instead of investing billions in compute, data, and research to build a frontier model from scratch, a company can train a cheaper model to mimic an existing leader. The student model never sees the teacher's weights or architecture. It just learns to produce similar answers.

Anthropic argues this method allows adversaries to bypass years of research investment. In its letter, the company stated that distillation "is a way to help accelerate China's ability to reach Anthropic's advanced Mythos Preview capabilities." The Mythos Preview model is among Anthropic's most advanced offerings, and its capabilities represent significant R&D expenditure.

This is not the first accusation against Chinese AI labs

Anthropic made similar allegations in February against three other Chinese companies. DeepSeek, the startup whose low-cost model rattled Silicon Valley in January 2025, was accused of conducting over 150,000 exchanges. Moonshot AI allegedly ran 3.4 million exchanges, while MiniMax reached over 13 million. At the time, Anthropic warned that these campaigns were "growing in intensity and sophistication."

The Alibaba accusation dwarfs all previous claims combined. If accurate, 28.8 million exchanges through 25,000 accounts represents industrial-scale extraction, far beyond what could be dismissed as research experimentation or coincidence.

The White House accused China in April of stealing US AI labs' intellectual property "on an industrial scale." Anthropic's letter explicitly supports US government efforts to combat such attacks, including threat-intelligence sharing with private AI companies.

The regulatory backdrop is complicated

Alibaba was added to the Pentagon's Chinese military companies list earlier this month, a designation it is contesting. But the Commerce Department has taken a more cautious approach with other Chinese AI firms. Despite DeepSeek being deemed a national security risk by an interagency committee, Commerce has held off placing it on a trade blacklist to avoid escalating tensions with Beijing.

Two days after Anthropic sent its letter, on June 12, Commerce imposed restrictions on Anthropic's own Mythos and Fable AI models. Officials feared these models could be deployed by military intelligence users in China and other countries of concern. The restrictions forced Anthropic to disable global access to these models. The irony is hard to miss: the same week Anthropic reported Chinese extraction of its capabilities, the US government restricted those capabilities from everyone.

How do you defend against distillation attacks?

Distillation attacks exploit API access. Every time a model responds to a query, it reveals information about its capabilities. Run enough queries, and you can build a training dataset for a student model. The challenge for API providers is distinguishing legitimate high-volume users from adversarial ones.

Anthropic detected the alleged Alibaba campaign, which suggests monitoring systems caught patterns across the 25,000 accounts. But detection after 28.8 million exchanges means substantial data was already extracted. Rate limiting, query pattern analysis, and account verification help, but determined attackers can distribute queries across thousands of accounts and IP addresses.

Anthropic called for "rapid, coordinated action among industry players, policymakers and the global AI community" to address the threat. Whether that coordination materializes remains to be seen.

What happens next?

The Senate hearing will likely address Anthropic's allegations, alongside broader concerns about AI security and Chinese competition. Whether this leads to new export controls, expanded blacklists, or other policy responses depends on how seriously Congress takes the threat.

For Anthropic and other frontier AI labs, the calculus is uncomfortable. API access is a core business model. Enterprise customers pay for programmatic access to models. Restricting that access to prevent distillation attacks means restricting legitimate customers too. The alternative is accepting that adversaries will extract capabilities faster than you can build them.

Frequently Asked Questions

What is AI model distillation?

Distillation is training a smaller AI model to replicate a larger model's outputs. By querying the target model millions of times and using those responses as training data, attackers can create cheaper models with similar capabilities without the original R&D investment.

How did Anthropic detect the alleged Alibaba attack?

Anthropic identified patterns across approximately 25,000 accounts that generated 28.8 million API exchanges over 44 days. The specific detection methods were not disclosed, but unusual query volumes and account clustering likely triggered alerts.

Has Alibaba responded to the accusations?

As of the Reuters report, Alibaba has not responded to requests for comment on Anthropic's allegations.

What is Anthropic's Mythos Preview model?

Mythos Preview is one of Anthropic's advanced AI models. The US Commerce Department recently imposed restrictions on both Mythos and Fable models due to concerns about military intelligence use in China and other countries.

Is model distillation illegal?

The legality depends on how capabilities are extracted. Using fraudulent accounts to circumvent terms of service and extract proprietary model outputs likely violates computer fraud laws and intellectual property protections, though specific liability would depend on jurisdiction and evidence.

Source: Tech-Economic Times / ET