Anthropic Says Alibaba Cloned Claude 29 Million Times. Alibaba Denies It. Here’s What’s Real.
In a nutshell
Yesterday we wrote about Meta building internal walls against distillation — the fear that a rival's model outputs could seep into its own. Today, that same technique appears one level up: as an accusation between an American AI lab and a Chinese technology giant, escalated to the US Senate, and framed as a matter of national security. It is the same word — distillation — at a completely different scale. And because it is a serious, contested accusation, we are going to be careful about what is claimed versus what is established.
The Claim — Attributed Precisely
Everything that follows about the campaign's scale is Anthropic's account, drawn from a letter, not an independently verified finding.
In a letter dated June 10, 2026 to the US Senate Committee on Banking, Housing and Urban Affairs — addressed to Chairman Tim Scott and Ranking Member Elizabeth Warren — Anthropic alleged that operators affiliated with Alibaba and its Qwen AI lab conducted what it called the largest known distillation attack on its models to date. According to Anthropic's letter, the operation ran from April 22 to June 5, 2026 and generated more than 28.8 million interactions with Claude through roughly 25,000 fraudulent accounts.
Anthropic says the campaign targeted Claude's most valuable capabilities — specifically its agentic reasoning, software engineering proficiency and long-horizon task completion. The letter, first reported by Bloomberg and confirmed by CNBC, urged Congress to penalise companies behind such attacks and to tighten controls designed to stop American AI capabilities being siphoned off.
The Denial — Given Equal Weight
Alibaba denies the allegations. The company did not respond to several outlets' requests for comment, and the 28.8 million exchanges and roughly 25,000 fraudulent accounts have not been independently verified. These are Anthropic's figures, presented in a letter that advances Anthropic's policy position — stricter export controls and anti-distillation legislation — from which Anthropic directly benefits. That context does not make the allegation false. But it means the claim should be read as a serious accusation under active dispute, not as an established fact.
It is also worth noting the separate, related conflict: Alibaba has filed a lawsuit against the US Department of Defense seeking removal from the Pentagon's "1260H" list of companies designated as having ties to the Chinese military, arguing the designation has "no basis in fact or law." Alibaba is contesting the American government on multiple fronts simultaneously.
What Distillation Actually Is — And Why It Is Hard to Police
The technique at the centre of the accusation is worth understanding precisely, because it is what makes the dispute so intractable. Distillation involves sending large volumes of carefully designed prompts to a powerful "teacher" model, capturing its responses, and using those question-answer pairs to train a separate, cheaper "student" model. The clone inherits behaviour, not blueprints — the attacker never sees the target's weights, source code or training data.
That is the crux. No firewall is breached. No database is stolen. Everything happens through normal API access — the same front door every paying developer uses. As one analysis put it, the alleged offence is not breaking in; it is the scale and intent of the asking. A distillation query is essentially indistinguishable from a legitimate one, which is exactly why it is so difficult to detect or prevent.
Distillation itself is entirely legitimate when done on your own models — companies routinely compress their large models into smaller, faster versions. The line Anthropic is drawing is between distilling your own model and distilling a competitor's without permission.
Why Anthropic Says It Matters Beyond Competition
Anthropic's argument has two prongs. The commercial one: distillation attacks turn hundreds of billions of dollars in American investment and R&D into what the letter called "a massive subsidy for our geopolitical competitors." The safety one, which is more interesting: a model distilled from Claude can approximate Claude's capabilities without inheriting any of the safety training, usage policies or guardrails built into the original. The dangerous capabilities transfer through the outputs; the months spent teaching the model to refuse harmful requests do not.
This is a genuinely important point that survives the commercial self-interest around it. If a frontier model's capabilities can be cloned but its safety cannot, then adversarial distillation produces capable models stripped of their safeguards — regardless of who is doing the distilling.
The Pattern — This Is Not the First
The Alibaba accusation sits within an established pattern of American labs accusing Chinese ones. In February 2026, Anthropic named three Chinese labs — DeepSeek, Moonshot AI and MiniMax — as having collectively generated more than 16 million Claude interactions through roughly 24,000 fraudulent accounts. OpenAI made similar claims about DeepSeek. Google warned of Chinese-linked attacks without naming companies. Anthropic says the alleged Alibaba campaign, at 28.8 million exchanges, exceeds those three earlier campaigns combined — and describes the pattern as escalating, each campaign better at evading detection than the last.
The timing is also pointed. Anthropic's letter was sent June 10 — two days before the US Commerce Department restricted Anthropic's own Fable 5 and Mythos 5 models. The company was simultaneously accusing China of stealing its capabilities and being locked down by its own government over those same capabilities. Whether those two events are connected is not established, but they unfolded in the same 48 hours.
The European Perspective
The Anthropic-Alibaba dispute is, on its face, a US-China story — but it defines the environment every European AI user now operates in, and it should be read alongside the export-control saga we have tracked all month. The through-line is this: the frontier AI labs are concluding that the only reliable defence against distillation is to restrict who can access their models at all. That conclusion is corrosive for Europe. The commercial logic of AI-as-a-service — open API access, pay per token, use from anywhere — is in direct tension with the security logic of preventing capability extraction. If adversarial distillation becomes the defining threat, labs will gate access more tightly, verify identity more aggressively, and treat every API call as a potential intelligence transfer rather than a revenue event.
European businesses, which are neither the American entities on approved lists nor the Chinese entities being blocked, risk being caught in the tightening middle — subject to access controls designed for a conflict they are not party to. And there is a deeper irony for Europe specifically: the same distillation technique that Anthropic decries as theft is also, in principle, one of the few routes by which a capability-poor region could catch up to frontier models without hundreds of billions in training costs.
Europe will not pursue that route — it is legally and diplomatically committed to the American-aligned side of this divide. But that alignment means European AI access will increasingly be governed by American security concerns about China, decided in Washington, with Europe as neither threat nor beneficiary but bystander. The only exit from bystander status remains the one we return to every week: European frontier capability that does not depend on access to someone else's model. gafam.ai will be watching.
We are not first. We are right.
SOURCES
— CNBC / Yahoo: Anthropic accuses Alibaba of mass distillation attack on Claude AI
— BBC / Dawn: Anthropic accuses Alibaba of mass AI capability 'theft'
— PYMNTS: Anthropic Accuses Alibaba of Running 29 Million Fake Queries to Clone Claude
— Inc.: Anthropic Accused Alibaba of a Distillation Attack. Here's What That Means
— Let's Data Science: Anthropic Accuses Alibaba of 28.8M-Exchange Claude Distillation
🔒 This analysis is for GAFAM Intelligence members only.
Already a member? Log in here