Anthropic says Alibaba-linked operators ran 28.8 million exchanges through nearly 25,000 fraudulent accounts to extract Claude's capabilities, and is urging Congress to act.
Anthropic has accused Chinese technology giant Alibaba of orchestrating the largest campaign ever recorded to illicitly copy, or “distill,” the capabilities of its Claude large language model (LLM), according to a letter the AI company sent to two U.S. senators on June 10. [1]
The letter, addressed to Senators Tim Scott (R-SC) and Elizabeth Warren (D-Mass.) and obtained by Ars Technica, was sent one day before a Senate committee hearing on “AI and the American Dream.” [1] In it, Anthropic described “new, confidential evidence of the largest campaign to illicitly extract Claude’s capabilities we have ever measured.” [1]
According to Anthropic, the attacks took place between April 22 and June 5, during which “operators affiliated with Alibaba and Alibaba Qwen, Alibaba’s AI lab” generated “more than 28.8 million exchanges with Claude through almost 25,000 fraudulent accounts.” [1] The campaign specifically targeted capabilities including agentic reasoning, software engineering, and long-horizon tasks, Anthropic said. [1]
Anthropic alleged that Alibaba evaded detection by “using obfuscation techniques and proxy networks,” and warned that a “growing circumvention economy” is emerging to support future distillation attacks. [1] Distillation attacks involve using a target model’s outputs to train a competing model, effectively transferring capabilities without incurring the original research and development costs. [1]
The alleged campaign unfolded after President Donald Trump publicly warned against such activity. In April, Trump accused China of “industrial-scale” AI theft following earlier Anthropic allegations that Chinese firms DeepSeek, Moonshot, and MiniMax had used similar tactics to generate over 16 million exchanges with Claude through approximately 24,000 fraudulent accounts. [1] OpenAI and Google have also published findings on comparable attacks against their own models, Anthropic noted. [1]
Anthropic pointed out that Alibaba is listed on the New York Stock Exchange and maintains U.S. business operations, yet the alleged activity continued after Trump’s memo warned that cloning attempts were “unacceptable.” [1] Anthropic characterized Alibaba as “brazenly” racing to produce a copycat model despite its exposure to U.S. investors and regulators. [1]
Alibaba has not been passive in its own disputes with the U.S. government. In a lawsuit filed this week, Alibaba accused the Trump administration of wrongly blacklisting the company by linking it to the Chinese military, Reuters reported. [1] Alibaba stated that “its products and services are built for retail, logistics, and enterprise information technology—not weapons, defense, or intelligence.” [1] Alibaba’s stock fell 3 percent after Anthropic’s accusations became public, according to Yahoo Finance. [1]
Anthropic’s letter to Congress outlined three legislative recommendations. First, antitrust laws should be updated to allow AI companies to share intelligence about Chinese tactics. [1] Second, expanded export controls on advanced chips could limit China’s ability to train on U.S. model outputs, potentially making distillation attacks less worthwhile. [1] Third, Congress should pass laws penalizing Chinese labs’ conduct, potentially restricting their access to U.S. models, advanced chips, or data centers outside China. [1]
Anthropic declined to say whether the Alibaba campaign was significant enough to meaningfully accelerate China’s AI capabilities, or to detail specific countermeasures taken. [1] In a statement to Ars Technica, the company said: “We believe combating the threat of illicit distillation requires coordinated action between government and industry, and we will continue working with Congress and the Administration to maintain American AI leadership.” [1]
The strategic stakes Anthropic describes extend beyond commercial competition. The company warned that if China closes the capability gap, it could deploy “advanced cyber capabilities” against U.S. government and corporate targets and exploit vulnerabilities faster than previously possible. [1] Anthropic also cautioned that China could release advanced models with weak safety guardrails that are easily manipulated, enabling U.S. adversaries to use them for harmful purposes. [1]
Independent corroboration of China’s urgency came from a cybersecurity conference in Beijing, where 360 Security Technology founder Zhou Hongyi publicly described Anthropic’s Mythos model — which has been restricted from foreign markets — as a “cyber nuclear weapon” and a “terrifying change” in the ability to find security vulnerabilities. [1] Zhou said China’s exclusion from Project Glasswing, a U.S. initiative that gave more than 40 American organizations access to Mythos Preview for cyber defense purposes, left China at a strategic disadvantage. [1] “This means US organizations can use Mythos to scan your vulnerabilities, but you don’t even have the qualification to catch a glimpse of Mythos,” Zhou said. [1] He argued China must develop its own equivalent capability to achieve a form of mutually assured deterrence. [1]
Alibaba’s Qwen family of AI models has been downloaded more than 700 million times, and China’s state-run People’s Daily has described it as “the most popular open-source AI system worldwide.” [1]
Sources
This article was drafted with AI from the cited sources and checked against them before publication. Spot an error? Let us know.
