Anthropic accuses Alibaba of stealing Claude data with 25,000 fake accounts
The largest known AI distillation campaign reveals the risks of model extraction and US-China tech tensions
June 25, 2026 · 4 min read

TL;DR: Anthropic has accused Alibaba of using 25,000 fake accounts to extract capabilities from its Claude model through distillation, generating 28.8 million interactions. It is the largest known attack of its kind and underscores the geopolitical and intellectual property risks in AI.
What happened?
Anthropic, the US company behind the Claude AI model, has accused Alibaba of carrying out a massive data extraction attack using approximately 25,000 fake accounts. According to a letter sent to the US Senate Banking Committee on June 10, the campaign ran from April 22 to June 5, 2026, generating over 28.8 million interactions with Claude. The technique used, known as "distillation," allows a less powerful model to be trained on the responses of a more advanced one, potentially enabling Alibaba to replicate Claude's capabilities at a reduced cost. Anthropic attributes the operation to operators affiliated with Alibaba and its AI lab, Alibaba Qwen.
Why is this important?
This incident represents the largest known distillation attack against Anthropic to date. It is not an isolated case: in February 2026, the company had already identified similar campaigns by DeepSeek, Moonshot AI, and MiniMax, with interaction volumes ranging from 150,000 to over 13 million. The recurrence of these events suggests that model extraction is becoming a systematic practice, posing serious risks to intellectual property and the competitive advantage of AI companies. Moreover, the geopolitical context is key: Anthropic notes that the campaign could accelerate China's ability to reach the level of advanced models like Claude, while US authorities have increased scrutiny of advanced AI due to national security concerns.
Consequences for the industry
Model distillation represents a new risk in the enterprise supply chain. As Sanchit Vir Gogia, chief analyst at Greyhound Research, points out, "The enterprise supply chain no longer ends with software, APIs, and cloud regions; it now includes rented intelligence, and rented intelligence can be copied and redeployed well outside the security controls it was born with." This means that companies using AI models via APIs could be exposed to having their data used to train competing models without their consent. Additionally, distillation allows a weaker model to inherit the capabilities of a stronger one without the same safeguards, potentially leading to unintended uses or the proliferation of less controlled AI systems.
What should readers know?
For companies integrating AI into their operations, this case underscores the importance of reviewing model providers' usage policies and implementing anomaly detection measures. Security teams should be alert to unusual traffic spikes from certain IP addresses or query patterns that may indicate distillation attempts. Likewise, it is crucial for AI companies to strengthen their monitoring systems and collaborate with authorities to identify and block such activities. On a regulatory level, the incident could drive greater international cooperation and the development of specific legal frameworks for protecting AI models.
Historical context and comparisons
Model distillation is not a new phenomenon, but its scale has grown exponentially. In 2023, cases of data extraction from GPT-3.5 were reported, but with much smaller volumes. The difference now lies in the sophistication of attacks and the ability to generate millions of queries automatically. This case also resembles previous conflicts over data scraping, such as Meta vs. Bright Data, but AI distillation adds an extra layer of complexity by enabling the transfer of capabilities, not just data.
Geopolitical implications
Anthropic's accusation comes at a time of rising technological tension between the United States and China. The US government has imposed restrictions on the export of advanced chips and increased scrutiny of AI models that could be used by militaries or intelligence agencies of countries considered adversaries. If it is confirmed that Alibaba has been extracting capabilities from Claude, this could further tighten policies on access control to AI models and foster fragmentation of the global AI ecosystem.
Recommendations for companies
- Review AI providers' terms of service and ensure they explicitly prohibit distillation.
- Implement detection systems for anomalous patterns in AI API usage.
- Set up alerts for unusually high query volumes from specific origins.
- Participate in industry initiatives to share information on model extraction threats.
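As an added illustration of the second and third recommendations (this example is not from the article or from any vendor), the sketch below groups API usage rows by source network and flags origins where many distinct accounts together produce a volume far above the typical origin and mostly reuse one prompt template. The row format, the /24 IPv4 grouping, the template labels and all thresholds are assumptions; the sample rows are constructed.

```python
import ipaddress
from collections import Counter, defaultdict
from statistics import median

# Constructed sample usage rows (not real data):
# (account_id, source_ip, request_count, prompt_template)
SAMPLE = [
    ("acct-001", "198.51.100.10", 40, "summarize"),
    ("acct-002", "198.51.100.77", 55, "translate"),
    ("acct-003", "192.0.2.15", 30, "code-review"),
    ("acct-004", "192.0.2.200", 45, "summarize"),
    ("acct-101", "203.0.113.5", 900, "reasoning-trace"),
    ("acct-102", "203.0.113.6", 950, "reasoning-trace"),
    ("acct-103", "203.0.113.7", 870, "reasoning-trace"),
    ("acct-104", "203.0.113.8", 910, "reasoning-trace"),
    ("acct-105", "203.0.113.9", 880, "tool-use"),
]

def flag_origins(rows, min_accounts=3, volume_factor=10, min_template_share=0.5):
    """Return origins (IPv4 /24 networks) that look like coordinated bulk querying.

    Thresholds are illustrative assumptions and need tuning on real traffic.
    """
    by_net = defaultdict(lambda: {"accounts": set(), "requests": 0, "templates": Counter()})
    for account, ip, count, template in rows:
        # Group by network: fake accounts often spread across adjacent addresses.
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        entry = by_net[net]
        entry["accounts"].add(account)
        entry["requests"] += count
        entry["templates"][template] += count
    if not by_net:
        return []
    # Baseline is the median per-origin volume, which resists a single large outlier.
    baseline = median(e["requests"] for e in by_net.values())
    flagged = []
    for net, e in sorted(by_net.items()):
        if e["requests"] == 0:
            continue
        template, hits = e["templates"].most_common(1)[0]
        share = hits / e["requests"]
        if (len(e["accounts"]) >= min_accounts
                and e["requests"] >= volume_factor * baseline
                and share >= min_template_share):
            flagged.append({"network": net, "accounts": len(e["accounts"]),
                            "requests": e["requests"], "top_template": template,
                            "template_share": round(share, 2)})
    return flagged

if __name__ == "__main__":
    for hit in flag_origins(SAMPLE):
        print(hit)
```

Requiring account count, aggregate volume and template concentration together keeps a single busy but legitimate customer from being flagged on volume alone.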
The future of distillation
We are likely to see an increase in distillation efforts as more actors seek access to cutting-edge models without investing in their development. AI companies will need to innovate in protection techniques, such as injecting noise into responses, limiting queries per account, or using watermarks in generated data. Collaboration between companies and regulators will be essential to establish standards that deter these practices without hindering innovation.