AI
Anthropic Tells Senators Alibaba Ran the Largest Claude Distillation Attack
Anthropic told US senators that Alibaba-linked operators ran 28.8 million exchanges with Claude via 25,000 fake accounts, two days after the US pulled Fable 5 and Mythos 5.
Anthropic has told US senators that operators linked to Alibaba and its Qwen AI lab ran what it calls the largest known distillation attack on its Claude models, generating more than 28.8 million exchanges with the chatbot through nearly 25,000 fraudulent accounts between April 22 and June 5, 2026. The accusation, in a letter dated June 10 to the Senate Banking Committee, came two days after the US government ordered Anthropic to disable its most advanced models, Fable 5 and Mythos 5, for any user outside the United States and for Anthropic’s own foreign national staff.
The pair of moves, the letter and the export directive, sit at the centre of a US push to treat AI model weights and the prompts used to train them as strategic assets. Anthropic’s case against Alibaba leans on the same evidence base that the White House used in an April memo on “industrial-scale distillation.” The Department of Commerce is, in turn, using a related set of national-security arguments to justify pulling Fable 5 and Mythos 5.
The Allegation in Anthropic’s Letter
Anthropic addressed its letter on June 10 to Senator Tim Scott, a Republican from South Carolina who chairs the Senate Banking Committee, and to Senator Elizabeth Warren, a Massachusetts Democrat who is the panel’s ranking member. the letter’s contents and Anthropic’s spokesperson quote were viewed by CNBC and first reported by Bloomberg. The letter described the campaign as “brazenly” and “illicitly” carried out, and said operators affiliated with Alibaba and its Qwen AI research division had run 28.8 million exchanges with Claude across about 25,000 fraudulent accounts during the six-week window ending June 5.
The campaign, Anthropic wrote, targeted Claude’s “most prized capabilities,” with a focus on software engineering and agentic reasoning. According to CNBC’s reading of the letter, Anthropic accused Alibaba of ignoring “the Trump Administration’s warnings.” A representative for Alibaba did not respond to CNBC’s request for comment.
We believe combating the threat of illicit distillation requires coordinated action between government and industry, and we will continue working with Congress and the Administration to maintain American AI leadership.
An Anthropic spokesperson gave that statement to CNBC after the letter became public. Anthropic’s framing positions its allegation as part of a broader policy argument rather than a private dispute, an appeal for a coordinated response rather than compensation.
Inside the Distillation Playbook
Distillation is a standard technique in modern AI development. A smaller, cheaper model is trained on the outputs of a larger, more capable one, picking up patterns from the stronger model’s responses without having to reproduce the original training run. Frontier labs distill their own models all the time to produce lighter versions. The illicit version, in Anthropic’s framing, is using that technique against a competitor’s model to copy its capabilities without paying for the research.
Anthropic does not currently sell Claude inside China, and labs that want to use it anyway route through commercial proxy services that resell access. In a February blog post, the company called these networks “hydra clusters,” sprawling pools of fraudulent accounts designed so that when one is banned, others take its place. Hydra cluster architectures, Anthropic wrote, can blend distillation traffic with ordinary customer traffic to make detection harder; in one case, a single proxy network managed more than 20,000 fraudulent accounts simultaneously.
Anthropic laid out the risks of models trained this way in stark terms. Because the safety filters on Claude are not transferred along with its outputs, a model distilled from Claude “lacks necessary safeguards, creating significant national security risks.” Anthropic’s post warned that distilled capabilities could feed into “military, intelligence, and surveillance systems,” enabling “offensive cyber operations, disinformation campaigns, and mass surveillance.”
| Lab | Approx. exchanges | Primary targets | Attribution method |
|---|---|---|---|
| DeepSeek | 150,000+ | Reasoning; rubric-based grading; censorship-safe rewrites of politically sensitive queries | IP correlation plus request metadata matching specific researchers at the lab |
| Moonshot AI (Kimi) | 3,400,000+ | Agentic reasoning; tool use; computer-use agent development; computer vision | Request metadata matched to public profiles of senior Moonshot staff |
| MiniMax | 13,000,000+ | Agentic coding; tool orchestration | Metadata and infrastructure indicators, corroborated against MiniMax’s public product roadmap |
The table above draws on Anthropic’s full breakdown of the three Chinese distillation campaigns, published in February. In two of the three campaigns Anthropic also says it had help from industry partners who spotted the same actors on their own platforms.
DeepSeek, Moonshot, and MiniMax: The Earlier Round
The Alibaba allegation is not Anthropic’s first. On February 24, 2026, Anthropic published a blog post and a post on X accusing DeepSeek, Moonshot AI, and MiniMax of running industrial-scale distillation attacks against Claude. Across those three labs, the post said, more than 24,000 fraudulent accounts generated more than 16 million exchanges with Claude.
- 16,000,000+ exchanges with Claude attributed to the three labs in total.
- 24,000+ fraudulent accounts set up across the three campaigns.
- 3 named labs in the February post, with attribution Anthropic says was carried out with high confidence.
- Pivoted within 24 hours: MiniMax redirected nearly half of its traffic to a new Anthropic model the day it was released.
Anthropic’s read of each lab’s behaviour was specific. DeepSeek’s operation, the company said, generated “synchronized traffic across accounts” with “identical patterns, shared payment methods, and coordinated timing,” a setup Anthropic described as “load balancing” to increase throughput and avoid detection. Moonshot used “varied account types” to make its campaign harder to spot as a single coordinated effort, and in a later phase tried to “extract and reconstruct Claude’s reasoning traces.”
The most detailed picture came from MiniMax. Anthropic said it “detected this campaign while it was still active, before MiniMax released the model it was training, giving us unprecedented visibility into the life cycle of distillation attacks, from data generation through to model launch.” When Anthropic released a new model during MiniMax’s active campaign, MiniMax, Anthropic wrote, “redirected nearly half their traffic” to capture capabilities from the latest system “within 24 hours.”
Anthropic’s framing in that post was direct: “the apparently rapid advancements made by these labs are incorrectly taken as evidence that export controls are ineffective.” In reality, the company wrote, those gains depend “in significant part on capabilities extracted from American models, and executing this extraction at scale requires access to advanced chips.”
Why the US Pulled Fable 5 and Mythos 5
On June 12, 2026, the US Commerce Department issued an export-control directive to suspend all access to Fable 5 and Mythos 5. Anthropic said it received the order at 5:21pm ET. The directive, the company wrote, applied to “any foreign national, whether inside or outside the United States, including foreign national Anthropic employees,” and “the net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers.”
The government did not specify its concern in the letter itself. Anthropic’s statement on the Fable 5 and Mythos 5 suspension said its “understanding is that the government believes it has become aware of a method of bypassing, or ‘jailbreaking’ Fable 5.” Anthropic reviewed the demonstration and concluded that the vulnerabilities it identified were “minor” and that “other publicly-available models are able to discover them as well without requiring a bypass,” naming OpenAI’s GPT-5.5 specifically.
Fable 5 had been public for three days at that point. Anthropic launched Fable 5 on June 9, 2026, describing it as “a Mythos-class model that we’ve made safe for general use.” The same underlying model powers Mythos 5, which Anthropic is deploying through Project Glasswing with US government partners. Pricing for both models is $10 per million input tokens and $50 per million output tokens. Fable 5’s safety classifiers, Anthropic wrote, “trigger, on average, in less than 5% of sessions.” For related coverage of the launch and the immediate pushback from developers, see Fable 5 launching June 9 with Mythos-class guardrails.
Anthropic called the suspension “a misunderstanding” and said it is “working to restore access as soon as possible.” The company flew senior staff to Washington to meet with the Trump administration in the days after the order, and the two sides remain in talks. For the latest on those meetings, see Anthropic’s White House meeting on the Fable 5 block. The directive lands as Anthropic is already suing the Pentagon over a separate “supply chain risk” designation from US Defence Secretary Pete Hegseth, a label the BBC notes has historically been reserved for companies based in adversarial countries. A US judge has ruled the Pentagon’s directive cannot be enforced while the suit proceeds.
Washington’s Industrial-Scale Policy Track
The White House had been building toward this moment for weeks. On April 23, 2026, the Office of Science and Technology Policy released memorandum NSTM-4, signed by Director Michael Kratsios. According to the OSTP memo and DAAMTA bill text and timing as analysed by Just Security, the memo states that the US government has information indicating “foreign entities principally based in China are engaged in ‘deliberate, industrial-scale campaigns to distill U.S. frontier AI systems.'”
Foreign entities principally based in China are engaged in deliberate, industrial-scale campaigns to distill U.S. frontier AI systems.
One day earlier, on April 22, the House Foreign Affairs Committee advanced the Deterring American AI Model Theft Act of 2026, or DAAMTA. The bill would require an executive-branch determination, within 180 days, of which entities have conducted extraction attacks and which act as “fraudulent account network providers,” create a public “AI Model Extraction Attackers List,” and authorise sanctions under the International Emergency Economic Powers Act. On April 24, the State Department reportedly instructed US diplomats to warn foreign counterparts about alleged model extraction by DeepSeek, Moonshot AI, and MiniMax, and sent a formal message to Beijing.
The timing of the OSTP memo is itself a policy signal. The memo arrived “three weeks before a scheduled Trump-Xi summit on May 14, 2026,” placing AI distillation alongside other trade and security issues already on the table. When Anthropic wrote to the Banking Committee on June 10 and accused Alibaba of ignoring “the Trump Administration’s warnings,” it was tying the company’s alleged behaviour directly to that policy timeline.
Alibaba Lands on the Pentagon List, DeepSeek Stays Off the Blacklist
On June 8, 2026, four days before the Fable 5 directive and two days before Anthropic’s letter, the US Defense Department added Alibaba to the 1260H list of Chinese military companies. The same update added Baidu, BYD, TP-Link, CXMT, YMTC, Unitree Robotics, and WuXi AppTec. Alibaba is challenging the designation.
The trade-blacklist picture is less even. As of mid-June, DeepSeek has not been added to a US trade blacklist, despite being viewed as a national security risk by an interagency committee. Reuters reported on June 17 that the United States has held off blacklisting DeepSeek and “more than 100 firms deemed security risks” to manage diplomatic friction with Beijing. The asymmetry matters because DeepSeek was one of the three labs Anthropic publicly accused in February.
For the Alibaba case, the Pentagon listing arrives alongside the distillation allegation rather than ahead of it. For DeepSeek, no parallel export-control or blacklist action has followed the February accusation, despite the larger exchange totals Anthropic recorded. For background on Alibaba’s recent product moves, see Alibaba’s Qwen3.7-Plus topping GUI vision and going closed-source.
What Changes From Here
DAAMTA, if it becomes law, would force an executive-branch determination of which entities conducted extraction attacks and authorise IEEPA sanctions against them. Anthropic’s blog post in February set out the company’s own next steps: sharing technical indicators with other AI labs, cloud providers, and authorities, and developing product, API, and model-level safeguards to make distillation less effective. The company’s posture in the June letter to senators is that this work needs government backing to scale.
On the Fable 5 front, Anthropic and the Trump administration remain in talks; the Pentagon “supply chain risk” suit continues with a court order preventing the designation from being enforced. The next Anthropic accusation and the next export-control directive will be judged against the same playbook, and the gap between Alibaba’s Pentagon listing and DeepSeek’s non-listing is the first place to watch for what that playbook does next.
Frequently Asked Questions
What exactly did Anthropic accuse Alibaba of doing?
In a June 10 letter to Senators Tim Scott and Elizabeth Warren, Anthropic accused operators affiliated with Alibaba and its Qwen AI lab of carrying out an industrial-scale distillation campaign against Claude, using nearly 25,000 fraudulent accounts to extract capabilities rather than build them independently. Anthropic called it the largest such attack on its models to date.
How large was the alleged distillation campaign in numbers?
Anthropic’s letter said the campaign ran from April 22 to June 5, 2026, and generated more than 28.8 million exchanges with Claude across about 25,000 fraudulent accounts. The exchanges focused on software engineering and agentic reasoning, two of the areas Anthropic highlights as Claude’s strongest capabilities.
What is AI distillation, and when is it illicit?
Distillation trains a smaller, less capable model on the outputs of a stronger one. Labs distill their own models routinely to produce cheaper versions. Anthropic’s position is that distillation becomes illicit when a competitor uses it to copy a rival’s capabilities without permission, which Anthropic says violates its terms of service and bypasses the safety filters built into the original model.
Why did the US government suspend Fable 5 and Mythos 5?
On June 12, 2026, the Commerce Department issued an export-control directive requiring Anthropic to suspend all access to Fable 5 and Mythos 5 by any foreign national, anywhere in the world. The government cited national-security authorities and pointed to a method of bypassing Fable 5’s safeguards. Anthropic reviewed the demonstration and called the underlying vulnerabilities minor, saying other publicly available models can find them without a bypass.
Has Alibaba responded to the allegations?
As of the reporting by CNBC and Bloomberg on June 24, a representative for Alibaba had not responded to requests for comment. Alibaba is separately challenging its June 8 addition to the Pentagon’s 1260H list of Chinese military companies, a designation it disputes.
Smartphones Are Quietly Building Invisible Walls in Vietnamese Homes
iQOO 15R After the Price Hikes: Worth Rs 49,999 in 2026?
Samsung’s Galaxy A27 5G Lands at $349.99 With Six Years of Updates
The Phone Settings That Actually Reduce Screen Time
Spark Deploys US$150 Million to Uniswap v4 Stablecoin Pools
Nothing Cancels CMF Phone 3 Pro as RAM Costs Squeeze Budget Models
Rakuten Wallet Mints a SHIB Souvenir While the Token Slides
Quake’s 30th Anniversary Turned Into John Carmack’s Apology
GTA 6 Amazon Listing Leaks NPC Routines and In-Game Social Networks
Samsung and SK Hynix Prep $646 Billion Decade Investment Plan
Google Search Profiles Build a Follow Graph Inside Discover
Apple Strikes Preliminary Deal For Intel To Make iPhone And Mac Chips
VinRobotics’ VR-H3 Debuts at Vienna, VinFast Is Next
Andreessen Horowitz Bets $2.2B on Crypto’s Quiet Cycle
DGO App Brings Rs 549 Mobile Pass for FIFA World Cup 2026 in Nepal
Cathie Wood Calls SpaceX IPO Demand ‘Voracious’ Ahead Of $1.75T Debut
Google DeepMind and A24 Sign $75 Million AI Partnership Deal
OpenAI’s Codex Gets Six Business Plugins, Targets Knowledge Workers
Microsoft Xbox Layoffs Start in July as Sharma Slams 3% Margin
Trump’s AI Memo Strips Vendors of Veto Power Over Military
-
NEWS3 weeks agoGoogle Search Profiles Build a Follow Graph Inside Discover
-
NEWS2 months agoApple Strikes Preliminary Deal For Intel To Make iPhone And Mac Chips
-
AI3 weeks agoVinRobotics’ VR-H3 Debuts at Vienna, VinFast Is Next
-
CRYPTO2 months agoAndreessen Horowitz Bets $2.2B on Crypto’s Quiet Cycle
-
APPS2 weeks agoDGO App Brings Rs 549 Mobile Pass for FIFA World Cup 2026 in Nepal
-
CRYPTO2 months agoCathie Wood Calls SpaceX IPO Demand ‘Voracious’ Ahead Of $1.75T Debut
-
AI3 days agoGoogle DeepMind and A24 Sign $75 Million AI Partnership Deal
-
AI3 weeks agoOpenAI’s Codex Gets Six Business Plugins, Targets Knowledge Workers