Anthropic has accused Alibaba’s Qwen AI team of operating the largest model distillation attack in the company’s history, using 25,000 fake accounts and 28.8 million conversations with Claude to train Alibaba’s own models. The accusation, delivered in a letter to U.S. Senators Tim Scott and Elizabeth Warren on June 10, frames the operation as corporate espionage on an industrial scale.
The attack ran from April 22 to June 5, 2026, right through the period when Anthropic was preparing its confidential IPO filing.
How the Attack Worked
Model distillation is a technique where an attacker queries a rival’s AI model through its public API and uses the responses to train a competing system. The output of the target model becomes the training data for the clone. It is a form of intellectual property theft that exploits the fact that AI models reveal their capabilities with every response they generate.
Tom’s Hardware reported that Alibaba’s Qwen team used commercial proxy services to disguise the geographic origin of their traffic, bypassing the rule that blocks Chinese users from accessing Claude directly. The 25,000 accounts were created with fraudulent credentials, and the 28.8 million conversations were structured to systematically extract Claude’s reasoning patterns, knowledge, and behavioral characteristics across a wide range of tasks.
The scale is worth pausing on. Twenty-eight million conversations in 44 days works out to roughly 650,000 queries per day, sustained for six weeks. That volume was large enough to map Claude’s capabilities comprehensively while staying below automated detection thresholds by distributing the traffic across thousands of accounts and proxy endpoints.
This Is Not the First Time
Anthropic has made similar accusations before. Earlier this year, the company claimed that DeepSeek, Moonshot, and MiniMax collectively used 24,000 fraudulent accounts and made 16 million exchanges to distill Claude’s output. The Alibaba operation dwarfs that earlier campaign, both in the number of conversations and in the coordination required to sustain it across a seven-week window.
InfoWorld’s coverage noted that Anthropic directed the letter to lawmakers rather than filing it through regulatory or legal channels, a move that positions the accusation as a policy issue rather than a private dispute. The choice of recipients is deliberate: the Senate Banking Committee and Commerce Committee both have jurisdiction over trade, technology, and national security, and the letter explicitly ties the distillation campaign to broader concerns about Chinese AI companies free-riding on American research.
The Business Model Problem
The distillation threat exposes a structural vulnerability in the API-based business model that Anthropic, OpenAI, and other frontier AI companies depend on. Every API call is a potential training signal for a competitor. The more capable the model, the more valuable its outputs are as distillation targets, and the harder it is to distinguish legitimate commercial use from systematic extraction.
Anthropic can block known bad actors, ban proxy services, and implement behavioral detection systems. But the fundamental tension remains: an AI model that is useful enough to command premium pricing is also useful enough to be worth stealing. The cost of the distillation attack (API credits for 28.8 million conversations) is trivial compared to the cost of training a frontier model from scratch.
For Alibaba’s Qwen team, the calculus is straightforward. If distillation works, they get a model that approaches Claude’s capabilities at a fraction of the research investment. If they get caught, the consequences so far have been limited to public accusations and account bans. No legal action has been filed. No sanctions have been imposed. The risk-reward ratio favors the attacker.
The Policy Dimension
Anthropic’s decision to take this to the Senate rather than to court suggests the company believes the legal framework for protecting AI model outputs is inadequate. Copyright law does not clearly cover model outputs. Trade secret law requires proving that the outputs constitute proprietary information, a difficult argument when the same outputs are available to any paying customer.
The letter is also a pre-IPO move. Anthropic filed its S-1 confidentially in early June. Demonstrating that Chinese competitors are stealing its technology strengthens the national security narrative that justifies both Anthropic’s valuation and its request for favorable regulatory treatment. Whether the accusations lead to concrete policy action or serve primarily as positioning for the IPO roadshow remains to be seen.
What is clear is that model distillation has become the AI industry’s version of corporate espionage, and the defenses against it are still catching up.
The pattern is accelerating. Three Chinese AI labs were accused in early 2026. Now Alibaba, one of the largest technology companies on Earth, is named in a campaign nearly twice the size. If the policy response does not materialize before the next wave of distillation attacks, American AI companies will face an uncomfortable reality: they are building the most valuable technology in the world and handing the training data to their competitors, one API call at a time.