Anthropic Accuses Alibaba of 28.8 Million Fake Queries to Clone Claude

Li Nguyen

Between 22 April and 5 June, operators linked to Alibaba’s Qwen lab sent 28.8 million interactions through 25,000 fraudulent accounts to extract Claude’s capabilities. Anthropic sent a letter about the operation to the Senate Banking Committee on 10 June. The government suspended Fable 5 two days later. Both events are connected.


Anthropic’s Alibaba distillation attack accusation went public — though the letter behind it dates to 10 June. Anthropic sent a letter to the US Senate Committee on Banking, Housing, and Urban Affairs accusing Alibaba of “brazenly” and “illicitly” attempting to extract its artificial intelligence capabilities. The letter was addressed to Senator Tim Scott, R-S.C., and Senator Elizabeth Warren, D-Mass. Anthropic said operators affiliated with Alibaba and its AI lab carried out 28.8 million exchanges with its models using roughly 25,000 fraudulent accounts between April 22 and June 5. The letter alleged that Alibaba sought to illicitly extract Claude’s capabilities in order to train a smaller, less capable AI model — specifically targeting the advanced capabilities of Anthropic’s frontier Mythos Preview model in areas such as coding and digital security. Anthropic described the operation as “the largest known distillation attack on Anthropic to date.” Alibaba did not respond to multiple press requests.

What’s Happening & Why It Matters

What Adversarial Distillation Is

Anthropic’s Alibaba distillation attack accusation hinges on a technique that sits at the intersection of legitimate AI practice and intellectual property theft. Distillation is an AI training method in which a smaller, less capable model is trained on the outputs of an existing, stronger model. Companies routinely use it to compress their own large models into smaller, faster versions that run more cheaply. The line Anthropic is drawing is between using it on your own models — which is standard practice — and using it on a competitor’s model without permission.

The difficulty of prevention is structural. Large language models are designed to answer questions. Every answer teaches the user something about how the model behaves. A model cannot be used without giving up some information about itself. Normally, that wouldn’t matter, but at the scale Anthropic is claiming, conversations become reverse engineering. The safety consequence is specific. When a lab distils a frontier model without permission, the copy does not inherit the safety guardrails built into the original. The dangerous capabilities transfer through the outputs. The months spent making the model refuse harmful requests do not.

The 25,000 Fake Accounts — How the Operation Ran

Anthropic’s Alibaba distillation attack accusation describes a systematic and coordinated operation. The alleged operation ran from 22 April to 5 June and generated more than 28.8 million interactions with Claude through roughly 25,000 fraudulent accounts. By comparison, Anthropic’s February accusation against three Chinese AI labs — DeepSeek, Moonshot AI, and MiniMax — collectively described 16 million Claude interactions through 24,000 fraudulent accounts. The Alibaba operation, attributed to a single lab, exceeded that previous combined figure by nearly 80% in interactions.

The fake accounts were used to bypass safety barriers and Anthropic’s strict geographic distribution rules, which explicitly prohibit its software from being deployed or accessed inside China. Additionally, the accounts asked Claude complex questions that specifically targeted its advanced software engineering and agentic reasoning features — not random general queries. The pattern reveals a purposeful extraction strategy rather than opportunistic over-use.

The Senate Letter: A Connection to the Fable 5 Suspension

Anthropic’s Alibaba distillation attack accusation connects directly to the government action TF covered in its Claude Fable 5 suspension article. Two days after the letter was sent, the Commerce Department imposed strict restrictions on Anthropic’s Mythos and Fable AI models over concerns that China and other blacklisted countries could use their advanced capabilities against US interests. Anthropic has since disabled public access to both models globally, pending clarification from the federal government.

The timeline is precise and revealing. Anthropic sent the Senate letter on 10 June. The government suspended Fable 5 and Mythos 5 on 12 June. The company told CNBC that “both parties are working quickly to get this resolved.” The letter to senators was a lobbying action — requesting Congressional support for tighter enforcement. The government’s response arrived as an executive action two days later. Whether the suspension was a direct response to the letter, or was already planned independently, has not been confirmed publicly.

What Anthropic Wants

Anthropic’s Alibaba distillation attack accusation contains a specific legislative request. Anthropic urged federal lawmakers to implement more stringent enforcement and defensive frameworks to prevent foreign tech labs from systematically stripping intellectual property from domestic AI research firms. Anthropic’s Head of Policy Sarah Heck said the attacks were carried out “illicitly, systematically, and at industrial scale to harvest US AI capabilities across frontier labs and repackage them as their own without incurring the training and R&D costs.”

Anthropic alleged that the Chinese government was complicit in the attacks as part of the country’s desire to assert global dominance in AI, machine learning, and related technologies. The company added that, if successful, such attacks could pose an existential threat to the United States and its allies worldwide. As TF covered in its VivaTech Day 1 article, European governments are reaching similar conclusions — France’s DGSI replaced Palantir with a domestic alternative specifically over fears about US-controlled AI systems being cut off. The Anthropic letter positions distillation attacks as the Chinese equivalent of that same dependency concern.

The Irony — and Alibaba’s Response

It is hard to ignore the glaring irony: the companies that used enormous collections of publicly available information, including licensed material, to train their AI models are now arguing that those same models are valuable intellectual property. That observation does not resolve the legal question — company outputs are covered by copyright and terms of service, regardless of what trained the underlying model. It does, however, explain why Alibaba’s lawyers will find the case more nuanced than Anthropic’s public depiction suggests. Alibaba did not immediately respond to any press request, which is standard practice when litigation risk is high.

TF Summary: What’s Next

Anthropic expects Senators Scott and Warren to advance legislative proposals through the Senate Banking Committee. The White House Office of Science and Technology Policy’s AI memorandum — issued two months before the letter — pledged to help AI companies detect and coordinate against industrial-scale distillation. The Commerce Department’s export control directive on Fable 5 and Mythos 5 is in effect. Anthropic is working with the government to restore access. Alibaba has not commented.

MY FORECAST: Anthropic’s Alibaba distillation attack accusation will produce two durable outcomes. First, Congress will include anti-distillation provisions in the next AI legislation cycle — most likely as an amendment to export control frameworks rather than standalone AI legislation. The Senate Banking Committee is the correct venue for that work given the financial espionage. Second, frontier AI labs — OpenAI, Google DeepMind, Meta AI — will all increase bot detection and rate-limiting specifically targeting coordinated fake-account query patterns. However, those defences will be imperfect. Adversarial distillation that uses genuine user accounts — compromised through social engineering or credential theft — is significantly harder to detect than fake accounts created at volume. The arms race between distillation attackers and detection systems will define AI IP security for the next decade.



By Li Nguyen “TF Emerging Tech”
Background:
Liam ‘Li’ Nguyen is a persona characterized by his deep involvement in the world of emerging technologies and entrepreneurship. With a Master's degree in Computer Science specializing in Artificial Intelligence, Li transitioned from academia to the entrepreneurial world. He co-founded a startup focused on IoT solutions, where he gained invaluable experience in navigating the tech startup ecosystem. His passion lies in exploring and demystifying the latest trends in AI, blockchain, and IoT.