DEV Community

aarhamforensics
aarhamforensics

Posted on • Originally published at twarx.com

Anthropic Claims Alibaba Ran 'Brazen' Campaign to Access Its Claude AI Model

Originally published at twarx.com - read the full interactive version there.

Last Updated: June 25, 2026

Anthropic Claims Alibaba Ran 'Brazen' Campaign to Access Its Claude AI Model — and in doing so handed the entire AI industry its most uncomfortable mirror yet: if 25,000 fake accounts are enough to allegedly siphon the capabilities of a frontier model, then API-first monetization is simultaneously the business model and the existential liability of every Western AI lab.

This is the public face of a shadow war over AI capability extraction. Anthropic, the maker of Claude, has accused operators linked to Alibaba's Qwen AI lab of running what it called the 'largest known distillation attack' on a frontier model — and it took the accusation directly to U.S. government officials in a letter obtained by The Wall Street Journal.

One number reframes everything that follows: a frontier model that cost an estimated $50–100M to train may be partially reconstructable for a low-single-digit-millions API bill. That gap — not the 25,000 accounts — is the real story.

Diagram of AI model distillation extraction attack using thousands of fraudulent API accounts

A conceptual view of the Distillation Extraction Vector: thousands of fraudulent accounts querying a frontier model API to reconstruct its capabilities. Source

Coined Framework

The Distillation Extraction Vector — the emerging attack surface where state-linked or commercially motivated actors systematically query frontier model APIs at scale to reconstruct competitive model capabilities, bypassing billions in R&D investment without a single line of code stolen

It names the structural truth that an API is not just a revenue channel — it is a complete, queryable export of a model's learned behavior. When you sell access to a teacher model, you sell the raw material to build a student.

What Did Anthropic Officially Claim About Alibaba and Claude, and When?

Context for this section: Anthropic (maker of the Claude AI model) accused operators linked to Alibaba's Qwen lab of using roughly 25,000 fraudulent accounts to extract Claude's outputs, via a letter to U.S. officials reported by the WSJ.

The WSJ-obtained letter: exact allegations and official sourcing

According to The Wall Street Journal, Anthropic alleged that operators linked to Alibaba's Qwen AI lab used nearly 25,000 fraudulent accounts to access its Claude models. The company laid out these claims in a letter sent to U.S. government officials — a venue that signals this is as much a policy and national-security play as it is a commercial grievance. You don't write to Washington over a ToS violation.

Anthropic called the alleged behavior 'brazen' and described it internally as the largest known distillation attack against a frontier AI model to date. The WSJ reporting notes this is not the first time the company has said Chinese AI labs are using its technology to train their own models.

The most damaging four words in the report aren't '25,000 fraudulent accounts.' They're 'not the first time' — which implies prior incidents Anthropic chose never to disclose.

That phrasing matters. It implies earlier events Anthropic chose not to publicize — which means this is a pattern they've been watching, not a surprise.

Timeline of events: when the campaign allegedly occurred and when Anthropic reported it

Anthropic's detection of an anomalous, distributed pattern of API usage preceded the letter. The escalation to government officials — rather than a quiet account ban — is the key sequencing detail here. A standard fraud event ends with a Terms-of-Service termination. This ended with a letter to Washington, placing it squarely in the context of the Bureau of Industry and Security's ongoing AI export-control posture. That escalation path is deliberate.

Why does Anthropic call this the 'largest known distillation attack'?

The phrase 'largest known distillation attack' does a lot of work in three words. 'Distillation' is the technical mechanism — covered in the next section. 'Largest known' signals scale: 25,000 accounts is industrial, not opportunistic. And 'attack' reframes what could be dismissed as aggressive scraping into an adversarial security incident with potential legal weight under U.S. statute. The word choice is not accidental.

~25,000
Fraudulent accounts allegedly used to access Claude
[WSJ, 2026](https://www.wsj.com/tech/ai/anthropic-claims-alibaba-ran-brazen-campaign-to-access-its-claude-ai-model-69d7a392)




$3 / $15
Claude 3.5 Sonnet price per million input / output tokens
[Anthropic, 2025](https://www.anthropic.com/pricing)




100+
Qwen model variants released across 2024–2025
[QwenLM GitHub, 2025](https://github.com/QwenLM/Qwen2.5)
Enter fullscreen mode Exit fullscreen mode

An API is not a product you sell. It is a teacher you rent out — and every query is a lesson the student keeps forever.

What Is AI Model Distillation and How Does the Claude Extraction Attack Work?

Context for this section: distillation lets a smaller 'student' model learn from a larger 'teacher.' The Anthropic–Alibaba dispute concerns the adversarial version, where one lab allegedly queries a competitor's Claude API to clone its behavior.

Knowledge distillation vs. capability extraction: the technical distinction

Knowledge distillation is a legitimate, well-documented training technique: a smaller 'student' model learns to mimic the outputs of a larger, more capable 'teacher' model. Done with your own models, it's standard practice — Google DeepMind, OpenAI, and others all use it to compress capability into cheaper, faster deployments. The technique itself is described across the original Hinton et al. distillation paper on arXiv. Nothing exotic about it.

The adversarial version flips the teacher relationship. Instead of distilling your own model, you systematically query someone else's frontier model to generate a large synthetic dataset of prompt-response pairs. That dataset encodes the teacher's reasoning patterns, coding style, and instruction-following behavior. You fine-tune your own model on it — inheriting capability you never paid the R&D cost to develop. No weights stolen. No code exfiltrated. Just outputs, accumulated at scale until they reconstruct something close to the original.

This blurriness is what makes enforcement so hard. As Andrej Karpathy, former director of AI at Tesla and a founding member of OpenAI, has repeatedly noted in public talks and posts, training on synthetic data generated by stronger models is now mainstream practice across the industry. The line between legitimate knowledge transfer and adversarial extraction is genuinely thin — which is precisely why intent and consent, not the technique itself, become the legal hinge.

How the Distillation Extraction Vector operates step by step

The Distillation Extraction Vector — End-to-End Attack Flow

  1


    **Account farming**
Enter fullscreen mode Exit fullscreen mode

~25,000 fraudulent accounts are created and distributed to spread query volume below any single account's rate-limit and anomaly thresholds.

↓


  2


    **Structured prompt generation**
Enter fullscreen mode Exit fullscreen mode

A RAG-style harness generates domain-targeted prompts (coding tasks, reasoning chains) to maximize capability-dense outputs from Claude 3.5 Sonnet.

↓


  3


    **Distributed querying**
Enter fullscreen mode Exit fullscreen mode

Queries fan out across the account pool. Each account looks like an ordinary developer; in aggregate they form an industrial data-extraction pipeline.

↓


  4


    **Synthetic corpus assembly**
Enter fullscreen mode Exit fullscreen mode

Millions of prompt→response pairs are aggregated into a training dataset that encodes the teacher model's behavior.

↓


  5


    **Student fine-tuning**
Enter fullscreen mode Exit fullscreen mode

An open-base model is fine-tuned on the corpus, inheriting capability patterns without the teacher's underlying RLHF and safety research investment.

The sequence matters because no step alone trips a fraud alarm — the attack is invisible at the unit level and devastating in aggregate.

What anomalous extraction looks like from a builder's seat

I've shipped production systems on the Claude API, and the uncomfortable thing is how normal a distillation pipeline looks from the inside. When you actually read Anthropic's usage policies as an operator — not as a lawyer skimming for the indemnity clause — the prohibition on using outputs to train competing models is unambiguous, but nothing in the API surface stops you mechanically. Rate limits bite per key, not per intent. In my own builds, the requests that felt abusive were never the obviously aggressive ones; they were the boringly regular ones — uniform token sizes, evenly spaced calls, a narrow distribution of prompt templates that never deviates. A single account doing that reads as a well-behaved batch job. Twenty-five thousand of them, coordinated, read as a fingerprint only if you're aggregating at the graph level. Most teams aren't, because the per-account dashboards Anthropic exposes simply don't show you the shape of the swarm. That blind spot is the whole game.

Why API access makes frontier models structurally vulnerable

Here's the part most people don't want to say out loud: there's no perfect defense. The output of a frontier model is the product. If you sell access to that output, you're selling the exact signal an attacker needs. Rate limits, verification, and anomaly detection raise the cost of extraction — they don't eliminate it. I've watched teams build increasingly sophisticated abuse-detection layers and still get burned by distributed patterns they weren't looking for at the graph level. This is the contradiction the incident exposes, and nobody in the industry has cleanly solved it.

OpenAI made a structurally identical accusation against DeepSeek in early 2025, alleging ChatGPT outputs were used in training. That precedent — documented by the Financial Times — is part of why the AI safety community is treating Anthropic's claim as credible rather than opportunistic.

Architecture comparison of legitimate knowledge distillation versus adversarial API capability extraction

Legitimate distillation (your own teacher) versus the adversarial Distillation Extraction Vector (someone else's API as the teacher). The mechanism is identical; the consent is not.

How Much Cheaper Is Distilling Claude Than Training It? The Moat-Erosion Math

Context for this section: the economic logic behind the alleged attack. Anthropic spent an estimated nine figures training Claude; the back-of-envelope cost to replicate core behavior via API distillation is dramatically lower.

Here is the calculation the rest of the coverage skips. Training a Claude 3 Opus-class frontier model is widely cited in the $50–100M range for compute alone, before the multi-year RLHF and Constitutional AI research that produces the behavior people actually pay for. Now price the shortcut. Suppose an attacker wants a 10-billion-token synthetic corpus of high-quality Claude outputs — enough to meaningfully fine-tune a strong open base model. At Claude 3.5 Sonnet's published rate of $15 per million output tokens, ten billion output tokens costs roughly $150,000. Add input-side prompt costs at $3 per million and realistic overhead for retries, filtering, and discarded low-quality samples, and you land in the low-single-digit-millions range — call it $1–3M all-in.

~$50–100M
Est. compute to train a Claude-Opus-class frontier model
[Public training-cost estimates](https://arxiv.org/abs/1503.02531)




~$1–3M
Est. API spend to distill a 10B-token synthetic corpus
[Calculated from Anthropic pricing, 2025](https://www.anthropic.com/pricing)




20–100×
The cost gap that makes the attack economically rational
[Twarx analysis, 2026](https://www.wsj.com/tech/ai/anthropic-claims-alibaba-ran-brazen-campaign-to-access-its-claude-ai-model-69d7a392)
Enter fullscreen mode Exit fullscreen mode

A 20–100× cost asymmetry is not a rounding error. It is the entire incentive structure. When replicating the behavioral layer of a frontier model costs one to three percent of training it from scratch, distillation stops being a temptation and becomes a rational business decision for any well-funded competitor willing to absorb the legal risk. That is the gap that turns a $300B valuation built on a capability moat into something far more fragile than the headline number suggests.

What Claude Features Were Allegedly Targeted in the Distillation Attack?

Context for this section: which specific Claude capabilities Anthropic's allegation implies were the extraction targets — primarily coding, reasoning, and Constitutional AI safety behaviors.

Claude's coding and reasoning capabilities as the primary extraction target

Claude is known for long-context reasoning, nuanced instruction following, and high-quality code generation with a safety-conscious style. Those capabilities are expensive to build — they require enormous compute plus proprietary RLHF and Constitutional AI data developed over years. That makes them the highest-value extraction target. Coding especially: it's the easiest domain to generate dense, verifiable synthetic training data for, because you can actually run the code and check whether it works.

Why Claude's Constitutional AI alignment outputs are uniquely valuable

Anthropic's Constitutional AI framework produces a distinctive safety-tuned response style. Distilling those alignment behaviors could let a third party produce a model that mimics Claude's safety posture without funding Anthropic's actual safety research — getting the surface behavior while skipping the science entirely. That's the part that should bother people beyond the commercial IP angle.

What Alibaba's Qwen lab stands to gain: a capability gap analysis

Alibaba's Qwen 2.5-Coder series benchmarked competitively against Claude on programming tasks on a timeline that, per the WSJ reporting, overlaps the alleged extraction window. The most likely targeted models are Claude 3 and Claude 3.5 Sonnet, given their API availability and benchmark dominance during that period. To be clear: correlation isn't proof. Capability parity could be organic. But the timing is the spine of Anthropic's argument, and it's not a weak one.

You can't steal a model's weights through an API. But you can rent it long enough to teach a copy everything it knows.

How Do You Access Claude Legitimately? Pricing, Availability, and API Security

Context for this section: the compliant path to Claude access via Anthropic's Console and partner clouds, and the usage-policy clause at the center of the Alibaba dispute.

Official Claude API access: step-by-step via Anthropic Console

The legitimate path is straightforward:

Python — Claude API quickstart

1. Sign up at console.anthropic.com and create an API key

2. Install the SDK

pip install anthropic

import anthropic

client = anthropic.Anthropic(api_key='YOUR_KEY') # store in env, never hardcode

message = client.messages.create(
model='claude-3-5-sonnet-20241022',
max_tokens=1024,
messages=[{'role': 'user', 'content': 'Explain knowledge distillation in one paragraph.'}]
)
print(message.content[0].text)

Usage is metered per-token and logged for anomaly detection.

Claude pricing tiers in 2025

Per Anthropic's pricing page, Claude 3.5 Sonnet runs $3 per million input tokens and $15 per million output tokens. Haiku is the cheaper, faster tier; Opus sits at the high-capability end. All of it is pay-as-you-go via console.anthropic.com, with enterprise distribution through AWS Bedrock and Google Cloud Vertex AI — each with its own fraud and abuse detection layer on top.

How Anthropic's Terms of Service prohibit distillation

Anthropic's usage policies explicitly prohibit using Claude outputs to train competing AI models — the exact clause at the center of this dispute. Enforcement currently relies on behavioral anomaly detection, rate limiting, and account verification. The 25,000-account campaign was allegedly identified through aggregate behavioral analysis across the account graph, even though each individual account stayed within per-key limits. That's the detection story worth paying attention to.

If you're building production systems that chain model calls — through workflow automation or orchestration layers — staying clearly on the right side of these terms is now a compliance issue, not just an ethics one. You can also explore our AI agent library for compliant patterns, or browse pre-built compliant agent templates designed to stay within third-party API terms.

Screenshot-style view of Anthropic Console API usage dashboard with anomaly detection alerts

Anthropic's behavioral anomaly detection is the production-ready defense layer that allegedly surfaced the distributed account pattern. Source

When Should You Use Claude vs. Qwen After the Alleged Distillation Attack?

Context for this section: a practical post-allegation comparison. The IP dispute concerns alleged extraction methods — it does not, on its own, make Qwen's released open weights illegitimate to use.

Claude vs. Qwen 2.5: honest benchmark comparison

Qwen 2.5-72B scores competitively with Claude 3.5 Sonnet on HumanEval coding benchmarks. That's precisely what raises the question of whether parity was achieved organically or accelerated through extraction. Both interpretations remain open. Anyone telling you the benchmarks alone settle it is overreading the data.

Trust, compliance, and sovereignty considerations

For regulated industries — finance, healthcare, legal — provenance of model training data is becoming a compliance requirement, not just an ethical preference. If a model's capabilities may derive from disputed extraction methods, that's a procurement risk your legal team needs to have an opinion on before you sign a contract, not after.

When open-source Qwen models are a legitimate and appropriate choice

Crucially: many Qwen variants are genuinely open-source under Apache 2.0. For on-premises deployment where data sovereignty is the priority, Qwen is a completely legitimate choice. The IP allegation concerns alleged extraction methods — it doesn't make the released open weights unusable, and conflating the two is a mistake I've seen engineers make under pressure from nervous procurement teams.

ModelBest atLicense / AccessApprox. price (in/out per M tokens)Provenance posture

Claude 3.5 SonnetLong-context reasoning, safe codeAPI (Anthropic, Bedrock, Vertex)$3 / $15Constitutional AI, in-house RLHF

Qwen 2.5-72BCoding, multilingualOpen-source (Apache 2.0)Self-host / cloud-meteredDisputed (extraction allegation)

GPT-4oMultimodal, generalAPI (OpenAI)~$2.50 / $10In-house

Gemini 1.5 Pro1M+ context windowAPI (Google)TieredIn-house (DeepMind)

Llama 3.1 405BOpen frontierOpen weights (Meta license)Self-hostIn-house (Meta)

How Does Alibaba Qwen Compare to Anthropic Claude in the Global AI Race?

Context for this section: the competitive backdrop. Alibaba's Qwen lab iterated unusually fast across 2024–2025; Anthropic argues the alleged distillation campaign compressed a development timeline that normally takes years of safety research.

Alibaba's Qwen lab: history, funding, and stated mission

Alibaba's Qwen team released over 100 model variants across 2024–2025 — an unusually rapid iteration cycle by any measure.

Rapid iteration is not evidence of wrongdoing on its own. But combined with the alleged extraction campaign, it forms the narrative spine of Anthropic's letter to officials. The speed is what made the correlation compelling enough to escalate. When you have spent years and tens of millions of dollars in compute building a behavioral layer through painstaking RLHF, and a competitor appears to reach near-parity on the very benchmarks you dominate inside a window that overlaps an alleged 25,000-account extraction campaign, the pattern stops looking like coincidence and starts looking like a thesis — which is exactly the frame Anthropic chose to put in front of regulators rather than a courtroom.

How Qwen's trajectory compares to Claude's development timeline

Anthropic spent years and enormous compute building the RLHF and Constitutional AI foundations behind Claude. A distillation shortcut, if real, compresses that timeline dramatically. That is the core of why the company frames the moat as being at risk — not just the commercial revenue, but the years of safety research that produced the behavioral layer people actually pay for.

The broader US-China AI competition context

DeepSeek R1 drew the same accusation from OpenAI in January 2025, establishing the precedent. And here's a detail that doesn't get enough attention: Alibaba Cloud's Model Studio has, per its own published service documentation and third-party coverage of its model marketplace, at times offered third-party model integrations as paid services — a commercial relationship existing in parallel with the IP dispute. The regulatory backdrop is U.S. AI export controls administered by BIS and the broader executive-branch posture on frontier AI. This isn't a clean story of adversary versus victim. It's messier than that.

The most consequential line in the WSJ report isn't the 25,000 number — it's 'not the first time.' That phrasing implies prior incidents Anthropic chose not to disclose publicly, suggesting this is a category of attack, not a one-off event.

What Does the Distillation Extraction Vector Mean for Every AI Lab?

Context for this section: the industry-wide implication. Every lab that monetizes API access — OpenAI, Anthropic, Google DeepMind, Mistral — shares the same structural exposure the Claude–Alibaba dispute exposed.

API monetization vs. model security: the structural contradiction exposed

Every major lab — OpenAI, Anthropic, Google DeepMind, Mistral — faces the identical tension: API access is the primary revenue model and the primary attack surface. There's no version of selling model access that doesn't also distribute the model's behavior. You can't have both the business and a perfectly closed system. One of them has to give.

Coined Framework

The Distillation Extraction Vector in practice

It reframes the AI moat: capital and compute build the teacher, but the teacher's value leaks one query at a time. The moat is only as deep as your ability to detect aggregate intent across millions of individually-innocent requests.

How this reshapes AI licensing, API terms, and enterprise contracts

Expect tightened anti-distillation clauses, mandatory provenance attestations in enterprise contracts, and cross-border access restrictions. I'd also expect legal review to become a standard gate on any high-volume pipeline, which is going to slow down some legitimate workflows. Orchestration platforms that chain high-volume calls — LangChain, LangGraph, AutoGen, CrewAI, and n8n — now sit in a gray zone of potential third-party liability that none of them have cleanly addressed in their documentation.

The MCP, RAG, and agentic AI security implications

Model Context Protocol (MCP), agentic frameworks, and vector-database-backed RAG pipelines all create new high-volume query surfaces. The RAG-augmented pattern — structured, domain-specific prompts at scale — is especially efficient for capability extraction in coding and legal reasoning. If you're building with multi-agent systems, RAG architectures, LangGraph orchestration, AI agents, or enterprise AI deployments, treat query volume as a governance signal, not just a cost line. That reframe matters more than it sounds.

  ❌
  Mistake: Treating API ToS as boilerplate
Enter fullscreen mode Exit fullscreen mode

Teams routinely accept anti-distillation clauses without flagging that high-volume synthetic-data generation pipelines may violate them — even unintentionally.

Enter fullscreen mode Exit fullscreen mode

Fix: Add a legal review gate for any pipeline that bulk-generates training data from a third-party model API. Document intent and retention.

  ❌
  Mistake: Assuming open weights = clean provenance
Enter fullscreen mode Exit fullscreen mode

Buyers assume an Apache 2.0 license guarantees the training data was clean. Licensing governs distribution, not how capability was acquired.

Enter fullscreen mode Exit fullscreen mode

Fix: Require provenance attestation in procurement for regulated workloads; map model lineage where defensible.

  ❌
  Mistake: Relying on per-account rate limits alone
Enter fullscreen mode Exit fullscreen mode

Per-account limits are trivially defeated by distributing volume across thousands of accounts — exactly the alleged 25,000-account pattern.

Enter fullscreen mode Exit fullscreen mode

Fix: Deploy aggregate behavioral anomaly detection and output fingerprinting across the whole account graph, not per key.

Expert and Community Reactions: Who Is Saying What About the Claude Allegation?

Context for this section: how named researchers, executives, and the open-source community are reading Anthropic's claim that Alibaba ran a 'brazen' campaign to access Claude.

AI safety and policy community responses

The AI safety community has largely treated the allegation as credible, citing the prior DeepSeek-OpenAI precedent and Qwen's documented capability trajectory. Dario Amodei, co-founder and CEO of Anthropic, has consistently argued in public interviews and his published essays that frontier-model security is a national-competitiveness issue — a framing this letter operationalizes directly. He has been saying this for a while. The letter is him putting it in writing to people who can act on it.

Developer and open-source community pushback

Parts of the open-source community warn that broad anti-distillation enforcement could chill legitimate fine-tuning and knowledge-transfer research. Andrej Karpathy, former Senior Director of AI at Tesla and a founding member of OpenAI, has frequently noted in public talks that synthetic-data training is now mainstream practice — making the line between legitimate and adversarial distillation genuinely blurry. That's not a defense of what Alibaba allegedly did; it's a real problem for anyone trying to write enforceable policy. And Yann LeCun, VP and Chief AI Scientist at Meta and a Turing Award laureate, has long argued in public statements that open models are the safer long-term path — a stance that reframes the question of who 'owns' capability at all. Independent trade-secret attorneys have made a related point in coverage of the DeepSeek dispute: where access controls are circumvented through fraudulent accounts, the conduct can move beyond a contract breach into statutory computer-fraud territory, which is the precise distinction Anthropic's account-fraud framing leans on.

What Alibaba and Qwen have officially stated

As of the latest available reporting, Alibaba had not issued a detailed public rebuttal to the specific 25,000-account allegation. This is a confirmed absence of detailed response — not a denial, not an admission. In disputes escalated to government officials, companies often respond through legal channels rather than press statements. Watch for an official Alibaba or Qwen response; it would materially change the shape of this story.

[

Watch on YouTube
How model distillation works and why frontier labs fear it
AI Explained • model security & distillation
Enter fullscreen mode Exit fullscreen mode

](https://www.youtube.com/results?search_query=anthropic+claude+model+distillation+ip+security)

What Comes Next: Legal, Regulatory, and Technical Fallout

Context for this section: the likely consequences of Anthropic's claim against Alibaba — across U.S. statute, API hardening, and AI export-control policy.

Potential legal pathways

The most likely U.S. frameworks are the Computer Fraud and Abuse Act (CFAA) — particularly relevant given the alleged use of fraudulent accounts to circumvent access controls — and the Defend Trade Secrets Act (DTSA). Account fraud is what potentially elevates this from a contract dispute to a statutory violation. Without the fake accounts, you might have a ToS fight. With them, you potentially have a federal case.

How labs will harden API security

Expect rapid movement toward output fingerprinting, cryptographic watermarking of responses, behavioral honeypotting, and graph-level account analysis. Most of these are currently research-stage, not production-ready at scale. That's the uncomfortable truth defenders have to sit with while they build toward it. The offense is ahead of the defense right now, and I don't expect that to change quickly.

The geopolitical escalation risk

If validated, this becomes evidence for strengthening cloud-API export controls targeting specific entities. OpenAI, Google DeepMind, and Meta are almost certainly auditing their own API logs for similar patterns right now. The strategic implication is the headline: the moat around frontier models may be far narrower than their valuations imply.

2026 H2


  **Mandatory anti-distillation clauses become industry-standard**
Enter fullscreen mode Exit fullscreen mode

Following Anthropic's disclosure and the DeepSeek precedent, expect every major lab to harden ToS and add provenance attestation to enterprise contracts.

2027 H1


  **Output fingerprinting ships to production**
Enter fullscreen mode Exit fullscreen mode

Research-stage watermarking and fingerprinting techniques move into live API defenses, driven directly by competitive pressure from incidents like this.

2027 H2


  **BIS introduces cloud-API access rules**
Enter fullscreen mode Exit fullscreen mode

Building on existing export-control posture, expect targeted restrictions on frontier-API access for designated foreign entities.

2028


  **Moat re-pricing hits AI valuations**
Enter fullscreen mode Exit fullscreen mode

If distillation proves as effective as alleged, investors begin discounting capability-only moats — favoring labs with distribution, data, and regulatory positioning.

If distillation works as well as alleged, the $300B AI investment cycle is funding moats a determined competitor can drain for one-to-three cents on the training dollar.

Timeline graphic of US-China AI capability extraction disputes from DeepSeek to Anthropic Alibaba

The distillation dispute timeline — from OpenAI vs. DeepSeek to Anthropic vs. Alibaba — shows a hardening pattern, not isolated incidents.

Frequently Asked Questions

What exactly did Anthropic accuse Alibaba of doing to Claude AI?

The headline says it plainly: Anthropic claims Alibaba ran a 'brazen' campaign to access its Claude AI model. According to a letter to U.S. government officials obtained by The Wall Street Journal, Anthropic alleged that operators linked to Alibaba's Qwen AI lab used nearly 25,000 fraudulent accounts to access Claude and systematically extract its outputs. Anthropic described this as the 'largest known distillation attack' on a frontier model — meaning the alleged goal was to harvest Claude's responses to train a competing model. The accusation centers on circumventing Anthropic's usage policies, which explicitly prohibit using Claude outputs to train rival AI systems. Importantly, the WSJ noted this is 'not the first time' Anthropic has made such claims about Chinese labs, implying a pattern.

How does AI model distillation work and why is it considered a form of IP theft?

Distillation is a technique where a smaller 'student' model learns from a larger 'teacher' model's outputs. Done with your own models it's legitimate. It becomes alleged IP theft when you systematically query someone else's frontier model API to build a synthetic training dataset, then fine-tune your own model on it — inheriting capabilities you never invested in developing. No weights or code are stolen, which is what makes it legally novel. The harm is economic: a competitor bypasses billions in compute and RLHF research. It's typically framed as a breach of the API's Terms of Service plus, where fraudulent accounts are used, potential violations of computer-fraud and trade-secret statutes.

How many fake accounts did Alibaba allegedly use to access Claude, and how were they detected?

Anthropic alleged that nearly 25,000 fraudulent accounts were used, per WSJ reporting. Spreading queries across thousands of accounts keeps each one below individual rate-limit and anomaly thresholds — making the activity invisible at the unit level. Detection therefore relied on aggregate behavioral anomaly analysis: identifying coordinated patterns across the account graph rather than flagging any single account. This is exactly why per-account rate limiting alone is insufficient against industrial-scale extraction, and why the incident is pushing labs toward graph-level monitoring and output fingerprinting as next-generation defenses.

What is Alibaba's Qwen AI lab and how does it relate to this allegation?

Qwen is Alibaba's frontier AI lab, which released over 100 model variants across 2024–2025, including the Qwen 2.5 series and Qwen 2.5-Coder. Many variants are open-source under Apache 2.0. Anthropic's allegation is that operators linked to Qwen ran the extraction campaign to accelerate Qwen's capability development — particularly in coding, where Qwen benchmarks competitively with Claude. The lab's unusually rapid iteration cycle is cited as circumstantial context. It's important to separate the allegation about methods from the released open models themselves, which remain legitimately downloadable and usable under their license.

Has Alibaba responded to Anthropic's accusations about accessing Claude?

As of the latest available reporting, Alibaba had not issued a detailed public rebuttal to the specific 25,000-account allegation. This is a confirmed absence of detailed response rather than a confirmed denial or admission. In disputes of this kind, companies often respond through legal channels or measured statements rather than immediate public engagement, especially when the matter has been escalated to government officials. Readers should watch for an official Alibaba or Qwen statement, which would materially shape how the dispute proceeds. Until then, the allegation stands as Anthropic's characterization, supported by its internal detection but not independently verified in public.

Is this the first time a Chinese AI lab has been accused of distilling a Western frontier model?

No. In early 2025, OpenAI accused DeepSeek of training on ChatGPT outputs, as reported by the Financial Times — establishing a documented precedent for this class of allegation. Anthropic itself noted this is 'not the first time' it has said Chinese labs used its technology, implying earlier undisclosed incidents. Together these suggest the Distillation Extraction Vector is an emerging category of attack against frontier-model APIs rather than an isolated event. That pattern is why policy professionals are treating the Anthropic-Alibaba claim as part of a broader US-China AI competition narrative rather than a single commercial dispute.

What legal action can Anthropic take against Alibaba for allegedly stealing Claude's capabilities?

The most likely U.S. frameworks are the Computer Fraud and Abuse Act (CFAA) — relevant because fraudulent accounts allegedly circumvented access controls — and the Defend Trade Secrets Act (DTSA). Anthropic can also pursue breach-of-contract claims under its usage policies. Beyond courts, the letter to U.S. officials opens a regulatory pathway: the Bureau of Industry and Security could respond with cloud-API export-control measures targeting specific entities. Cross-border enforcement against a Chinese company is genuinely difficult, which is partly why Anthropic pursued the policy route in parallel with any private legal options. The dispute may ultimately shape regulation more than it produces a courtroom verdict.

About the Author

Rushil Shah

AI Systems Builder & Founder, Twarx

Rushil Shah is the founder of Twarx and an AI systems builder who has spent years designing autonomous workflows, multi-agent architectures, and AI-powered business tools. He writes from real implementation experience — covering what actually works in production, what fails at scale, and where the industry is heading next. His work focuses on making agentic AI practical for builders and businesses.

LinkedIn · Full Profile


This article was originally published on Twarx. Follow for daily deep dives on AI agents and automation.

Top comments (0)