Anthropic says Alibaba ran 28.8M extraction attacks on Claude in largest known distillation campaign

Anthropic sent a letter to the U.S. Senate Committee on Banking, Housing, and Urban Affairs accusing Alibaba of running “the largest known distillation attack” against its Claude models, according to a letter obtained by CNBC. The June 10 letter, addressed to Senators Tim Scott and Elizabeth Warren, says operators affiliated with Alibaba and its AI lab executed 28.8 million exchanges with Claude using roughly 25,000 fraudulent accounts between April 22 and June 5.

Distillation attacks work by querying a stronger model and using its outputs to train a weaker one. Anthropic says the campaign targeted Claude’s most valuable capabilities: its ability to handle longer, more complex tasks and its decision-making approach. The company called the operation “brazen” and “illicit,” and urged Congress to penalize companies behind such attacks and ramp up measures to prevent U.S. technology from being stolen.

The numbers are striking. Twenty-eight million exchanges over 45 days means roughly 640,000 queries per day. Twenty-five thousand accounts suggests a coordinated operation, not a handful of rogue researchers. Anthropic says this is the largest extraction campaign it has identified, and it frames the attack as part of a pattern: Chinese companies harvesting U.S. AI capabilities on “industrial scale” to repackage them as their own.

This is not Anthropic’s first warning. In February, the company said it had identified three “industrial-scale” distillation campaigns from DeepSeek, Moonshot, and MiniMax. Those campaigns, Anthropic said at the time, were growing in intensity and sophistication. Now it names Alibaba, a company with a market capitalization of over $200 billion and a New York Stock Exchange listing.

The timing matters. Two months ago, the White House Office of Science and Technology Policy issued a memorandum pledging to help AI companies detect and coordinate against industrial-scale distillation. Anthropic wrote that Alibaba “ignored the Trump Administration’s warnings” by proceeding with the attacks. The letter lands as the administration itself has taken an unusual step: ordering Anthropic to suspend access to its latest Claude models, Fable 5 and Mythos 5, “by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees.” The government cited “national security authorities” without specifying its concern. Anthropic says senior staff flew to Washington to meet with administration officials, and that “both parties are working quickly to get this resolved.”

The juxtaposition is revealing. The U.S. government restricts Anthropic’s own models from foreign nationals, including its own employees, while Alibaba allegedly runs millions of extraction queries against those same models. The policy response is asymmetric: one company gets an export control directive that disrupts its own operations; the other gets a letter to Congress.

Alibaba has denied previous allegations of military ties. The company this week sued the U.S. government to get its name removed from a Pentagon blacklist that labels it as tied to the Chinese military. The Pentagon has also named BYD and Baidu as having such ties. All three companies deny the allegations.

Anthropic’s letter cites the Defense Department’s claims about Alibaba’s military connections. The company argues that distillation attacks “turn hundreds of billions of dollars in American investment and R&D into a massive subsidy for our geopolitical competitors.” The argument is straightforward: U.S. companies spend billions training frontier models. If Chinese competitors can extract those capabilities for the cost of API calls, the investment advantage collapses.

OpenAI has also accused Chinese groups of using distillation attacks. The practice is not new. What is new is the scale. Twenty-eight million exchanges is not a research project. It is an industrial operation. And it targets the very capabilities that make frontier models valuable: long-context reasoning, complex decision-making, structured outputs.

The technical question is what Alibaba actually extracted. Distillation is not the same as model theft. An attacker cannot extract weights through API calls. What they can extract is a behavioral approximation: a model that mimics Claude’s outputs on a distribution of inputs. If the attacker has access to a large, representative set of queries, they can train a model that reproduces Claude’s behavior on similar tasks. The result is not a copy of Claude, but a model that performs comparably on the tasks the attacker cares about.

That is the threat Anthropic is describing. Alibaba does not need to steal Claude’s weights. It needs to steal Claude’s behavior on the tasks that matter: long-context reasoning, complex decision-making, agentic workflows. If it can train a model that matches Claude on those tasks, it has effectively closed the capability gap without spending billions on training.

The economics favor the attacker. Training a frontier model costs hundreds of millions of dollars. Running 28.8 million API calls against Claude costs, at current pricing, somewhere in the low millions. The return on investment is enormous if the extracted model is commercially useful.

Anthropic’s letter asks Congress to act. What action is unclear. Export controls on model weights already exist. The administration’s export control directive on Mythos 5 suggests the government is willing to restrict access to frontier models. But distillation attacks do not require access to weights. They require access to APIs. And APIs are the primary way AI companies make money.

This is the dilemma. Anthropic sells API access. Alibaba bought API access. Anthropic says Alibaba used that access to extract capabilities. The same transaction that generates revenue for Anthropic also generates the data for an extraction attack. There is no clean way to distinguish a legitimate customer from an extraction campaign until the campaign is underway.

The 25,000 accounts suggest Alibaba was trying to evade detection. Companies like Anthropic monitor API usage patterns for signs of distillation: high query volumes, repetitive prompts, unusual distributions of inputs. Spreading queries across thousands of accounts makes detection harder, though clearly not impossible in this case.

What happens next is unclear. The letter is a public accusation, not a legal filing. Anthropic could pursue civil action. Alibaba could deny the allegations. The Senate committee could hold hearings. The administration could expand export controls. But the underlying technical reality will not change: as long as frontier models are accessible via API, distillation attacks will continue.

The February announcement naming DeepSeek, Moonshot, and MiniMax did not stop Alibaba. The White House memorandum did not stop Alibaba. The question is whether anything short of restricting API access to domestic users will stop these campaigns. And restricting API access to domestic users would break the business model of every U.S. AI company.

Anthropic is making a bet: that public pressure and Congressional action will deter future attacks. The evidence so far suggests otherwise. Distillation campaigns are getting larger, not smaller. The attackers are getting more sophisticated, not less. And the companies being attacked are also being restricted by the same government they are asking for help.