Anthropic Tells the US Senate That Alibaba Ran 28.8 Million Unauthorized Extractions of Claude

Awais Khalid

June 26, 2026

Every conversation Claude has ever had with a legitimate user looks identical to a conversation Claude has with an attacker trying to copy it. That is the fundamental problem Anthropic just placed before the United States Senate — and the reason it is asking for trade law rather than a better API filter.

Anthropic accused Alibaba of conducting the largest adversarial distillation campaign ever documented against its Claude AI models in a letter dated June 10, 2026, addressed to Senate Banking Committee Chair Tim Scott (R-SC) and Ranking Member Elizabeth Warren (D-MA). The company told the committee that operators linked to Alibaba’s Qwen AI lab ran 28.8 million unauthorized exchanges with Claude over a six-week period from April 22 to June 5, using approximately 25,000 fraudulent accounts and commercial proxy services to circumvent the geographic restrictions that bar Chinese entities from accessing the model. Anthropic called the operation “the largest known distillation attack on Anthropic to date” — a campaign the company says dwarfed the combined scale of the attacks by the three Chinese AI labs (DeepSeek, Moonshot, and MiniMax) that Anthropic accused in February of carrying out a similar but smaller series of attacks.

The letter, first reported by Bloomberg on June 24 and now receiving broad coverage, marks the first time a company of Alibaba’s global commercial scale has been named in a distillation complaint, and the first time Anthropic has formally submitted such evidence directly to a Congressional committee rather than a regulator or court. That routing was deliberate.

 

Key Developments

  • Anthropic’s June 10, 2026 letter to the Senate Banking Committee alleges operators affiliated with Alibaba’s Qwen AI lab ran 28.8 million Claude interactions via ~25,000 fraudulent accounts between April 22 and June 5, 2026 — the largest documented distillation attack on any AI company to date.
  • The targeted capabilities were Claude’s most commercially valuable: agentic reasoning, software engineering proficiency, and long-horizon task completion.
  • Bipartisan legislation is now moving: Senators Bill Hagerty (R-TN) and Andy Kim (D-NJ) are pushing a defense bill amendment that would blacklist or sanction entities conducting adversarial distillation campaigns.
  • Alibaba has denied the allegations and is separately suing the US Department of Defense to be removed from a military-controlled-entities list, calling the designation baseless.

What Happened

According to The Next Web’s detailed account of the letter, Anthropic described the campaign as a systematic effort to extract Claude’s behavior through adversarial distillation — feeding Claude large volumes of targeted prompts and collecting its responses so that a lower-cost model could be trained to replicate its outputs without access to Anthropic’s actual model weights or training data. The campaign specifically targeted software-engineering and agentic-reasoning capabilities, which Anthropic describes as among its most commercially valuable. The letter notes that the operations relied on proxy services to disguise the geographic origin of requests, circumventing the geographic access restrictions Claude’s terms of service apply to Chinese entities.

In a statement to CNBC, Anthropic said it “believes combating the threat of illicit distillation requires coordinated action between government and industry” and would “continue working with Congress and the Administration to maintain American AI leadership.” Bipartisan legislative action is already moving in response: Senators Bill Hagerty (R-TN) and Andy Kim (D-NJ) announced plans to introduce an amendment to must-pass defense legislation that would blacklist or sanction Chinese companies found to be improperly extracting US AI model capabilities. Alibaba has denied the allegations and separately filed a lawsuit seeking removal from the US Department of Defense’s military-controlled-entities list, saying that designation has “no basis in fact or law.”

The Mechanism: Why Distillation Attacks Cannot Be Filtered at the API Level

A distillation attack exploits a structural property of how large language models are deployed commercially. When a legitimate enterprise customer sends Claude a prompt asking it to write code, and when an attacker sends Claude a prompt designed to extract its reasoning patterns for training a competitor model, the two interactions are technically identical at the API level: both arrive as text, both receive a text response, and both can be attributed to a legitimate-looking account with valid payment credentials and plausible use-case framing. The model cannot distinguish between the two, and the API cannot distinguish between them at the time of the request.

That is why geographic access restrictions and terms-of-service prohibitions are not sufficient defenses: both can be circumvented by commercial proxy services and fraudulent account creation at scale, as the Alibaba campaign demonstrates. The attack’s size — 25,000 accounts generating 28.8 million exchanges over six weeks — is not a sign that geographic restrictions failed technically. It is a sign that the economic value of the capabilities being extracted (training an agentic-reasoning model from scratch would cost many millions of dollars) made it worth investing heavily in circumventing them. Anthropic put this directly: “Distillation attacks turn hundreds of billions of dollars in American investment and R&D into a massive subsidy for our geopolitical competitors.” The only enforcement mechanism that closes the gap definitively is one that applies at the trade-law level rather than the API level, which is precisely why Anthropic went to the Senate Banking Committee.

The Backstory

Anthropic was not the first American AI company to raise this alarm in 2026. OpenAI reported in February that DeepSeek employees had bypassed ChatGPT’s access restrictions and obtained responses for distillation. In the same month, Anthropic itself reported three “industrial-scale” distillation campaigns attributed to DeepSeek, Moonshot, and MiniMax, which together used 24,000 fraudulent accounts to generate 16 million exchanges. Google raised similar concerns the same month without naming specific companies. The pattern was sufficiently established by April 2026 that the White House Office of Science and Technology Policy issued a memorandum pledging to help AI companies detect and coordinate defenses against such attacks.

The Alibaba accusation escalates this pattern in two important ways. First, the scale is substantially larger than any previously disclosed campaign: 28.8 million exchanges exceeds the combined total of all three February disclosures. Second, and more significantly, the accused party is not an AI startup but a company with hundreds of billions of dollars in market capitalization and one of the world’s largest e-commerce and cloud infrastructure operations. Alibaba’s Qwen AI lab has been one of the more competitive Chinese AI challengers to Anthropic’s Claude Fable 5 and Mythos 5, releasing models that approach or match Anthropic and OpenAI benchmarks in some categories at a fraction of the cost. The Anthropic letter argues that part of the reason Qwen can do that is that it extracted the capability from Claude rather than developing it independently.

The letter also cited US Department of Defense assertions that Alibaba — along with Baidu, BYD, Unitree, and 185 other entities — is directly part of China’s military-industrial base. Alibaba disputes that designation and is currently litigating it in federal court. The timing of Anthropic’s Senate letter, arriving less than two weeks after the DoD published its military-entity list in June, suggests Anthropic is deliberately connecting the distillation allegation to the national security framing the DoD designation provides, rather than treating it as a standalone commercial dispute. This connection also speaks to the same landscape as the Miasma worm attack on AI developer tools earlier this month — a pattern of sophisticated, systematic exploitation of AI infrastructure by actors operating across the commercial and national security boundary simultaneously.

Reactions

Anthropic framed the allegation not as a request for legal penalties against a competitor but as a structural argument about the design of US AI policy. The company argued that the current approach — access restrictions plus terms-of-service enforcement — cannot stop industrial-scale distillation because the economics of the attack are decisively favorable relative to the enforcement mechanism: an attacker investing in 25,000 proxy accounts to extract frontier AI capabilities is implicitly calculating that the value of what it captures exceeds the cost of being caught and banned, especially when the ban only removes the API access and not the already-extracted capability.

The bipartisan Hagerty-Kim amendment signals that at least some Senators agree that the appropriate response is not technical but legislative — raising the cost of this kind of attack through trade sanctions and blacklisting rather than trying to detect it in real time at the API level. That response, if enacted, would also apply pressure to the Chinese technology ecosystem more broadly, since a sanctioning framework targeted at AI distillation would have implications for any Chinese AI lab whose model capabilities could be shown to have been built on extracted Western model outputs.

The Dispute: Attribution and the Proof Standard

Alibaba’s denial puts the question of attribution at the center of whatever legal or legislative response follows. Anthropic’s letter attributes the campaign to “operators affiliated with Alibaba’s Qwen lab” — a formulation that is notable for what it does not say. It does not claim that Alibaba’s corporate leadership authorized the campaign, that the accounts were directly operated by Alibaba employees, or that the Qwen models now commercially available demonstrably incorporate the extracted Claude capabilities in a legally cognizable way. Those three evidentiary questions are the ones that would determine whether any actual sanction or blacklisting could survive legal challenge, and none of them are answered by the letter itself.

There is also a methodological tension that the legislative pathway will need to navigate. The Hagerty-Kim amendment would sanction entities conducting adversarial distillation campaigns, but “adversarial distillation” is not currently a defined term in US trade or technology law. Defining it narrowly enough to not capture legitimate AI research that involves generating outputs from commercial models — a standard practice in academic benchmarking and evaluation — while broadly enough to capture the kind of systematic, large-scale extraction Anthropic is describing, is a genuine legislative design problem rather than a simple enforcement decision. The same capability extraction that Anthropic calls theft is, in a different context, exactly what OpenAI’s own 2026 ChatGPT cross-conversation safety update does: it also involves retaining and using prior conversation context to shape model outputs, which makes the definition of the offense the hardest part of the legislative response.

What Happens Next

The Hagerty-Kim defense bill amendment is the clearest near-term legislative marker to watch. Defense appropriations bills move on compressed timelines compared with standalone legislation, which means this amendment could become law considerably faster than a standalone AI-theft statute would. Whether Alibaba mounts a legal challenge to any enacted sanctions, and what evidentiary standard that challenge would require Anthropic to meet, will determine whether the legislative response Anthropic is seeking actually creates the enforcement deterrent the company argues is necessary. In parallel, the Senate Banking Committee — to which the original letter was addressed — has not yet responded publicly, and a committee hearing on AI intellectual property theft is a plausible near-term development given the bipartisan interest the letter has generated.

Why It Matters

The Anthropic-Alibaba dispute is the clearest test yet of a proposition that has been building all year in AI policy circles: that capability theft at the API level is a form of economic and technological harm that existing intellectual property, trade secret, and cybersecurity law is structurally unsuited to address. If Congress moves to create new sanctions or blacklisting authority for adversarial distillation in response to this disclosure, it will mark the first time the US government has formally intervened to protect the capabilities of a specific AI model as a matter of national security rather than commercial IP. That precedent would reach well beyond the Alibaba case — shaping how the US treats any foreign entity that uses commercial AI models in ways designed to extract and replicate their capabilities, with significant implications for how OpenAI’s accelerating model release cadence and the broader frontier AI race evolve over the next several years.

Sources

Bloomberg (June 24, 2026); CNBC; WION; TechTimes; Let’s Data Science; Inc. Magazine.
