Inside Anthropic's Claims of Distillation Attack by Alibaba

Anthropic has accused Alibaba of orchestrating a large-scale distillation campaign to extract capabilities from its Claude AI models
Anthropic alleges Alibaba illicitly extracted Claude's capabilities through a massive distillation campaign, as Chinese AI firms rapidly close the AI gap

Anthropic has accused Alibaba of conducting large-scale distillation attacks against its Claude AI system. The attacks could represent one of the most extensive known instances of model extraction targeting a proprietary language model.

According to a Reuters report, a letter dated 10 June and sent to Senators Tim Scott and Elizabeth Warren of the US Senate Banking Committee says that actors affiliated with Alibaba executed a campaign to illicitly obtain capabilities close to those of Claude Mythos Preview.

The letter says that the operation ran between 22 April and 5 June. Anthropic reported that attackers generated more than 28.8 million exchanges with Claude using approximately 25,000 fraudulent accounts.

Knowledge distillation as attack vector

The threat exploits a legitimate machine learning technique called knowledge distillation. In standard practice, new models learn from larger teacher models through supervised training.

Threat actors weaponise this process by using input-output pairs from proprietary AI systems to train their own student models. The attacks, also known as model extraction attacks, can replicate the performance of the target system at minimal cost.

The technique allows adversaries to bypass the substantial computational and financial resources required to develop frontier AI capabilities independently. Attackers create cheap replicas that mimic the original model's functionality.

Anthropic identified operators affiliated with Alibaba and Alibaba Qwen – the company's AI research division – as responsible for the campaign. Alibaba has not responded to requests for comment from Reuters.

Pattern of sophisticated campaigns

This is not the first time Anthropic has detected such activity. The company previously identified multiple Chinese AI firms attempting to extract capabilities through large-scale distillation operations.

In February, Anthropic alleged that DeepSeek, Moonshot AI and MiniMax collectively generated millions of interactions with its Claude platform. According to Anthropic, Moonshot and MiniMax accounted for the largest volumes in that campaign.

Anthropic stated that the attacks have become increasingly sophisticated over time. The company warned that countering these threats would require closer coordination between AI companies and government agencies.

The security implications extend beyond intellectual property theft. Threat actors who successfully extract model capabilities could deploy them in ways that circumvent export controls and other regulatory safeguards.

National security considerations emerge

The issue has attracted attention from US defence and commerce officials, with the Pentagon adding Alibaba to its list of Chinese military companies – a designation the firm is contesting.

Reuters had previously reported exclusively that the US Commerce Department has held off adding DeepSeek to its trade blacklist. An interagency committee reportedly identified the company as a national security concern, but officials are weighing diplomatic implications before implementing tougher measures against Beijing.

The controversy emerges shortly after the White House accused China of industrial-scale extraction of western frontier models. 

Chinese AI development has narrowed the capability gap with western systems. For example, the GLM 5.2 model from Chinese startup Z.ai showed benchmark performance closely trailing western frontier AI, signalling a rapidly escalating geopolitical AI arms race.