Table of Contents
What Is Distillation and Why Is It So Powerful?
Distillation is a legitimate and widely used technique in AI research. The basic concept is simple: instead of training a model from scratch on raw data, you train a smaller model on the outputs of a larger, more capable one. The smaller model learns to mimic the bigger one’s reasoning, responses, and judgment at a fraction of the cost.
Used ethically, distillation helps researchers build efficient models for specific tasks without needing massive compute budgets. Google researchers developed the foundational version of the technique back in 2015. Today it is a standard part of AI development.
How Adversarial Distillation Works: Step by Step
Step 1 – Access: An attacker creates thousands of fake accounts to bypass geographic restrictions and usage limits on a frontier model like Claude.
Step 2 – Query at scale: Automated systems send millions of carefully crafted prompts, targeting specific high-value capabilities like code generation or complex reasoning.
Step 3 – Collect outputs: Every response Claude gives is logged. This creates a massive dataset of frontier-level answers.
Step 4 – Train: A weaker, cheaper model is trained on these harvested responses. It learns to produce Claude-like outputs without Anthropic ever consenting to be a teacher.
Result: A competing AI with significantly improved capabilities, built at a fraction of Anthropic’s R&D cost, and without the safety work Anthropic built in.
The “adversarial” version Anthropic describes works the same way, except nothing about it is authorized. Fake accounts are used to bypass geographic restrictions. Queries are automated and run at industrial scale. And the outputs are used to build a system that will directly compete with the model being queried.
These distillation attacks are carried out illicitly, systematically, and at an industrial scale to harvest U.S. AI capabilities across frontier labs and repackage them as their own without incurring the training and R&D costs required to train U.S. frontier models.” – Anthropic, letter to U.S. Senate Banking Committee, June 10, 2026
What Anthropic Says Alibaba Did
According to the letter, operators affiliated with Alibaba and its AI research division, Alibaba Qwen, ran the campaign between April 22 and June 5, 2026, a window of just 45 days. During that time, nearly 25,000 fraudulent accounts were used to conduct 28.8 million interactions with Claude.
The campaign was not random. Anthropic says it specifically targeted Claude’s software engineering and agentic reasoning capabilities, the two areas most central to Anthropic’s commercial edge, and most directly relevant to Alibaba’s Qwen AI lab, which competes in precisely those domains.
Anthropic has long prohibited use of Claude in China, meaning the fraudulent accounts were also an explicit attempt to bypass geographic restrictions the company enforces. The letter notes that Alibaba proceeded despite the Trump Administration’s warnings, adding a geopolitical dimension to what might otherwise read as a competitive intelligence dispute.
Alibaba’s U.S.-listed shares dropped nearly 3% on the news. The company has not commented.
This Is Not the First Time
Anthropic’s accusation against Alibaba is the largest it has made, but not the first. In February 2026, the company publicly identified three separate “industrial-scale” distillation campaigns linked to other Chinese AI labs: DeepSeek, the startup whose low-cost model sent shockwaves through global tech markets in early 2025, along with Moonshot and MiniMax.
Timeline of Events
January 2025: DeepSeek’s R1 model launches, outperforming many Western models at a fraction of the cost, raising immediate questions about how it was trained.
February 2026: Anthropic discloses distillation campaigns linked to DeepSeek, Moonshot, and MiniMax. OpenAI and Google join in a threat-intelligence sharing coalition.
April 22, 2026: The alleged Alibaba campaign begins. Nearly 25,000 accounts start systematically querying Claude at a scale far exceeding prior attacks.
June 5, 2026: Campaign ends, or is detected and cut off. 28.8 million interactions have been logged.
June 8, 2026: The Pentagon adds Alibaba to its Chinese military companies blacklist. Anthropic cites this designation in its letter two days later.
June 10, 2026: Anthropic sends its letter to the Senate Banking Committee, calling the Alibaba campaign the largest known distillation attack in its history.
June 24, 2026: The letter becomes public. Alibaba’s stock drops nearly 3%. The company does not comment.
The pattern Anthropic describes, multiple campaigns, growing in scale, from multiple Chinese labs, is what it now characterizes as systematic and unauthorized exploitation of leading U.S. AI models to build a rival generation of Chinese chatbots.
The Safety Argument: It Is Not Just About Money
Anthropic’s complaint has an economic dimension. The company is preparing for an IPO at a reported $965 billion valuation, and cheaper imitation products represent a direct commercial threat. U.S. officials estimate that unauthorized distillation costs Silicon Valley AI companies billions of dollars collectively.
But Anthropic raises a second argument that goes beyond intellectual property: safety. When a company trains a model through adversarial distillation, it harvests the capabilities of the original model but not necessarily the safety work built into it. The guardrails, the refusal behaviors, the alignment training, all of that can be lost in translation.
An AI system that can write sophisticated code or execute autonomous multi-step tasks, but which was trained without those safety constraints, is not just a competitive concern. It is, Anthropic argues, a risk to the broader AI ecosystem and potentially to national security, given the military-adjacent applications that advanced software engineering and agentic reasoning unlock.
Washington’s Response: Legislation and Restrictions
The political response has been swift, though its ultimate effectiveness remains unclear.
Senators Bill Hagerty of Tennessee and Andy Kim of New Jersey, a Republican and a Democrat, are jointly advancing an amendment to must-pass defense legislation that would blacklist or sanction any Chinese firm found to be improperly accessing U.S. AI model outputs for competitive training. Whether the amendment will survive the legislative process is uncertain.
A separate bill, the Deterring American AI Model Theft Act of 2026, passed the House Foreign Affairs Committee 43-0 in April. It would direct the Commerce Department to identify and publicly name entities involved in distillation attacks, and give the President authority to impose sanctions under the International Emergency Economic Powers Act.
Anthropic itself has asked for several specific policy responses: clearer antitrust guidelines to allow more information sharing between U.S. AI companies about distillation threats; strengthened chip export controls; and explicit penalties for firms found to be using distillation to extract capabilities from U.S. models.
There is an awkward tension here. Separately from the distillation issue, the Trump administration issued an export control directive this month ordering Anthropic to suspend access to its newest models, Claude Fable 5 and Mythos 5, for any foreign national, including Anthropic’s own non-U.S. employees. Anthropic is simultaneously asking the government to protect its models from foreign extraction while pushing back against restrictions on who can use those models commercially. The company argues these goals are complementary rather than contradictory, but making both cases to the same administration at the same time is a delicate act.
Why This Is Hard to Stop
The deeper problem the Alibaba case exposes is structural. Frontier AI models are extraordinarily expensive to build. Anthropic has raised tens of billions of dollars partly to fund that effort. But once a model is deployed commercially, its outputs can be harvested by anyone with API access and a determined automation script.
The API-as-a-product model that made AI accessible to the world is also the mechanism that makes distillation attacks possible. Every response Claude gives is, in a sense, a small piece of Claude’s intelligence made legible and collectible. At 28.8 million interactions, an attacker has a dataset large enough to meaningfully improve a competing model.
Rate limiting, geographic blocks, and account verification all help. Anthropic clearly uses all of them, given that the attackers needed 25,000 fraudulent accounts to evade detection. But at industrial scale, motivated actors with resources will find ways through.
Legislation can impose costs and consequences. Threat-intelligence sharing between Anthropic, OpenAI, and Google can accelerate detection. But the fundamental asymmetry, building a frontier model costs billions while stealing its outputs costs a few million in API calls, is unlikely to disappear.
Frequently Asked Questions
Is distillation itself illegal?
Not inherently. Distillation is a standard and legal AI research technique used widely in academia and industry. What Anthropic alleges is illegal, or at minimum a serious terms-of-service violation, is the use of fraudulent accounts to bypass geographic restrictions in order to conduct distillation at scale, essentially gaining unauthorized access to a system to harvest its outputs.
What is Alibaba’s Qwen AI lab?
Qwen is Alibaba’s dedicated AI research division, responsible for the company’s large language model development. It competes with Western frontier labs in areas including code generation and agentic AI, precisely the capabilities Anthropic says were targeted in the alleged campaign.
How did Anthropic detect the campaign?
Anthropic has not disclosed the specific detection methods. The company does monitor for anomalous usage patterns, and the scale of this campaign, 28.8 million interactions through 25,000 accounts in 45 days, would generate the kind of signal that unusual activity monitoring systems are designed to catch.
What happens to Anthropic’s IPO plans?
Anthropic filed confidentially for an IPO this month at a reported $965 billion valuation. The distillation attacks represent a named risk factor for investors: if competitors can acquire Claude-level capabilities cheaply by querying Claude, the competitive moat Anthropic’s valuation assumes becomes harder to sustain. The legislative response, if it materializes, would directly affect this risk.
Has Alibaba responded?
No. As of publication, Alibaba has not issued a public statement on the allegations. The letter became public on June 24, and the company may still be formulating a response. Alibaba separately sued the U.S. Defense Department this week to challenge its placement on the Pentagon’s Chinese military companies blacklist, a different but related dispute.
The Bigger Picture
The Anthropic-Alibaba story is, in one sense, a business dispute: a company accusing a competitor of stealing its technology. But the scale, the methodology, and the political context it sits within make it something larger.
What is being contested is not just Anthropic’s intellectual property. It is the question of whether building a better AI model confers any lasting advantage at all, or whether every breakthrough by a frontier lab simply becomes a training dataset for the labs trying to catch up. If adversarial distillation cannot be meaningfully stopped, the hundreds of billions flowing into frontier AI development rest on a shakier foundation than the valuations suggest.
Anthropic has put that question in front of the U.S. Senate. Whether Washington has the tools, the speed, or the appetite to answer it effectively is another matter entirely.
