Twenty-five thousand fake accounts. Six weeks. Nearly 29 million conversations — not casual chitchat about recipe ideas, but targeted queries about multi-step reasoning, advanced coding workflows, and long-horizon planning. That’s what Anthropic described in a June 10 letter to the U.S. Senate Banking Committee, alleging operators linked to Alibaba’s Qwen AI lab orchestrated what it calls “the largest known distillation attack” on Claude, according to reporting by CNBC and the Wall Street Journal. The accounts were proxy-routed to dodge geo-blocks and rate limits, disguised as ordinary users. These remain allegations. Alibaba has not offered a point-by-point rebuttal.
What “Distillation Attack” Actually Means
The technique is standard inside any AI lab — until someone aims it at a competitor’s API.
- Distillation trains a cheaper “student” model on a stronger “teacher” model’s outputs, approximating its behavior without touching its weights or original training data. This mirrors the competitive dynamics seen across AI-powered websites that leverage frontier model capabilities.
- Labs legitimately use this internally to build smaller, faster variants of their own models.
- The illicit version harvests a competitor’s input-output pairs at industrial scale, then fine-tunes a rival model on that dataset — copying capability without paying for it.
- Anthropic says the alleged queries targeted frontier capabilities — agentic reasoning, software engineering chains, long-horizon planning — not commodity translation or small talk.
- Separately, Anthropic has named DeepSeek, Moonshot AI, and MiniMax in similar campaigns totaling roughly 24,000 fake accounts and over 16 million exchanges.
Distillation is downstream by definition — you cannot distill a model that doesn’t exist yet. If Anthropic’s account holds, Qwen was training on Claude’s yesterday while Anthropic ships tomorrow. Technical analysts covering the allegations have framed the cross-lab version plainly: “When you do it across an API boundary against a competitor’s frontier model, it’s basically copying without paying.” Worth noting: Alibaba has since banned Claude for internal employee use — a curious move for a company with nothing to answer for.
The DeepSeek episode offers a useful parallel. In early 2025, claims of a competitive model trained for under $6 million wiped hundreds of billions off Nvidia and US AI stocks in a single session. Markets assumed copying meant overtaking. It didn’t. Frontier labs kept shipping, and cheaper inference pulled more demand forward rather than displacing the leaders. The reflex triggered by the Alibaba story is identical — and so is the structural reality underneath it.
What This Means Beyond the Headline
The real policy gap isn’t chips — it’s API-level capability extraction that no export control currently reaches.
If you’re reading the next Chinese frontier benchmark as proof US labs are falling behind, ask one question first: whose answers did that model learn from? Anthropic frames the alleged operation as turning American AI investment into “a subsidy for a geopolitical competitor” — echoing concerns raised around the Stargate Project — and is pushing Congress toward API-level governance tools beyond hardware export controls. Chip embargoes cannot stop someone from scraping outputs. That’s the regulatory gap this story actually opens — and the reason Anthropic is lobbying for stricter account verification, anomaly detection, and usage monitoring at the API layer, a strategy that parallels efforts behind AI age laws targeting platform-level accountability.
The most persuasive evidence that Claude remains the reference standard for frontier AI is that a major competitor allegedly built a 25,000-account, six-week operation just to approximate it. Distillation attacks don’t threaten the economics of frontier labs; they reinforce them, because both leaders and imitators ultimately depend on the same compute infrastructure. That’s not a sign of US AI leadership eroding. That’s a receipt for it.




























