--- title: "Anthropic Accuses Alibaba of 'Brazen' Industrial-Scale Distillation of Claude: 28.8M Exchanges, ~25,000 Fraudulent Accounts, April 22 to June 5" description: "Anthropic published a blog post on 2026-06-24 (https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks) accusing Alibaba of an industrial-scale distillation campaign against Claude. Anthropic says the campaign ran from April 22 to June 5, 2026 and produced over 28.8 million exchanges with Claude through almost 25,000 fraudulent accounts. The accusation is the second in Anthropic's public distillation disclosures: the first, on 2026-02-23, named DeepSeek, Moonshot AI, and MiniMax as attackers behind 16 million exchanges across 24,000 fraudulent accounts. Reuters (Krystal Hu, Eduardo Baptista) and Bloomberg (Saritha Rai) reported the new allegation on 2026-06-24; WSJ ran Anthropic Claims Alibaba Ran 'Brazen' Campaign to Access Its Claude AI Model the same day. Alibaba has not yet issued a public statement at time of writing." date: 2026-06-25 image: "/images/heroes/2026-06-25--anthropic-alibaba-qwen-claude-distillation.png" author: lschvn tags: ["ai", "security"] tldr: - "Anthropic's blog post on 2026-06-24 ([Detecting and preventing distillation attacks](https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks)) accuses Alibaba of running an industrial-scale distillation campaign against Claude between April 22 and June 5, 2026: over 28.8 million exchanges with Claude, through almost 25,000 fraudulent accounts. Anthropic frames the campaign as 'brazen' and ties it to the broader pattern it first disclosed on 2026-02-23, when it named DeepSeek, Moonshot AI, and MiniMax as the operators behind 24,000 fraudulent accounts that generated 16 million exchanges." - "The new allegation lands four months after the February disclosure and one day after Anthropic separately disclosed that [a June 12 US export control directive forced it to suspend Fable 5 and Mythos 5 worldwide](/articles/2026-06-13--anthropic-fable-mythos-suspended-us-government), including for foreign nationals inside the United States. The pairing is striking: in one week Anthropic has gone from publicly contesting a US export control directive to publicly naming a Chinese frontier-lab customer as a distillation attacker. The Bloomberg, Reuters, and WSJ coverage frames the allegation as the first time Anthropic has named a single large public company in a distillation disclosure." - "Other concrete elements of the disclosure: Anthropic says the fraudulent accounts were tied to specific API-usage patterns it now detects automatically; the company says it has implemented new detection on the Claude API surface; the post outlines the detection method (a pattern of exchanges with reproducible structural similarity that exceeds the natural variance of independent API consumers) but does not publish the model weights or detection signatures. The Alibaba Qwen team has not responded to requests for comment as of 2026-06-24 23:00 UTC. The story is on the Hacker News front page with 448 points and 782 comments at time of writing." faq: - question: "What is Anthropic actually alleging Alibaba did?" answer: "Anthropic's blog post says Alibaba ran a coordinated campaign against the Claude API between April 22 and June 5, 2026, generating more than 28.8 million exchanges through approximately 25,000 fraudulent accounts. Anthropic's framing is 'industrial-scale distillation': training a less capable model on the outputs of a stronger one. The accusation is that the 25,000 accounts were not independent API consumers but a coordinated set whose exchange patterns showed reproducible structural similarity that exceeds what natural variance among independent consumers would produce. The post is the first time Anthropic has named a single large public company in a distillation disclosure; the earlier February 23 disclosure named three companies (DeepSeek, Moonshot AI, MiniMax) and gave the same order of magnitude (~24,000 accounts, ~16 million exchanges)." - question: "What is 'distillation' in this context, and how does it differ from ordinary API use?" answer: "In the AI developer context, distillation is the practice of using a frontier model's outputs as training data for a smaller model, so the smaller model learns to imitate the larger model's behavior on the same inputs. The legal status of distillation is contested: training a model on outputs you paid for through an API is, by default, permitted under most commercial API terms of service. Anthropic's allegation is that the Alibaba campaign violated the API terms in two ways: first, by using fraudulent accounts (which Anthropic says misrepresent the true consumer of the API), and second, by using the API in a pattern that violates the prohibition on training competing models. The Anthropic blog post says the company can now detect the pattern automatically and has implemented new detection on the Claude API surface. Other AI labs (OpenAI, Google DeepMind) have similar terms-of-service prohibitions and similar detection work in progress, though Anthropic's disclosure is the first public naming of a specific large public company." - question: "How does this differ from the earlier February 23 distillation disclosure?" answer: "On 2026-02-23, Anthropic [published a tweet](https://x.com/AnthropicAI/status/2025997928242811253) and a thread on its account naming DeepSeek, Moonshot AI, and MiniMax as the operators behind 24,000 fraudulent accounts that generated 16 million exchanges with Claude. The June 24 post extends the same investigation: Anthropic now says it has identified a separate, larger campaign it attributes to Alibaba, with 25,000 fraudulent accounts and 28.8 million exchanges over a tighter six-week window (April 22 to June 5, 2026). The new disclosure is also the first one published as a full blog post on the Anthropic news site rather than a thread on X; the technical detail in the post is greater than what the February thread provided." - question: "What evidence is Anthropic providing?" answer: "Anthropic's blog post says it can now detect the pattern automatically and that the 25,000 fraudulent accounts share structural exchange patterns that exceed the natural variance among independent API consumers. The post does not publish the detection signatures, the weights, or the specific account identifiers; it says the company has implemented new detection on the Claude API surface and is willing to share detection signatures with other frontier labs under NDA. Reuters' reporting notes that Anthropic declined to provide the underlying account logs to Reuters; the WSJ piece notes the same. The HN thread on the Reuters story (https://news.ycombinator.com/item?id=48664814) is dominated by skepticism about whether Anthropic's pattern-detection methodology can distinguish coordinated distillation from legitimate API use at scale, with multiple commenters arguing that the patterns Anthropic describes are consistent with both explanations." - question: "Why does this land now, one day after the Fable 5 / Mythos 5 export control directive?" answer: "Timing is not explained in either the export control post ([2026-06-13 Fable Mythos suspended](/articles/2026-06-13--anthropic-fable-mythos-suspended-us-government)) or the distillation post; the two are unrelated in their stated subject matter. But the paired disclosure is striking: Anthropic is simultaneously pushing back against a US export control directive (the Fable/Mythos suspension) and naming a Chinese frontier-lab customer as a distillation attacker. The Anthropic blog post does not connect the two stories; the connection is being drawn in the trade press and on X. Bloomberg's reporting on 2026-06-24 frames the allegation as 'part of a broader Anthropic effort to demonstrate it is taking action against unauthorized access to its models', which is the closest the trade press has come to drawing the explicit connection. The pairing will likely be a topic of the EU and US regulatory conversations about AI export controls over the next two weeks." - question: "How should Claude Code / Claude API users react?" answer: "Nothing changes for legitimate Claude API or Claude Code users in this disclosure. The fraudulent accounts Anthropic is describing were tied to specific usage patterns (coordinated exchange structure across many accounts) that the company says it can now detect automatically; the new detection is on the Claude API surface, not on the Claude.ai consumer or Claude Code surface. Developers using Claude through the official API, the Anthropic SDK, or Claude Code should not see any change in their account or usage. The disclosure also does not change Anthropic's commercial API terms of service, which already prohibit training competing models on Claude outputs. Developers who were already respecting those terms are unaffected." - question: "Has Alibaba responded?" answer: "Alibaba has not issued a public statement as of 2026-06-24 23:00 UTC. The Qwen team (@Alibaba_Qwen) has not posted on X about the allegation; the Alibaba Group press contact has not returned Reuters' request for comment. The Bloomberg piece notes that Alibaba did not respond to a request for comment outside business hours in China. The story is fast-moving; an Alibaba response is likely by 2026-06-26." --- [Anthropic published a blog post](https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks) on 2026-06-24 accusing Alibaba of running an "industrial-scale" distillation campaign against Claude between April 22 and June 5, 2026, generating more than 28.8 million exchanges with the model through almost 25,000 fraudulent accounts. Reuters ([Krystal Hu, Eduardo Baptista](https://www.reuters.com/world/china/anthropic-says-alibaba-illicitly-extracted-claude-ai-model-capabilities-2026-06-24/)), Bloomberg ([Saritha Rai](https://www.bloomberg.com/news/articles/2026-06-24/anthropic-accuses-alibaba-of-illicitly-accessing-its-ai-models)), and the Wall Street Journal ([Anthropic Claims Alibaba Ran 'Brazen' Campaign to Access Its Claude AI Model](https://www.wsj.com/tech/ai/anthropic-claims-alibaba-ran-brazen-campaign-to-access-its-claude-ai-mod-69d7a392)) reported the allegation the same day. The story sits on the Hacker News front page with 448 points and 782 comments at time of writing, and is the first time Anthropic has named a single large public company in a public distillation disclosure. The disclosure is the second in a series. On 2026-02-23, Anthropic [tweeted](https://x.com/AnthropicAI/status/2025997928242811253) that it had "identified industrial-scale distillation attacks on our models by DeepSeek, Moonshot AI, and MiniMax" and that "these labs created over 24,000 fraudulent accounts and generated over 16 million exchanges with Claude, extracting its capabilities to train and improve their own models." The June 24 post is the full blog form of the same investigation, with technical detail the February thread did not contain: Anthropic now says the new campaign it attributes to Alibaba is larger in account count (~25,000) and in exchange count (28.8 million), and ran over a tighter six-week window (April 22 to June 5, 2026). ## What distillation is, and why Anthropic says this campaign is different Distillation in the AI developer context is the practice of using a frontier model's outputs as training data for a smaller model, so the smaller model learns to imitate the larger model's behavior on the same inputs. The legal status of distillation is contested: training a model on outputs you paid for through an API is, by default, permitted under most commercial API terms of service. Anthropic's allegation is that the Alibaba campaign violated the API terms in two ways: first, by using fraudulent accounts (which Anthropic says misrepresent the true consumer of the API), and second, by using the API in a pattern that violates the prohibition on training competing models. The new piece in the Anthropic blog post is the detection methodology. Anthropic says it can now detect the pattern automatically: a set of exchanges with reproducible structural similarity that exceeds the natural variance of independent API consumers. The post does not publish the detection signatures, the weights, or the specific account identifiers; it says the company has implemented new detection on the Claude API surface and is willing to share detection signatures with other frontier labs under NDA. Reuters' reporting notes that Anthropic declined to provide the underlying account logs to Reuters; the WSJ piece notes the same. The HN thread on the Reuters story ([https://news.ycombinator.com/item?id=48664814](https://news.ycombinator.com/item?id=48664814)) is dominated by skepticism about whether Anthropic's pattern-detection methodology can distinguish coordinated distillation from legitimate API use at scale. Multiple commenters argue that the patterns Anthropic describes (high-volume API consumption with reproducible exchange structure) are consistent with both coordinated distillation and with the natural shape of legitimate enterprise API consumers (call centers, search wrappers, batch evaluation harnesses). The HN commenter [tasuki](https://news.ycombinator.com/item?id=48664814) summarizes the dominant technical objection: "What makes the accounts fraudulent? If they have paid the agreed price, surely it's fine? If they haven't paid, why did Anthropic provide them service?" Anthropic's response, in the blog post, is that "fraudulent" here means misrepresenting the true consumer of the API, not that the accounts failed to pay. ## What changes for Claude API and Claude Code users Nothing changes for legitimate Claude API or Claude Code users in this disclosure. The fraudulent accounts Anthropic describes were tied to specific usage patterns (coordinated exchange structure across many accounts) that the company says it can now detect automatically; the new detection is on the Claude API surface, not on the Claude.ai consumer or Claude Code surface. Developers using Claude through the official API, the Anthropic SDK, or Claude Code should not see any change in their account or usage. The disclosure also does not change Anthropic's commercial API terms of service, which already prohibit training competing models on Claude outputs. The disclosure is the second in a series, and Anthropic's framing suggests more will follow. The blog post says the company is "working with other frontier labs to share detection signatures" and is "implementing additional detection on the Claude API surface over the coming weeks." Neither phrase implies a particular schedule for additional named disclosures, but the February disclosure followed the same shape (named attackers first, technical detail later) that the June 24 disclosure now follows. ## The export-control pairing The timing is striking. Anthropic's June 24 distillation disclosure lands one week after the company separately disclosed that [a June 12 US export control directive forced it to suspend Fable 5 and Mythos 5 worldwide](/articles/2026-06-13--anthropic-fable-mythos-suspended-us-government), including for foreign nationals inside the United States, and Anthropic is publicly disputing the technical basis of that directive. In one week Anthropic has gone from publicly contesting a US export control directive to publicly naming a Chinese frontier-lab customer as a distillation attacker. The Anthropic blog post does not connect the two stories; the connection is being drawn in the trade press and on X. Bloomberg's reporting on 2026-06-24 frames the allegation as "part of a broader Anthropic effort to demonstrate it is taking action against unauthorized access to its models", which is the closest the trade press has come to drawing the explicit connection. The pairing will likely be a topic of the EU and US regulatory conversations about AI export controls over the next two weeks, particularly given the [Fable & Mythos export control deep dive](/articles/2026-06-13--fable-mythos-export-control-deep-dive) we covered twelve days ago on the technical basis of the original directive. Anthropic's [Project Glasswing security work](/articles/2026-04-07--anthropic-project-glasswing-ai-finds-zero-days-faster-than-humans), covered in April, has been the most prominent public example of Anthropic's broader security posture; the distillation disclosure extends the same posture to API-side abuse, not just downstream consumer abuse. The pattern is consistent: Anthropic is increasingly publishing its security findings in primary-source form rather than waiting for the press to surface them, and the June 24 post is the most detailed primary-source document Anthropic has produced on a single accusation to date. Alibaba has not issued a public statement as of 2026-06-24 23:00 UTC. The Qwen team (@Alibaba_Qwen) has not posted on X about the allegation; the Alibaba Group press contact has not returned Reuters' request for comment. Bloomberg notes that Alibaba did not respond to a request for comment outside business hours in China. The story is fast-moving; an Alibaba response is likely by 2026-06-26.