Anthropic Accuses Alibaba of the Largest Known Attack on Claude AI

I don’t usually get surprised by the scale of AI theft attempts anymore. But 28.8 million exchanges. That number stopped me.

Anthropic has accused Alibaba, the Chinese e-commerce and cloud giant, of running the largest known distillation attack against its Claude AI models. The letter, dated June 10 and sent to US Senators Tim Scott and Elizabeth Warren, alleges that Alibaba and its AI lab Qwen used nearly 25,000 fraudulent accounts to pump 28.8 million queries through Claude between April 22 and June 5, 2026.

For context, that is not a small operation. That is industrial-scale extraction.

What is distillation?

Model distillation is a well-known technique in machine learning. You take a powerful teacher model (in this case, Claude) and feed its outputs into a smaller student model. The student learns to mimic the teacher’s capabilities. It is a legitimate research tool when used properly. When done through thousands of fake accounts against a company’s terms of service, it is theft.

Anthropic says Alibaba targeted Claude’s most advanced features: coding, reasoning, autonomous agent capabilities, and complex planning. The goal: to accelerate China’s ability to reach Anthropic’s Mythos Preview level of performance without doing the research and development themselves.

This is not a first offence

In February 2026, Anthropic revealed it had identified three earlier industrial-scale distillation campaigns from Chinese AI labs. DeepSeek ran 150,000 exchanges. Moonshot AI managed 3.4 million. MiniMax went further with 13 million. Anthropic noted at the time that these campaigns were growing in “intensity and sophistication.”

The Alibaba operation dwarfs all three combined.

The timing matters. In April 2026, the White House Office of Science and Technology Policy issued a memorandum pledging to help AI companies detect and coordinate against industrial-scale distillation. Anthropic’s letter specifically states that Alibaba “ignored the Trump Administration’s warnings” by proceeding anyway.

And just last week, the Commerce Department imposed controversial restrictions on Anthropic’s own Mythos and Fable models, citing fears of deployment by military intelligence users in China and other countries. Anthropic disabled global access to those models in compliance.

So here is the situation: the US government restricts Anthropic’s models from being exported, while simultaneously a Chinese tech giant is caught trying to extract those same capabilities through the back door. And earlier this month, the Commerce Department reportedly held off blacklisting DeepSeek to avoid escalating tensions with Beijing.

The contradiction is hard to miss.

What this means for Australian enterprises

Three things.

First, if you are using AI models from any provider, you need to understand the supply chain risk. A model that has been distilled from a safer frontier model may have had its safety guardrails stripped out. Anthropic’s own blog post on distillation warns that “illicitly distilled models lack necessary safeguards, creating significant national security risks.” That applies to enterprise security as much as national security.

Second, the scale of these attacks tells us that AI capability theft is not going to slow down. If a company as large as Alibaba is running 25,000 fake accounts over six weeks, the incentive to extract frontier AI capabilities is enormous. Every organisation building on top of AI needs to verify where their models come from and what safety measures were removed in the process.

Third, the regulatory picture is only getting more complex. Export controls, distillation attacks, and geopolitical tensions are creating an environment where the rules can change overnight. If your business relies on AI infrastructure, you need contingency plans for model access being restricted, not just for price increases.

The real story here is not just about one company versus another. It is about the escalating arms race in AI capabilities, where the line between competitive intelligence and outright theft has been crossed at a scale we have not seen before.

Twenty-eight million exchanges. Twenty-five thousand fake accounts. One clear message: the fight over who gets frontier AI capabilities is already here, and it is bigger than most people realise.
