Anthropic has accused Alibaba of orchestrating “the largest campaign to illicitly extract Claude’s capabilities,” according to a letter sent to US Senators Tim Scott and Elizabeth Warren dated June 10. The San Francisco-based AI company said operators linked to Alibaba conducted almost 29 million exchanges with Claude using thousands of fraudulent accounts.

The attacks used a technique known as distillation, where a weaker model is trained by systematically extracting answers from a stronger one. According to Anthropic, the Alibaba-linked operators specifically targeted Claude’s most valuable capabilities: its handling of longer, more complex tasks and its approach to decision-making.

The Distillation Problem at Scale

Distillation attacks are not new. US AI developers have previously accused Chinese competitors of using the technique to train models that rival American AI at a fraction of the cost. OpenAI has made similar accusations. What distinguishes the Anthropic complaint is the scale: 29 million exchanges represents an industrial-grade extraction operation, not opportunistic scraping.

Anthropic’s letter described these attacks as occurring on an “industrial scale” and argued they allow Chinese companies to “harvest and repackage US AI capabilities as their own.” The company urged Congress to penalise companies behind such operations and strengthen measures to prevent US technology theft.

The Geopolitical Context

The accusation lands in an already charged environment. Anthropic’s letter cited the US Department of Defense’s claims that Alibaba, along with carmaker BYD and tech company Baidu, are tied to the Chinese military. All three companies have denied those allegations.

Alibaba has pushed back on the broader US pressure campaign. The company sued the US government this week seeking removal from the Pentagon blacklist, a designation that restricts US investment in the company.

Anthropic framed the stakes in national security terms: “Distillation attacks turn hundreds of billions of dollars in American investment and R&D into a massive subsidy for our geopolitical competitors.” The letter also cited other alleged attacks that Anthropic said posed a direct threat to the US military, though the BBC report did not specify their nature.

The Enforcement Gap

The accusation highlights a structural problem for AI labs. Distillation attacks exploit API access, the same interface that paying customers use legitimately. Detecting and blocking coordinated extraction campaigns requires identifying patterns across thousands of accounts, each individually indistinguishable from normal usage.

For agent platforms and AI infrastructure operators, the implications are concrete. Any system that exposes model capabilities through an API faces the same vulnerability. The question is whether the industry’s response will be technical (better anomaly detection, rate limiting, capability fingerprinting) or political (export controls, sanctions, Congressional action), or both.

Anthropic is currently preparing for a stock market debut alongside OpenAI, which adds a commercial dimension to the public accusation. Demonstrating that it takes IP protection seriously matters to potential investors evaluating the durability of its competitive moat.