Alibaba Accused of Distilling Claude with 25,000 Fake Accounts in Largest Known Model Theft Case

On June 10, 2026, Anthropic sent a letter to the U.S. Senate Committee on Banking, Housing, and Urban Affairs, accusing Alibaba of大规模 distilling the Claude model through 25,000 fake accounts and 28.8 million interactions between April 22 and June 5, 2026. According to Reuters and CNBC, if confirmed, this case would be the largest known attack by a Chinese company on a U.S. AI firm, also involving three Chinese AI companies: DeepSeek, Moonshot AI, and MiniMax.

On June 10, 2026, Anthropic sent a letter to the U.S. Senate Committee on Banking, Housing, and Urban Affairs, accusing Alibaba of大规模 distilling the Claude model through 25,000 fake accounts and 28.8 million interactions between April 22 and June 5, 2026. According to Reuters and CNBC, if confirmed, this case would be the largest known attack by a Chinese company on a U.S. AI firm, also involving three Chinese AI companies: DeepSeek, Moonshot AI, and MiniMax.

Technical Path of Model Distillation Attacks

The core of a distillation attack lies in exploiting the target model's public API outputs, repeatedly querying to collect high-value responses, which are then used to train the attacker's own weaker model. Alibaba's operations covered the Tongyi Qianwen team, with a peak daily interaction volume far exceeding normal user patterns. In its letter, Anthropic listed evidence such as account creation times, query template repetition rates, and output length distributions, which directly point to organized batch operations.

In comparison, DeepSeek's distillation activities after January 2025 recorded only 150,000 interactions, Moonshot AI 3.4 million, and MiniMax 13 million. Alibaba's single operation alone exceeded the combined scale of the previous three.

Current Protection Status and Weaknesses of Claude Models

The Claude series relies on rate limits, anomaly detection, and account verification to block batch queries. However, 28 million fake accounts indicate that existing verification processes can be bypassed at low cost. According to the official blog, attackers used real corporate email addresses and phone numbers for initial registration, then maintained sessions through proxy IPs and scripts.

This fact exposes a practical issue in API design: developers relax initial verification to improve ease of use, leading to systematic collection of high-value model outputs. An Anthropic spokesperson clearly stated that government and industry coordination is necessary to effectively counter such threats.

Comparison with Other AI Products

DeepSeek quickly gained market attention through low-cost models, with a relatively limited distillation scale, relying more on publicly available benchmark data rather than targeting a single entity directly. Moonshot AI and MiniMax also focused on output collection in their actions, but their interaction counts did not exceed the tens of millions.

On the U.S. side, on June 12, 2026, the Department of Commerce imposed export restrictions on Anthropic's latest Mythos and Fable series models, showing that policy tools have shifted from simple blacklisting to targeted technical controls. A previous memorandum from the White House Office of Science and Technology Policy pledged to help companies detect large-scale distillation, but actual enforcement still depends on companies voluntarily reporting.

Practical Recommendations for Developers

Developers should add query pattern analysis at the API level, such as detecting high-frequency repetition of the same semantic template and concentrated requests during abnormal time periods. Combining device fingerprints with behavior baselines can intercept script-driven account clusters at an early stage.

Second, model outputs should default to including watermarks or perturbation mechanisms to degrade the quality of data used for distillation training. Anthropic has begun testing such techniques but has not yet fully deployed them.

  • Limit daily token quotas per account and implement gradual release for new accounts.
  • Share suspicious IP and email address lists with cloud service providers to establish an industry blacklist.
  • Regularly audit logs, focusing on non-natural language structured queries.

Strategic Recommendations for Enterprises

Enterprises need to incorporate model security into supply chain risk assessments. The Alibaba incident shows that relying solely on legal warnings has limited effect; detection capabilities must be enhanced at the technical level. It is recommended to establish information-sharing channels with companies like Anthropic to promptly learn about known attack patterns.

For Chinese AI companies, distillation can temporarily improve performance, but relying on a single source brings compliance and sustainability risks. Developing proprietary foundational models remains the long-term path.

According to the letter disclosed by Bloomberg News, Anthropic has characterized this case as "the largest known model distillation attack to date" and emphasized that the disregard for the Trump administration's warnings has escalated the severity of the situation.