Skip to content

Alibaba Opened 25,000 Fake Accounts to Talk to Claude. Anthropic Took It to the Senate.

DS
LDS Team
Let's Data Science
7 min
In a June 10 letter to the Senate Banking Committee, Anthropic accused operators tied to Alibaba's Qwen lab of running 28.8 million conversations with Claude through roughly 25,000 fraudulent accounts between April 22 and June 5. The stated goal was to copy Claude's most valuable skills. It is the largest extraction campaign Anthropic has ever reported, nearly double the one it pinned on three Chinese labs in February.

The letter did not go to a court or to a regulator. It went to Congress.

On June 10, Anthropic sent a document to the senior members of the US Senate Banking Committee, Chairman Tim Scott and Ranking Member Elizabeth Warren, laying out an accusation that surfaced publicly on June 24 through Reuters. The claim: operators affiliated with Alibaba and its Qwen AI lab had spent six weeks systematically pulling capabilities out of Claude, Anthropic's flagship model, by talking to it nearly 29 million times across tens of thousands of fake accounts.

The campaign ran from April 22 to June 5, used roughly 25,000 fraudulent accounts, and generated more than 28.8 million exchanges with Claude, according to the letter. Anthropic says it targeted the exact areas where Claude is strongest: agentic reasoning, software engineering, and long-horizon tasks that unfold over many steps. Alibaba did not respond to requests for comment.

The Word Anthropic Used Was Distillation

The technique at the center of the accusation is called model distillation: training a smaller, cheaper model on the outputs of a more powerful one so the smaller model learns to imitate it. The attacker never sees the target's source code, its weights, or its training data. They simply ask it millions of carefully chosen questions, record the answers, and use those question-answer pairs to teach a separate model. The clone inherits behavior, not blueprints.

That distinction matters, because it means no firewall was breached and no database was stolen. Everything happened through normal API access, the same front door every paying developer uses. The alleged offense is not breaking in. It is the scale and intent of the asking. This is the same dynamic that makes fine-tuning a model on another model's outputs so powerful and so hard to police.

Anthropic argues the practice is dangerous for a reason that goes beyond competition. A model distilled from Claude can approximate Claude's abilities without inheriting any of the safety training, usage policies, or access controls that Anthropic built around the original. The capability transfers. The guardrails do not.

This Is the Second Time, and It Is Bigger

The Alibaba accusation is not Anthropic's first. In February 2026, the company said it had caught three other Chinese AI labs running similar campaigns against Claude: DeepSeek, Moonshot AI, and MiniMax. The activity in that disclosure ranged from more than 150,000 exchanges attributed to DeepSeek to more than 13 million attributed to MiniMax.

The Alibaba campaign, at 28.8 million exchanges, is larger than that entire earlier set combined. Anthropic describes the pattern as escalating, with each campaign better at evading detection than the last. The targeting has also sharpened. Where the February campaigns went after general Claude performance, the alleged Alibaba effort zeroed in on the high-value agentic and coding capabilities that are the most commercially important part of Anthropic's business and the hardest to build.

CampaignReported byScalePrimary target
DeepSeek, Moonshot, MiniMaxFebruary 202616 million-plus exchanges, ~24,000 accountsGeneral Claude capabilities
Alibaba / QwenJune 202628.8 million exchanges, ~25,000 accountsAgentic reasoning, coding, long-horizon tasks

Why a Working Engineer Should Care

The case reframes a risk most teams have never put on a list. When a company builds on a frontier model through an API, it is renting intelligence it does not own and cannot fully audit. If that intelligence can be copied at scale, the supply chain a business depends on extends far past its own code.

"The enterprise supply chain no longer ends at software, APIs, and cloud regions," said Sanchit Vir Gogia, chief analyst at Greyhound Research. "It now includes rented intelligence, and rented intelligence can be copied and redeployed well outside the safety controls it was born with."

Gogia argues distillation should be a board-level concern, because a weaker model trained on a stronger one inherits its capabilities without the governance around the original. Pareekh Jain, CEO of Pareekh Consulting, put the downstream danger in concrete terms: a rival that clones the model a company relies on can probe it for blind spots, attack the automated systems built on it, or trigger the vendor to panic and pull services that a business needs to function.

Jain's advice for buyers is practical. Press vendors on how they detect and block large-scale extraction, demand contractual bans on distillation and incident disclosure, and negotiate audit rights and refunds if a service is compromised or abruptly shut down. Anand Joshi, an AI analyst at TechInsights, added that publishers will likely need watermarking built into both models and their outputs, so a stolen set of "skills" can be traced back to its source.

The Other Side

Anthropic's claims are unproven. The company has presented usage data and an inference about who was behind the accounts, not a verdict, and Alibaba has not answered the charge publicly. Distillation is notoriously hard to prove from the outside, because the evidence is a pattern of API traffic rather than a smoking gun, and attributing tens of thousands of accounts to a specific corporate actor is an interpretive step, not a fingerprint.

The timing also invites questions. The letter landed amid intense US-China technology tensions, shortly before Washington moved to tighten access to advanced American models, and as Anthropic itself prepares for a public offering after filing confidentially for an IPO. A company arguing to senators that its intellectual property is a national security asset has commercial and political incentives that sit alongside the technical claim. None of that makes the accusation false. It does mean the audience for the letter, Congress rather than a courtroom, is part of the story.

There is also a legal gray zone underneath all of it. The outputs a model generates are not clearly protected the way code or copyrighted text is, which is part of why Anthropic is asking lawmakers for new rules rather than simply suing.

The Bottom Line

Strip away the geopolitics and a stark fact remains. Anthropic spent enormous sums building Claude's most valuable abilities, and it says a competitor reproduced a meaningful slice of them for the price of an API bill and some patience. Whether or not the specific accusation against Alibaba holds, the method is real, it is getting cheaper, and the February-to-June jump in scale suggests it is becoming routine.

For everyone building on top of a frontier API, the lesson is uncomfortable but clarifying. The model you rent is also a model that can be copied, and the safety controls you assume travel with it may not survive the copy. As Anthropic framed it to the Senate, the question is no longer whether intelligence can be extracted. It is who gets to decide what happens when it is.

Sources

Practice interview problems based on real data

1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.

Try 250 free problems