You've probably seen the headline: Anthropic accused Alibaba of stealing Claude. But the technical term at the center of it — AI model distillation — is not a dirty word. It's been a standard AI research technique for over a decade. What makes the Anthropic case significant isn't distillation itself; it's what the company says happened to get there: fake accounts, proxy routing, and nearly 29 million interactions designed to harvest Claude's most valuable capabilities without authorization.
This article explains what distillation actually is, where it crosses the line, how the alleged attack worked, and why the legal picture is murkier than the headlines suggest. If you build on AI APIs, sell prompts, or run any kind of AI-powered product, this story touches you directly.
What Anthropic Says Alibaba Did
On June 24, 2026, Reuters reported on a confidential letter that Anthropic sent to U.S. Senate Banking Committee leaders — Senator Tim Scott and Senator Elizabeth Warren — dated June 10. According to Reuters and the Financial Times, both of which reviewed the letter, Anthropic alleged that operators linked to Alibaba and its AI lab Qwen conducted a coordinated campaign to extract Claude's capabilities.
The numbers Anthropic cited are striking:
- Nearly 25,000 fraudulent accounts were created to access Claude
- More than 28.8 million exchanges with Claude were generated
- The campaign ran from April 22 to June 5, 2026
- The activity specifically targeted Claude's software engineering, agentic reasoning, and long-horizon task capabilities
Anthropic described it as the largest known distillation attack on the company to date — larger than the combined campaigns it had disclosed in February 2026 against DeepSeek, Moonshot, and MiniMax.
How This Fits a Broader Pattern
This isn't an isolated event. In February 2026, Anthropic publicly posted that it had identified what it described as "industrial-scale" distillation campaigns by three Chinese AI labs: DeepSeek, Moonshot, and MiniMax. Those earlier campaigns, Anthropic said, involved roughly 24,000 fake accounts and more than 16 million interactions with Claude. The April 2026 White House memo accused China-based entities broadly of systematic campaigns to extract U.S. frontier AI capabilities, according to Reuters.
The Alibaba allegations, if borne out, would represent an escalation — both in scale and in corporate profile.
What AI Model Distillation Actually Means
The concept was formalized by Geoffrey Hinton, Oriol Vinyals, and Jeff Dean in a 2015 paper, Distilling the Knowledge in a Neural Network. The idea is simple: a smaller, faster "student" model can be trained on the outputs — rather than the raw training data — of a larger "teacher" model. The student learns to approximate the teacher's behavior at a fraction of the computational cost.
Done legitimately, this is a normal part of AI development. DeepSeek's January 2025 R1 technical report openly describes releasing a family of smaller models distilled from its own R1 system. No controversy there — they owned the teacher model and published everything openly.
The legal and ethical line is about authorization and acquisition method. Distillation from your own model, or from outputs you've licensed, is accepted engineering. Distillation from a competitor's model — especially using fake accounts, proxy routing, and automated bulk querying that explicitly violates that platform's terms — is a different matter.
Distillation vs. Model Extraction vs. API Scraping
These three terms get tangled in coverage, and they're not the same thing:
| Technique | What it involves | Legal risk | Detectability |
|---|---|---|---|
| Knowledge distillation | Training a smaller student model on a teacher's outputs — standard ML technique when authorized | Low when authorized; high when outputs were obtained fraudulently or to build a competing product | Hard from behavior alone without lineage evidence or watermarking |
| Model extraction | Reproducing a model's behavior from black-box API access via systematic querying and student training | High when paired with fake accounts, anti-circumvention, or reverse-engineering facts | Visible via systematic query patterns, capability probing, and high-volume harvesting |
| API scraping | Automated bulk collection of model outputs through an API, often feeding later extraction or distillation | Variable; contract violations and fraud (fake accounts, proxies) increase risk sharply | Usually the most visible layer — leaves traffic, account, and automation traces |
| Prompt engineering | Designing better inputs to get better outputs from an existing model | Generally low when used within platform terms; misuse can still violate policies or law | N/A for ordinary use |
Prompt engineering is not model theft. Prompt extraction — trying to recover a hidden system prompt from model behavior — is a real and separate security concern, but it's not the same as training a surrogate model.
How Illicit Extraction Can Work in Practice
The mechanism isn't complicated, which is part of the problem. Here's how a coordinated campaign to copy a frontier model's behavior can work:
- Create access at scale. Fraudulent accounts get around geographic restrictions and rate limits. In Anthropic's allegation, this reportedly involved nearly 25,000 accounts — enough to distribute the query load and avoid detection thresholds.
- Run capability-targeted prompts. Rather than asking random questions, attackers design prompts that probe the model's most commercially valuable behaviors: complex reasoning, code generation, multi-step tool use, long-horizon planning. Anthropic's February and June disclosures both highlight this targeting as deliberate and economically rational.
- Collect outputs at scale. The query corpus becomes a dataset of high-quality inputs and outputs — pseudo-labeled training data that the attackers didn't have to generate themselves.
- Clean and deduplicate. Raw scrapes are noisy. Before fine-tuning, the corpus gets filtered.
- Fine-tune a student model. The cleaned output dataset is used to train or fine-tune a smaller internal model, giving it behaviors it never had to earn through expensive pretraining.
OpenAI's early 2026 memo about DeepSeek — reported by Reuters in February — described employees using obfuscated third-party routers to disguise the origin of programmatic queries. Anthropic's June allegation points to a similar playbook: proxy routing and fake accounts to bypass geographic and contractual restrictions.
Why Reasoning Traces and Agentic Outputs Are Particularly Valuable
Anthropic specifically said the alleged campaign targeted agentic reasoning and long-horizon tasks. That focus is economically significant: reasoning-style outputs and detailed intermediate explanations can provide richer training supervision than final answers alone.
However, visible reasoning should not be treated as a faithful map of a model’s internal process. Research has shown that chain-of-thought explanations can be plausible yet misleading. Their value to a student model comes from the structured examples they provide, not from giving a literal view into how the teacher model “thinks.”
Is It Illegal? What the Law Actually Says
This is where coverage often oversteps. There is no single law that cleanly says "unauthorized AI model distillation is a crime." The legal situation is genuinely unsettled, and framing this as a clear-cut IP theft case gets ahead of where courts and regulators actually are.
What the Terms of Service Say
The clearest enforcement path currently available to AI providers is contractual. Anthropic and OpenAI both publish terms that restrict model extraction, automated output harvesting, reverse engineering, and the use of their services to develop competing AI models.
Anthropic’s Commercial Terms prohibit customers from accessing its services to build a competing product, train competing AI models, reverse engineer the services, or support a third party attempting to do so.
The OpenAI Services Agreement similarly restricts customers from using outputs to develop competing AI models, extracting data outside the permitted service functionality, circumventing usage limits, or bypassing protective measures.
If Anthropic can show that the accounts involved accessed Claude under terms containing these restrictions, it may have a relatively direct contractual argument. The alleged use of fraudulent accounts and proxy routing could strengthen that argument by suggesting deliberate circumvention rather than ordinary platform use.
Trade Secret and Computer Access Claims
Beyond contract, the more significant legal theories involve trade secret misappropriation and computer access abuse. Courts have found that even publicly queryable systems can support trade-secret claims when the acquisition method involves deception or improper means. The Eleventh Circuit's decision in Compulife v. Newman, discussed in Reuters' legal analysis, is one relevant precedent for how scraping a seemingly available system can still constitute misappropriation when it involves bad-faith conduct.
The Computer Fraud and Abuse Act picture is more complicated. The Supreme Court's Van Buren decision and the Ninth Circuit's hiQ v. LinkedIn ruling have both narrowed the scope of CFAA liability for scraping in some contexts. But those cases largely involved public data on platforms that didn't require accounts. The Anthropic situation — fake accounts, authenticated access, explicit contractual bans, geographic restrictions being evaded — sits in a different territory.
Regulatory and Government Framing
The White House memo from April 2026, reported by Reuters, accused China-based entities of conducting "deliberate, industrial-scale campaigns to distil US frontier AI systems." A day after that, Reuters reported that the State Department launched a diplomatic push warning foreign governments about these activities. The Senate Banking Committee hearing that Anthropic's June 10 letter was written ahead of adds a further layer of congressional attention.
Anthropic's letter also tied distillation attacks to its existing argument for export controls on advanced AI chips — namely, that chip restrictions matter not just for limiting raw training capacity but also for limiting the scale at which distillation attacks can be operationalized.
Why This Matters Beyond Anthropic and Alibaba
The Anthropic-Alibaba story will eventually fade from the news cycle. The underlying dynamic won't.
If a sufficiently capable model can be partly replicated through harvested outputs, then raw pretraining spend is not a sustainable moat on its own. The battle shifts toward security infrastructure, provenance tracking, account controls, distribution, product integration, and trust. Every major lab is going to spend more on detecting and blocking extraction campaigns after this disclosure.
What It Means for Frontier AI Labs
Detection capabilities are becoming nearly as important as model capabilities. Identifying coordinated activity across thousands of accounts requires account verification, traffic analysis, behavioral monitoring, and information sharing between platforms.
If Anthropic’s account of the campaign is accurate, the scale of the activity suggests that frontier AI providers will need to invest more heavily in detecting automated output harvesting and coordinated attempts to bypass access restrictions. The disclosure is also likely to prompt other AI labs to review their own account controls and monitoring systems.
Anthropic has urged Congress to consider legislation that would penalize entities found to be conducting unauthorized distillation campaigns. Whether those proposals become formal legislation will depend on congressional action and the evidence made available to lawmakers.
What It Means for AI Product Builders and Prompt Creators
Here's the less-obvious angle that most coverage misses: this story applies on a smaller scale too. If you build a valuable AI workflow, a premium custom GPT, a paid Claude project, or a system prompt that powers a real product, you're operating in the same ecosystem. Prompt extraction research has shown that hidden system prompts can often be reconstructed from model behavior — meaning the valuable IP isn't only the base model, but also the scaffolding around it.
Protecting your own AI-powered products means thinking about the same layers that labs think about: what does your system expose through its outputs? How much does your interface reveal about how you've instructed the model?
If you build AI products on top of third-party models, do not treat a hidden system prompt as a secure secret. Keep sensitive business logic server-side, limit unnecessary output detail, monitor repeated probing, and use authentication, rate limits, and abuse detection to protect valuable workflows.
The Open vs. Closed Tension
DeepSeek publicly released a family of smaller models distilled from outputs generated by its own R1 system, along with an accompanying technical report.
That is a different situation because the teacher model and the distillation process were controlled by the same developer.
FAQ: AI Model Distillation and the Anthropic-Alibaba Case
The Real Battle Is About Permission and Provenance
AI model distillation has long been a legitimate engineering technique. What has changed is the scale at which companies say it can be combined with automated output harvesting, fraudulent access, and attempts to bypass platform restrictions.
If Anthropic’s allegations are accurate, a campaign involving tens of thousands of fraudulent accounts, proxy routing, and millions of capability-targeted queries would be better described as unauthorized model extraction than ordinary optimization research. The claims have not been adjudicated, and no publicly available evidence currently proves that Claude’s outputs were used to train a released Alibaba or Qwen model.
The Anthropic–Alibaba dispute may influence congressional discussions, platform policies, export controls, and future litigation. But its lasting significance goes beyond the two companies. It raises a broader question about where AI's competitive advantage lies when a model’s behavior can be studied and partially imitated through an interface.
If that advantage depends only on model weights and expensive training runs, it may be more vulnerable than companies assume. Security controls, output provenance, account monitoring, product integration, and defensible system design could become just as important as training compute.
For developers and AI product builders, the practical lesson is clear: read the API terms, monitor how your product is being queried, and think carefully about what your outputs reveal. For readers following AI industry news, the distinction matters too. Distillation is not automatically theft. The central questions are whether the model owner authorized the process, how the outputs were obtained, and what they were ultimately used to build.
Stay ahead of AI tools, prompts, and industry shifts
AI Promix covers practical AI tools, prompt engineering, automation workflows, and the news that actually matters for AI product builders.
Explore AI Promix →

