
The Great AI Heist: Alibaba's 28.8M-Query Distillation Attack on Claude Reshapes AI Security

Alibaba Group headquarters building in Hangzhou, China, headquarters of the accused company

In the largest known AI model heist, operators linked to Alibaba generated 28.8 million exchanges with Anthropic's Claude over 44 days — using 25,000 fraudulent accounts to steal the model's most advanced reasoning and coding capabilities through a technique called distillation.

On June 24, 2026, Anthropic sent a confidential letter to U.S. Senators Tim Scott and Elizabeth Warren, revealing what it calls the most aggressive industrial-scale AI theft attempt ever detected. The attack ran from April 22 to June 5, targeting Claude's crown-jewel capabilities: agentic reasoning, software engineering, and long-horizon task execution. This story is reshaping AI security, reigniting US-China tech tensions, and forcing a reckoning over how we protect frontier AI models.

What Actually Happened?

Between April 22 and June 5, 2026, a coordinated cluster of nearly 25,000 fraudulent accounts bombarded Anthropic's Claude with 28.8 million queries. These weren't ordinary users asking casual questions. The accounts exhibited a telltale pattern: repetitive prompt structures, identical capability targets, and massive volume — all routed through commercial proxy services designed to mask their origin.

Anthropic's internal detection systems — behavioral fingerprinting, coordinated activity analysis, and chain-of-thought elicitation classifiers — flagged the activity within weeks. But by then, the damage was done: gigabytes of Claude's most sophisticated outputs had been siphoned and fed into a rival model training pipeline.
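The three signals named above (repetitive prompt structures, identical capability targets, and volume funneled through shared proxy infrastructure) can be turned into a simple coordinated-activity detector. The following is an added example, not Anthropic's detection code: it clusters accounts that send the same prompt shape through the same egress provider and flags a cluster only when it is large, high-volume, and made up of accounts whose traffic is individually repetitive. The log fields, the egress labels, the thresholds and the sample records are all constructed for this example.

```python
"""Coordinated-distillation detection over constructed API request logs.

Added example, not Anthropic's code. It mirrors the three signals the
article names (repetitive prompt structures, identical capability targets,
volume routed through shared proxy infrastructure) and clusters accounts
that share all three. Field names, thresholds and log records are
assumptions constructed for this example.
"""
import json
import re
from collections import Counter, defaultdict

# Thresholds are assumptions sized for the toy data, not production values.
MIN_CLUSTER_ACCOUNTS = 5
MIN_CLUSTER_QUERIES = 100
MIN_REPETITION_RATIO = 0.8   # share of one account's traffic on a single template


def prompt_template(prompt: str) -> str:
    """Collapse the variable parts of a prompt so structurally identical
    requests map to one template key (the 'repetitive prompt structure' signal)."""
    t = prompt.lower()
    t = re.sub(r'```.*?```', '```CODE```', t, flags=re.S)  # fenced code blocks
    t = re.sub(r'"[^"]*"', '"STR"', t)                       # quoted strings
    t = re.sub(r'\d+', 'N', t)                               # numbers
    return re.sub(r'\s+', ' ', t).strip()


def build_log() -> list:
    """Constructed request records, built in memory so the example runs offline."""
    records = []
    # A coordinated cluster: six accounts, one prompt shape, one proxy provider.
    for i in range(6):
        for j in range(30):
            records.append({
                "account": f"acct-{i:03d}",
                "egress": "proxyco",   # constructed label for a commercial proxy ASN
                "prompt": f'Solve task {j} step by step and show reasoning: "task-{j}"',
            })
    # Two ordinary accounts with varied prompts from a residential ISP.
    ordinary = ["Write a haiku about rain",
                "Explain TCP handshakes",
                'Translate "hola" to French']
    for i in range(2):
        for p in ordinary:
            records.append({"account": f"user-{i}", "egress": "home-isp", "prompt": p})
    return records


def detect_clusters(records):
    """Return flagged clusters: (template, egress) groups whose accounts are
    numerous, high-volume and individually repetitive."""
    per_account = defaultdict(Counter)   # account -> Counter(template)
    cluster = defaultdict(Counter)       # (template, egress) -> Counter(account)
    for r in records:
        key = prompt_template(r["prompt"])
        per_account[r["account"]][key] += 1
        cluster[(key, r["egress"])][r["account"]] += 1

    flagged = []
    for (tmpl, egress), accounts in cluster.items():
        total = sum(accounts.values())
        if len(accounts) < MIN_CLUSTER_ACCOUNTS or total < MIN_CLUSTER_QUERIES:
            continue
        # Keep only accounts whose own traffic is dominated by this template.
        repetitive = [
            a for a in accounts
            if per_account[a][tmpl] / sum(per_account[a].values()) >= MIN_REPETITION_RATIO
        ]
        if len(repetitive) >= MIN_CLUSTER_ACCOUNTS:
            flagged.append({"template": tmpl, "egress": egress,
                            "accounts": sorted(repetitive), "queries": total})
    return flagged


if __name__ == "__main__":
    print(json.dumps(detect_clusters(build_log()), indent=2))
```

Run as-is it flags one cluster: six `acct-*` accounts, 180 queries, all via `proxyco`; the two ordinary accounts never reach the account or volume thresholds. The design choice worth noting is that no single signal triggers an alert: a popular prompt shape alone is normal, and a busy proxy alone is normal, but many accounts that each spend most of their traffic on the same shape through the same egress is the pattern worth a human look.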

The Distillation Arms Race Is Escalating Fast

Model distillation is a legitimate technique where a smaller model learns from a larger one's outputs — companies distill their own models all the time to make them faster and cheaper. The line Anthropic draws is between distilling your own model (standard practice) and distilling a competitor's proprietary model without permission using fraudulently obtained access.

What makes this attack staggering is its sheer scale compared to previous incidents:

Attack              Date           Queries   Accounts
DeepSeek            Feb 2026       150K      ~500
Moonshot            Feb 2026       3.4M      ~4K
MiniMax             Feb 2026       13M       ~19K
Alibaba (alleged)   Apr-Jun 2026   28.8M     ~25K

In just four months, the scale of detected attacks ballooned from 150K queries to nearly 29 million. The combined February 2026 attacks by DeepSeek, Moonshot, and MiniMax totaled 16.5 million exchanges from roughly 24,000 accounts — numbers the Alibaba-linked operation now dwarfs by itself.

Video: Anthropic Accuses Alibaba of Massive AI 'Theft' Campaign

The Geopolitical Chessboard

This story doesn't exist in a vacuum. It unfolds against a backdrop of escalating US-China AI competition that touches everything from AI cybersecurity to model governance:

  • April 23, 2026: The Trump administration issued NSTM-4, a White House memo declaring industrial-scale AI theft an "unacceptable threat."
  • June 23, 2026: Alibaba separately sued the U.S. Pentagon over its designation as a "Chinese military company" — just one day before the distillation allegations went public.
  • June 24, 2026: Anthropic's letter to Congress kicked off a new wave of bipartisan scrutiny. Senators Hagerty and Kim are now moving to amend defense legislation to blacklist distillation operators.
  • June 25, 2026: 360 Security founder Zhou Hongyi called Anthropic's flagship Mythos model a "cyber nuclear weapon" that China must replicate — inadvertently validating exactly the fear Anthropic had raised.

Alibaba stock dropped roughly 3% after the allegations broke. The company has not directly responded to the distillation claims, but its parallel Pentagon lawsuit suggests a broader strategy of pushing back against US restrictions while expanding its AI capabilities.

The Safety Paradox Nobody Is Talking About

Here's what keeps AI safety researchers up at night. When you distill a frontier model, the student model inherits capabilities — including dangerous ones like vulnerability discovery, surveillance logic, and bioweapon knowledge — but it doesn't inherit the safety guardrails.

Anthropic's Mythos can find 271 zero-day vulnerabilities in Firefox. It can reason through complex biological pathways. It can write sophisticated social engineering scripts. All of these capabilities come wrapped in layers of refusal training and safety alignment in the original model. A distilled copy gets the raw capability without those constraints.

This relates to broader questions of AI safety and reward model integrity — when capabilities and alignment get decoupled through theft, the results can be unpredictable and dangerous.

The Irony Debate: Who's the Real Villain?

The Hacker News discussion around this story reveals a deeply polarized community. One camp argues that calling this an "attack" is a PR maneuver by Anthropic to manipulate Congress. Their reasoning: AI companies trained their models on copyrighted data scraped from the entire internet — if Anthropic can use everyone's IP, why can't Alibaba use Anthropic's outputs? "Distillation is not an attack," one commenter wrote. "It's just using the model as intended."

The counterargument is equally forceful: 25,000 fraudulent accounts systematically violating terms of service at industrial scale is unequivocally abuse. Terms of service violations crossed with fraud and IP theft at this volume don't become legitimate just because the upstream training data was also scraped.

This central tension — the AI industry built on everyone else's content now crying foul when its own content gets taken — is the story's most uncomfortable question and one without a clean answer.

Video: Anthropic Accuses Alibaba of Distillation Attack on Claude — Full Analysis

Anthropic's Three-Point Policy Response

In its letter to Congress, Anthropic proposed three concrete actions it says are needed to prevent future attacks:

  1. Update antitrust laws to allow AI firms to share threat intelligence on Chinese evasion tactics — current law prevents companies from coordinating on security responses.
  2. Tighten chip export controls to deny Chinese labs the compute capacity needed to run distillation operations at scale.
  3. Penalize bad actors by limiting access to U.S. models, chips, and data centers for entities caught conducting industrial-scale distillation.

These demands come as Anthropic gears up for a blockbuster IPO alongside OpenAI. The company is simultaneously trying to protect its technology, prove its security credentials to investors, and navigate a geopolitical minefield.

What This Means for AI's Future

This attack marks a turning point. The era where frontier AI models could be protected by simple rate limits and terms of service is over. Detection systems that worked for 150K-query attacks are being redesigned for a world where adversaries launch 29 million queries across 25,000 accounts.

For everyday users, the immediate impact is invisible — Claude isn't shutting down, and Anthropic's countermeasures are already in place. But the broader AI agent economy will be shaped by these security battles. If frontier models can't be protected, the most advanced AI capabilities may become increasingly locked behind government-controlled systems, slowing innovation for everyone.

For comparisons on how different frontier models stack up amid this escalating security landscape, check out our full AI model comparison for 2026.

Featured image: Alibaba Group headquarters in Hangzhou, China. Photo via Wikimedia Commons (CC BY-SA 4.0).

This article was published on June 28, 2026. Follow GetYourDozAi for the latest in AI model security, comparisons, and industry analysis.
