25,000 Fake Accounts, 28.8 Million Hits on Claude — Anthropic Took Alibaba to the Senate

A new way to "steal" a model — knock on the API 28.8 million times

Here's the deal: Anthropic accused China's Alibaba of "the largest known adversarial distillation campaign" against Claude, telling the U.S. Senate. Bloomberg broke it on June 24, surfaced through a June 10 letter Anthropic sent to the Senate Banking Committee's chair and ranking member. The gist: operators tied to Alibaba's Qwen lab used roughly 25,000 fake accounts and commercial proxies to run 28.8 million unauthorized exchanges with Claude over six weeks.

First, what "distillation" even is. You throw millions of questions at a powerful model (Claude), collect its answers, and use them as a textbook to train your own model. Picture taking a genius tutor's solutions to millions of problems, then teaching another student from those notes. You don't steal the model weights directly — you copy the model's "intelligence" through API calls alone. That's exactly why it's so hard to block.

The scale is genuinely staggering. That 28.8 million figure is larger than the combined suspicious activity of three other Chinese labs (DeepSeek, Moonshot, MiniMax) that Anthropic disclosed back in February. And it specifically targeted Claude's most advanced abilities — software engineering and agentic reasoning — with the bullseye on Anthropic's frontier "Mythos Preview" model.

So here's what we'll unpack: what distillation actually is, how Alibaba allegedly did it, why Anthropic went to the Senate instead of court, and what it means for U.S.–China AI competition and model security. Three players and the picture comes into focus.

The players — Anthropic, Alibaba, and 'Mythos'

First, Anthropic. The safety-focused maker of Claude. The key point: Anthropic is currently the loudest voice in the U.S. AI camp on "security and export controls." It has steadily argued to Washington that advanced AI capability must be kept from leaking to China. This accusation isn't a mere corporate dispute — it's Anthropic walking into politics with the "evidence" to back that argument.

Next, Alibaba. One of China's biggest tech firms and the maker of the powerful Qwen open-model series. Qwen is famous as one of the top performers in the global open-model ecosystem. But if Anthropic's claim holds, the suspicion is that some of Qwen's capability could be "distilled out of Claude." For Alibaba, that's a heavy charge that could shake the legitimacy of its own models.

Third, the targeted model: Mythos. Anthropic's frontier preview model, known for state-of-the-art coding and agentic reasoning. That the campaign aimed at Mythos specifically means this wasn't generic data collection — it was a targeted grab for "the most expensive, hardest capability." Of all the genius tutors, they picked the one teaching the hardest subject and copied its notes.

One sentence to tie it together: the company that has argued hardest for model security and export controls (Anthropic) accused China's biggest open-model maker (Alibaba) of distilling its frontier model (Mythos) by knocking on it 28.8 million times — and took it to the U.S. Senate. That's the backbone.

What's alleged

Words scatter, so here are the reported claims in a table.

Item	Detail
Accuser	Anthropic
Accused	Alibaba (operators tied to Qwen lab)
Method	Adversarial distillation
Scale	~28.8 million unauthorized exchanges
Fake accounts	~25,000
Evasion	Commercial proxy services (to bypass geo-restrictions)
Window	April 22 – June 5, 2026 (~6 weeks)
Targeted skills	Software engineering, agentic reasoning
Targeted model	Frontier "Mythos Preview"
Channel	June 10 letter to Senate Banking Committee chair and ranking member
Comparison	Larger than the February DeepSeek/Moonshot/MiniMax total

Line by line. First, "25K fake accounts + proxies" is the core method. Anthropic blocks Chinese-entity access to Claude via geo-restrictions; mass-create fake accounts and mask IPs with commercial proxies, and you route around that. So an army of automated accounts disguised as normal users hammered Claude nonstop for six weeks. Not a couple of curious users — organized, industrial scale. That's the crux.

Second, "the targeting was precise" is telling. It didn't ask random things — it concentrated on coding and agentic reasoning, the highest-difficulty, highest-value abilities. That means whoever did it knew exactly "what to extract to make our model stronger." Closer to "targeted capability theft" than data collection — that's the weight behind Anthropic's claim.

Third, the choice of "the Senate, not the courts" reveals the political nature of this. Rather than sue Alibaba civilly, Anthropic wrote to the Senate Banking Committee. That's a strategy to frame this beyond "corporate dispute" as a "national-security / export-control issue." Anthropic is trying to grow this from "our loss" into a policy agenda: "America's AI lead is leaking."

What each side gets

Start with Anthropic. First, policy leverage: this accusation gives Anthropic a hard, empirical case for its long-running "stop AI capability leaking to China" argument. Not abstract worry but a concrete "28.8 million." Second, a reinforced safety-leader image: "we're the company that detects and blocks these attacks" is a trust asset for security-minded government and enterprise customers. Third, a rationale for tighter export controls: this can fuel a stronger debate that "even API access should be controlled."

Alibaba's loss and response are clear too. If the charge hardens, Qwen's legitimacy and trust wobble and its global reputation takes a hit. But Alibaba has counter-cards — "distillation happens everywhere in the industry, and we didn't direct it," or "those accounts aren't our official activity." Because distillation is inherently hard to prove, Alibaba has room to argue "the link is only circumstantial."

The unexpected stakeholder is U.S. policymakers. The letter went to the Senate Banking Committee — which handles exactly export controls and sanctions. By choosing that channel, Anthropic signaled "let's treat AI model access within the framework of financial/tech sanctions." Policymakers could use this as grounds for legislation extending China AI export controls "down to the API level." It points, curiously, in the same direction as today's GPT-5.6 government-control story.

Precedents — successes and failures

Distillation disputes aren't new. The most famous is OpenAI vs DeepSeek. OpenAI once alleged DeepSeek trained by distilling its models. When a powerful new model appears suddenly, "did you copy ours?" now follows as an industry pattern. Distillation suspicion has become a recurring front in frontier competition.

Another is Anthropic's own February disclosure of three Chinese labs (DeepSeek, Moonshot, MiniMax). It detected and disclosed suspicious bulk access then too. The Alibaba case is an extension — and a far larger version. Anthropic is repeatedly building the narrative that "Chinese labs are systematically distilling U.S. frontier models." Once is chance, twice is a pattern, and this is at least the third.

On the flip side, the "limits of distillation control" failure looms. Distillation is just doing the normal act of API calls at massive scale, so blocking it perfectly is nearly impossible. Ban accounts, they make new ones; block IPs, they swap proxies. Like 1990s crypto export controls that ultimately couldn't stop the tech spreading, API-level control risks becoming whack-a-mole. Anthropic's accusation is a strong warning, but whether you can technically seal off distillation is another question.

Competitors' counter-plays

The most directly affected are other frontier labs (OpenAI, Google). Their models can be distillation targets too, so they'll likely follow Anthropic's detect-and-accuse model. Tracking and disclosing "who hammered our model and how much" could become a new standard. They may also form a common front for tighter export controls, arguing "we're exposed to the same threat." Picture the U.S. frontier camp uniting around an "API distillation defense" agenda.

Chinese labs' counter splits two ways. One is flat denial — "we didn't distill, no proof" — exploiting the limits of circumstantial evidence. The other is emphasizing self-reliance — "our models come from our own data and research." Meanwhile they can push open-weights harder, using an "we publish models for everyone" openness narrative to dilute the "distillation thief" framing.

The regulatory and policy camp will treat this as "a new front in AI export controls." Controls have centered on hardware like chips and tools; this opens a new dimension: "control API access itself." The catch is execution — how to identify and block fake accounts and proxies, and how to distinguish normal users from distillation attacks, is a brutally hard technical task. The policy direction is set, but enforcement lags far behind.

So what actually changes

If you're a regular AI user, little changes immediately. But this is one piece of a bigger trend toward "tighter and tighter model access." Expect stronger sign-up, verification, and geo-restrictions on more powerful models. Even normal users may face more onerous verification under the banner of "distillation defense." The price of security is always a little inconvenience.

If you're an AI developer or startup, watch two things. One is "API terms risk." Using model outputs to train another model usually violates terms, and enforcement will tighten after this. Know the line between legal fine-tuning and illicit distillation. The other is "the value of open models." Cleanly-licensed open weights, free of distillation controversy, gain practical value.

If you watch U.S.–China AI competition, the core is "how AI capability crosses borders." You can block chips, but "intelligence" can leak through a single line of API. That's the real message. Just remember Anthropic's claim is still a "claim," with Alibaba's rebuttal and independent verification pending. Don't conclude from one side's narrative — distillation is hard to prove.

One step further — "leaking intelligence" as a new security problem

To read this right, see the fundamental question: "what can you actually control?" For years, U.S. China-AI strategy centered on "hardware denial" — block advanced chips and tools and China can't build powerful models. This case cracks that premise. If, even without chips, you can copy the "intelligence" of an already-built powerful U.S. model by knocking on its API 28.8 million times, then hardware control alone can't stop capability leaking. The security frontier shifts from "silicon" to "software behavior."

Another easily missed angle is "distillation's ethical ambiguity." Distillation itself isn't illegal. Many companies legally teach smaller models from a bigger model's outputs. The problem is "violating terms, bypassing geo-restrictions, and disguising with fake accounts at massive scale." It's the method, not the technique, that's at issue. That ambiguity lets Alibaba defend "distillation is an industry practice" while Anthropic counters "not practice, but organized theft." Where that line gets drawn will set the rules for the whole AI industry.

But there are cold variables. First, proof. Whether the link between the fake-account army and Alibaba HQ is circumstantial or conclusive hasn't been disclosed. Whether the pattern Anthropic detected was an official Alibaba directive, or a third party or rogue employee, must be sorted out. Second, political timing. Sending this letter to the Senate amid an active export-control debate aims at policy influence as much as fact-finding. Separate the weight of fact from the weight of politics.

In the end, the real question is "can the nation that built powerful AI stop that intelligence from crossing borders?" If the answer leans toward "no," America's AI lead could level out faster than expected. If it leans toward "yes," we enter a far more closed AI era that controls even API access. The June 24 accusation is the event that first made that fork clearly visible.

🥄 Three Things You're Probably Wondering

— Is distillation really that bad? Doesn't everyone do it? Distillation itself is legal and common. The problem is the method — terms violations, geo-bypass, 25,000 fake accounts, an "organized evasion." "Learning from a big model" and "secretly extracting at massive scale" are different stories.

— Is it certain Alibaba actually did it? It's still at the "Anthropic's claim" stage. Detecting 28.8 million accesses appears factual, but whether it was an official Alibaba HQ directive awaits independent verification and Alibaba's rebuttal. Separate circumstantial from conclusive.

— Does this mean Chinese models are all fakes? No. Chinese labs build powerful models from their own research and data too. "Distillation may have contributed to some capability" and "they copied everything" are entirely different claims. Too early to conclude.

References

• Anthropic Accuses Alibaba of 'Illicitly' Accessing AI Models — Bloomberg
• Anthropic claims China's Alibaba used 25,000 fake accounts and 28.8 million exchanges to illicitly 'distill' its Claude model — Tom's Hardware
• Alibaba Ran Largest Known AI Theft Campaign Against Claude, Anthropic Tells Senate — TechTimes
• Anthropic accuses Alibaba of large-scale AI theft using ~25,000 fraudulent accounts — Free Press Journal
• Anthropic accuses Alibaba of stealing Claude AI model — Swarajya

Numbers are as of announcement and may change.