Explainer: How the 28.8 Million-Exchange 'Distillation Attack' on Claude is Reshaping AI Security

The most valuable asset in the artificial intelligence industry is no longer just the underlying code or the massive data centers powering it. It is the answers the models generate. As frontier AI labs pour billions of dollars into developing systems capable of complex reasoning, a new battleground has emerged over who gets to keep the fruits of that labor.

On June 10, Anthropic, the San Francisco-based maker of the Claude AI model, sent a stark warning to the United States Senate. The company alleged that Alibaba, the Chinese e-commerce and technology behemoth, had executed the "largest known distillation attack" to date against its systems.[1][6][7]

Between April 22 and June 5, operators affiliated with Alibaba's Qwen AI lab allegedly deployed roughly 25,000 fraudulent accounts to bypass Anthropic's security measures. Over those six weeks, the accounts conducted 28.8 million exchanges with Claude, systematically harvesting its outputs.[1][3]

The goal of this massive operation was not to hack Anthropic's servers or steal its source code. Instead, it was an industrial-scale effort to perform "model distillation"—a technique where a cheaper, less capable "student" model is trained on the high-quality answers generated by a state-of-the-art "teacher" model.[1][2]

By feeding Claude's outputs into its own systems, Alibaba could theoretically replicate Anthropic's advanced capabilities without incurring the massive research, development, and compute costs required to build a frontier model from scratch. Anthropic noted that the campaign specifically targeted Claude's most valuable skills, including agentic reasoning, software engineering, and long-horizon tasks.[1][3]

"These distillation attacks are carried out illicitly, systematically, and at industrial scale to harvest US AI capabilities across frontier labs and repackage them as their own without incurring the training and R&D costs," wrote Sarah Heck, Anthropic's head of policy, in the letter addressed to Senators Tim Scott and Elizabeth Warren.[1]

The Alibaba accusation represents a massive escalation in a trend that has been quietly reshaping the AI landscape. In February 2026, Anthropic accused three other Chinese AI startups—DeepSeek, Moonshot AI, and MiniMax—of similar extraction campaigns.[2][5][6]

However, the scale of the Alibaba operation dwarfs those previous incidents. DeepSeek's alleged operation involved roughly 150,000 exchanges, while Moonshot AI and MiniMax were accused of harvesting 3.4 million and 13 million interactions, respectively. The 28.8 million queries attributed to Alibaba represent more than double the previous largest attack.[5][6]

For enterprise security analysts, the incident highlights a fundamental shift in how digital assets must be protected. When a frontier model is exposed through an Application Programming Interface (API), the attack surface changes entirely. The model's outputs themselves become a strategic asset that competitors will inevitably try to capture.[4]

"Beyond the Anthropic-Alibaba distillation allegation, enterprises should be more concerned about their own AI leakage risks," noted Kashyap Kompella, CEO of RPA2AI Research. He emphasized that public-facing AI applications can inadvertently leak sensitive business logic and proprietary workflows if they are systematically probed.[4]

The challenge for AI companies is that distillation is incredibly difficult to stop. It requires distinguishing between a legitimate enterprise customer running millions of queries for a complex business application and an automated script designed to harvest training data.[4]

Complicating matters further is the fact that distillation itself is not inherently malicious. It is a standard, widely used technique within the AI research community to create smaller, more efficient models that can run locally on smartphones and laptops. The controversy arises when the technique is used to cross corporate and geopolitical boundaries without permission.[4]

Some open-source advocates argue that the panic over distillation is overblown, suggesting that a copy is a lagging indicator of leadership. Because a distilled model is always chasing the capabilities of the original teacher, it can never surpass it. In this view, the massive effort to copy Claude simply confirms Anthropic's significant technological lead.[5]

Nevertheless, the geopolitical stakes have transformed what might otherwise be a corporate terms-of-service dispute into a matter of national security. The US government recently placed export controls on Anthropic's most advanced models, Mythos 5 and Fable 5, to prevent foreign entities from accessing capabilities that could be used to compromise critical infrastructure.[2]

Anthropic is now urging lawmakers to go further. The company is calling for coordinated action between the government and the private sector, including threat-intelligence sharing, stronger export controls, and the creation of formal legal penalties for industrial-scale distillation.[2][6]

As the AI industry moves forward, the era of frictionless, open API access may be coming to an end. Frontier labs are increasingly likely to implement draconian vetting processes for high-volume users, fundamentally altering how developers and enterprises interact with the world's most powerful AI systems.