Anthropic accuses Alibaba of massive attack to clone Claude using 28.8 million exchanges

Anthropic claims Alibaba defied Trump to attack Claude and steal capabilities

Anthropic has accused the Chinese firm Alibaba of launching the largest attack yet attempting to clone Claude, as China races to match the capabilities of Anthropic's leading model following Mythos' release and subsequent restriction from foreign markets. Ars obtained a June 10 letter sent to Senators Tim Scott (R-S.C.) and Elizabeth Warren (D-Mass.) one day ahead of a Senate committee hearing on "AI and the American Dream." In the letter, Anthropic shared "new, confidential evidence of the largest campaign to illicitly extract Claude's capabilities we have ever measured." The attacks occurred between April 22 and June 5, when "operators affiliated with Alibaba and Alibaba Qwen, Alibaba's AI lab" allegedly generated "more than 28.8 million exchanges with Claude through almost 25,000 fraudulent accounts," Anthropic said. Violating Claude's terms of service and access restrictions, this campaign "targeted some of Claude's most valuable capabilities, such as agentic reasoning, software engineering, and long-horizon tasks." According to Anthropic, Alibaba evaded detection by "using obfuscation techniques and proxy networks." As Chinese demand for reliable obfuscation techniques increases, Anthropic warned there's already "a growing circumvention economy" to fuel an ever-expanding web of future distillation attacks. Alibaba allegedly ignored Trump warning Like other Chinese labs attempting to copy US frontier models, Alibaba's aim, Anthropic alleged, was to extract Claude's capabilities "without incurring the training and R&D costs required to train" their own frontier model. These attacks have become "widespread" and "turn hundreds of billions of dollars in American investment and R&D into a massive subsidy for our geopolitical competitors," Anthropic said. Importantly, Anthropic said, the Alibaba campaign occurred after Donald Trump took steps to curb such illicit distillation attacks and defend US national security. Back in April, Trump accused China of "industrial-scale" AI theft after Anthropic accused Chinese firms DeepSeek, Moonshot, and MiniMax of using the same tactic as Alibaba allegedly used to generate "over 16 million exchanges with Claude through approximately 24,000 fraudulent accounts." OpenAI and Google have published findings on similar attacks on their models, Anthropic said. Anthropic accused Alibaba of "brazenly" racing to make a copycat Claude, seemingly unfazed by Trump's threats to crack down on foreign efforts to copy US frontier models despite depending on US investors. "Alibaba is listed on the New York Stock Exchange, maintains business operations in the United States, and is accountable to US investors and regulators," Anthropic's letter noted, "yet this activity unfolded in the weeks after" Trump's memo warned that cloning attempts were "unacceptable." Ars could not immediately reach Alibaba for comment. Anthropic wants firms like Alibaba punished Alibaba is already preparing to clash with Trump, though. In a lawsuit filed Tuesday, Alibaba accused the Trump administration of blacklisting the company after falsely linking the company to the Chinese military, Reuters reported. Alibaba is seeking to remove the Trump designation, which they claimed has "no basis in fact or law." "Alibaba is governed by an independent board, none of whom has any military affiliation," Alibaba said. "Its products and services are built for retail, logistics, and enterprise information technology -- not weapons, defense, or intelligence." Anthropic appears unconvinced, however, that Alibaba isn't working with the Chinese government. In the letter, Anthropic warned that without stronger interventions, these distillation attacks will "help China reach Mythos Preview-level capabilities sooner." To keep the US ahead of China, Anthropic recommended that Congress pass legislation with three objectives. First, antitrust laws must be updated to allow AI firms to share information about evolving Chinese tactics to deter more threats. Second, the US needs more export controls on chips to hamstring Chinese access to advanced compute so that they simply can't train on US model outputs. That could make conducting distillation attacks pointless, Anthropic suggested. Finally, Congress should pass laws penalizing Chinese labs' "bad behavior" so that it's "more difficult and costly" to rely on distillation attacks to advance Chinese models. Penalties could include limiting Chinese firms from accessing US models or advanced US chips or from relying on data centers outside of China, Anthropic suggested. Anthropic declined to clarify whether Alibaba's alleged attacks were significant enough to help meaningfully accelerate China's AI capabilities or comment on any specific steps taken to thwart the attacks. Instead, a spokesperson provided a statement to Ars, echoing sentiments expressed in the letter to senators. "We believe combating the threat of illicit distillation requires coordinated action between government and industry, and we will continue working with Congress and the Administration to maintain American AI leadership," Anthropic said. China races to match Mythos' capabilities Anthropic's letter positions the AI firm as intent on helping the US hold the line so that China cannot surpass US capabilities. If that happened, Anthropic warned that China could blindside a defenseless US -- suddenly possessing "advanced cyber capabilities to deploy against the US government and American companies and exploit vulnerabilities faster than previously possible." It's important to keep the US as far ahead as possible, Anthropic's letter said, because "the larger the capability gap," the "more time the US government will have to harden cyber defenses and adopt AI systems across national security domains" as China's AI advances. Additionally, Anthropic warned that if the US ignores distillation attacks, China could release advanced AI models "with weak safeguards that are easily jailbroken, enabling other US adversaries to use these models for a wide range of activities that run contrary to US interests." Alibaba's models have been downloaded more than 700 million times and are at the frontier of China's AI industry. The official newspaper of the Central Committee of the Communist Party of China (CPC), People's Daily, recently hyped Alibaba's Qwen family of AI models as "the most popular open-source AI system worldwide." The AI firm will likely maintain a defensive posture as US scrutiny escalates, but the company risks hobbling its business the longer its US fights endure. Alibaba's stock dropped 3 percent after Anthropic's accusations became public, Yahoo Finance reported. Anthropic's suspicions that China is racing to build models to match Claude's capabilities have been confirmed by at least one major Chinese tech founder. At a cybersecurity conference in Beijing yesterday, 360 Security Technology founder Zhou Hongyi likened Anthropic's Mythos to a "cyber nuclear weapon," the South China Morning Post reported. Zhou told the audience that Mythos' sudden giant leap in its ability to find cybersecurity vulnerabilities was a "terrifying change" that had effectively "democratized" cyberattacks, SCMP reported. For China, having no access to Mythos was a significant disadvantage, Zhou said. He bemoaned that Project Glasswing, which granted more than 40 US organizations access to Mythos Preview to strengthen cyber defenses, excluded China. "This means US organizations can use Mythos to scan your vulnerabilities, but you don't even have the qualification to catch a glimpse of Mythos," Zhou said. China's only way forward is to create its own Mythos-like model, Zhou said, warning that such a "game-changing weapon in cyber warfare" cannot "be held solely in the hands of others." According to Zhou, China must race to copy Mythos' capabilities so that there's mutually assured destruction should its rival attempt to seize gains using its advanced AI. SCMP noted that "Zhou's remarks marked the first time a prominent Chinese technology founder has publicly warned about the strategic risks posed by the US frontier AI model." Right now, Zhou said that Chinese firms are "well short of Mythos-level capabilities," SCMP reported. He then positioned his own company as developing a solution, which focuses "on AI agent systems that combined existing foundation models with specialist security data sets and vulnerability knowledge bases," instead of "trying to match the US in frontier model capability and computing power."

Anthropic Urges Congress to Crack Down on AI Distillation By Chinese Rivals

The letter comes as lawmakers consider legislation targeting unauthorized access to U.S. frontier AI models. Anthropic is calling on Congress to strengthen protections against AI model distillation after claiming that Alibaba-affiliated operators carried out the largest known effort to extract capabilities from its Claude chatbot. In a June 10 letter to Senate Banking, Housing, and Urban Affairs Committee Chairman Tim Scott and Ranking Member Elizabeth Warren, Anthropic alleged that operators affiliated with Alibaba and its Qwen AI lab generated more than 28.8 million exchanges with Claude between April 22 and June 5 using nearly 25,000 "fraudulent accounts," or those not representing real, organic users. Known as a distillation attack, Anthropic said the operations targeted Claude's agentic reasoning, software engineering, and long-horizon planning capabilities, allowing competitors to reproduce advanced model behavior without the cost of training a frontier AI system. "Beyond its scale, this campaign was striking for its brazen nature," Anthropic wrote. "Alibaba is listed on the New York Stock Exchange, maintains business operations in the United States, and is accountable to U.S. investors and regulators." Anthropic said the campaign went beyond intellectual property concerns, framing large-scale model distillation as a national security issue that could accelerate China's military and cyber AI capabilities while narrowing the United States' technological lead. The letter comes as Washington intensifies efforts to protect U.S. AI leadership. Earlier this month, President Donald Trump signed an executive order expanding AI-powered cybersecurity initiatives after delaying the measure over concerns it could weaken America's competitive position against China. "When PRC labs distill these capabilities from U.S. models, they capture the returns on American investments without bearing the costs or risks associated with training frontier AI models," Anthropic wrote. "This inverts the economic logic that underwrites American AI leadership, turning billions of dollars' worth of research and development, compute, and other U.S. investments into a subsidy for our competitors." Anthropic urged lawmakers to expand intelligence sharing between frontier AI developers and the U.S. government, clarify antitrust rules to allow AI companies to share information about distillation attacks, strengthen export controls on advanced AI chips and compute, close loopholes that allow Chinese firms to access overseas data centers, and impose penalties on companies responsible for large-scale model extraction. A spokesperson for Anthropic declined to comment specifically on the letter, but told Decrypt, "We believe combating the threat of illicit distillation requires coordinated action between government and industry, and we will continue working with Congress and the administration to maintain American AI leadership." The letter also builds on Anthropic's claims in February that Chinese AI developers DeepSeek, Moonshot AI, and MiniMax generated more than 16 million Claude exchanges using roughly 24,000 fraudulent accounts. Those allegations drew criticism from observers who argued that AI companies rely on similar techniques when training their own systems. Anthropic has countered that conventional distillation is a legitimate method for producing smaller, cheaper models, while unauthorized extraction of frontier model capabilities through fraudulent access violates its terms of service. The broader debate over distillation has become more complicated in recent months. In April, Elon Musk testified in federal court that xAI had "partly" used OpenAI models while training Grok, underscoring that distillation is an established industry practice -- even as companies dispute where legitimate model training ends and unauthorized model extraction begins.