
Alibaba Reportedly Copied Claude with 28.8 Million Queries; Anthropic Accuses Chinese Giant of Biggest Distillation Attack

American startup Anthropic has accused Chinese tech giant Alibaba of the largest coordinated attack to date on its AI model Claude. According to Anthropic, operators connected to Alibaba's Qwen lab generated over 28.8 million exchanges with Claude through approximately 25,000 fake accounts — all with a single goal: to copy the capabilities of a model for whose development Anthropic paid hundreds of millions of dollars.

What is a "distillation attack" and why is it so dangerous?

The technique Anthropic is talking about is called adversarial distillation. Simply put: instead of spending years training your own AI model from scratch, you repeatedly query a stronger model, such as Claude, and use its responses to train your own, less powerful system. The result is a model that feeds off a competitor's research and development without paying a single penny for it.

It's a similar principle to someone photographing every page of an otherwise inaccessible book and then publishing their own version. Technically, it's not hacking — all you need is API access and a lot of patience. That's why defense is so difficult.

Anthropic published a detailed analysis of distillation attack detection and prevention methods on its blog, but attackers are constantly adapting.

28.8 million exchanges: a record attack

According to a letter Anthropic sent to two US senators from the Senate Committee on Banking, Housing, and Urban Affairs on June 10, 2026, the attack took place from April 22 to June 5, 2026. Operators connected to Alibaba's Qwen AI lab created approximately 25,000 fraudulent accounts and used them to conduct 28.8 million exchanges with Claude.

The goal was not random answers to general queries — according to Anthropic, the attack targeted very specific capabilities: software engineering and agentic reasoning, areas in which Claude excels and which are the most expensive to develop.

Anthropic also reported the incident to the White House and urged Washington to implement stricter regulatory measures. According to CNBC, Alibaba has not yet responded to requests for comment.

Alibaba is not the first — but it is the biggest

This case is not an isolated incident. As early as February 2026, Anthropic publicly accused three Chinese AI labs (DeepSeek, Moonshot AI, and MiniMax) of sustained distillation attacks. That campaign involved approximately 24,000 fraudulent accounts and over 16 million exchanges. Now, Alibaba has almost doubled that record.

The distribution of previous attacks was technically interesting: MiniMax focused on agentic coding (over 13 million exchanges), Moonshot AI on agentic reasoning and tools (3.4 million exchanges), and DeepSeek on fundamental logic and alignment. Each company went after a different "piece" of Claude's capabilities — as if they were collaborating to assemble a complete puzzle.

OpenAI is experiencing the same situation, having warned US lawmakers in an open letter about DeepSeek's attempts to distill their models.

Qwen: what is it, actually?

Alibaba's lab Qwen (formerly Tongyi Qianwen) develops a family of open-source language models that are available on the Hugging Face platform and have become very popular worldwide — including Europe and the Czech Republic. Developers use them as base models for their own applications. Paradoxically, there is a chance that some of the capabilities that Alibaba allegedly distilled from Claude could have ended up in open-source versions of Qwen accessible to anyone.

While the latest version of Qwen 3 achieves decent results in benchmarks, it still lags behind Claude Opus or GPT-4o — especially in complex reasoning and agents. This is precisely why these capabilities are so attractive to Chinese labs.

Technological war in a new guise

The Anthropic vs. Alibaba case is far more than a corporate dispute. It symbolizes a deeper structural tension: American AI labs invest billions in frontier research, while their Chinese competition tries to cut corners through distillation. The result is models that achieve comparable results at a fraction of the cost — and this naturally affects the business model of the entire industry.

As Euronews points out, the whole situation resembles a technological cold war — with the difference that the weapons are queries and API keys, not missiles. American companies are therefore urging Congress to enshrine distillation attacks as a clearly illegal category and enable their prosecution at an international level.

What does this mean for Czech users and companies?

Directly? Nothing dramatic yet. Claude is available to Czech users via claude.ai (free plan and Pro subscription for approx. 20 USD/month), while Qwen models are available for free as open-source. However, if distillation campaigns lead AI companies to tighten access to their APIs or significantly increase the price of enterprise plans, developers and companies integrating Claude or GPT-4o into their products will feel it.

In a broader context, it's also a question for Europe and the EU AI Act: who bears responsibility if an open-source model — such as Qwen — contains capabilities distilled from a proprietary system without the originator's consent? This legal gray area is still awaiting a definitive answer.

How does Anthropic defend itself?

Anthropic employs a combination of technical and legal measures. On the technical side, this involves detecting suspicious behavior patterns — sudden surges of structured queries from new accounts are a red flag. Fake accounts are blocked and access is revoked. On the legal side, the company actively communicates with the US government and lobbies for regulation that would classify distillation attacks as a violation of terms of use with legal consequences.

However, real protection runs into limits: anyone can create thousands of accounts and distribute traffic so that it doesn't exceed detection thresholds. It's an arms race where the attacker holds the initiative.
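As an added illustration (not Anthropic's detection code; the log format, the thresholds and the prompt-normalisation rule are all assumptions), the following example shows why a per-account volume threshold misses traffic spread across many new accounts, and how grouping new accounts by the shape of their prompts surfaces the same traffic:

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# All thresholds are assumptions chosen for this illustration.
PER_ACCOUNT_LIMIT = 50                 # requests per account in the window
NEW_ACCOUNT_AGE = timedelta(days=7)    # what counts as a "new" account
MIN_COHORT = 20                        # new accounts sharing one prompt shape

def template(prompt):
    """Collapse numbers and quoted names so same-shaped prompts compare equal."""
    p = re.sub(r"\d+", "<N>", prompt.lower())
    p = re.sub(r"'[^']*'", "<S>", p)
    return re.sub(r"\s+", " ", p).strip()

def build_constructed_log():
    """Constructed records: (account, created_at, requested_at, prompt)."""
    now = datetime(2026, 1, 15, 12, 0)
    organic = ["Summarise this meeting note", "Translate the menu to French",
               "Why is my loop slow?"]
    log = []
    for a in range(30):                # 30 fresh accounts, 10 requests each
        for i in range(10):
            n = a * 10 + i
            log.append((f"new-{a}", now - timedelta(days=2), now,
                        f"Implement function 'fn_{n}' for task {n} and explain each step"))
    for i in range(60):                # one busy long-standing customer
        log.append(("old-0", now - timedelta(days=400), now, organic[i % 3]))
    for a in range(2):                 # two fresh but ordinary accounts
        for i in range(3):
            log.append((f"fresh-{a}", now - timedelta(days=1), now, organic[i]))
    return log

def per_account_flags(log):
    """Naive check: any single account above the volume threshold."""
    counts = Counter(account for account, _, _, _ in log)
    return {a for a, n in counts.items() if n > PER_ACCOUNT_LIMIT}

def cohort_flags(log):
    """Group new accounts by prompt shape; flag shapes shared by many of them."""
    cohorts = defaultdict(set)
    for account, created, requested, prompt in log:
        if requested - created <= NEW_ACCOUNT_AGE:
            cohorts[template(prompt)].add(account)
    return {t: accts for t, accts in cohorts.items() if len(accts) >= MIN_COHORT}

if __name__ == "__main__":
    log = build_constructed_log()
    print("per-account:", per_account_flags(log))
    for shape, accts in cohort_flags(log).items():
        print(f"cohort of {len(accts)} new accounts -> {shape}")
```

On the constructed data, the per-account check flags only the busy legitimate customer, while the cohort check flags the 30 new accounts that each stayed under the limit.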

What exactly is AI model distillation and is it legal?

Distillation is a technique where you train a smaller or less powerful model on the outputs of a stronger model. By itself, it is not illegal — for example, Google uses distillation when developing smaller versions of its models. The problem arises when someone circumvents the terms of service by creating thousands of fake accounts and systematically extracting the capabilities of another model on a large scale. Such actions violate contractual terms and may constitute unfair competition or theft of trade secrets — although the specific legal framework is not yet fully clarified in the US or the EU.

Can Alibaba defend itself by claiming Qwen is open-source?

The open-source nature of Qwen does not mean that the method of its training was automatically legal. If the model was trained on data obtained in violation of Claude's terms of use, it is a problem regardless of the license of the final product. It's similar to software: open-source code can contain parts whose origin is disputed. Alibaba has not yet responded to the accusations, so it is unclear what defense strategy it will choose.

Is there a risk that Claude or GPT-4 will become more expensive or less accessible due to these attacks?

An immediate price increase is not on the horizon, but distillation campaigns increase operational costs (processing millions of fake queries) and force companies to invest in security infrastructure. If attacks continue to recur on an ever-larger scale, AI labs may resort to stricter user verification or restrict access for certain regions. For corporate customers in the Czech Republic, this would mean more complicated onboarding.
