Anthropic Says Alibaba Tried To Mine Claude For Qwen
Published: 06/25/2026 • 10 min read
Tech Article • NeuralKnot Archive
A secured blue AI model core behind glass is siphoned through thousands of account tokens into a shadow training cluster glowing orange.

Anthropic Says Alibaba Tried To Mine Claude For Qwen

The frontier model became an extractable industrial asset.


At 11:57 AM Pacific, I had the Business Insider story open, a Stanford security program in the next tab, and that particular newsroom feeling where the browser starts looking less like a research tool and more like a crime scene with tabs.

The number on the screen was 28.8 million.

That is how many Claude exchanges Anthropic says Alibaba-linked operators made between April 22 and June 5, according to a June 10 letter from Anthropic policy chief Sarah Heck to Senators Tim Scott and Elizabeth Warren. Business Insider says it obtained the letter. The New York Post, citing Bloomberg, reports the same rough outline: about 25,000 fraudulent accounts, operators affiliated with Alibaba and its Qwen AI lab, and what Anthropic called its largest known distillation attack to date.

Alibaba has not publicly answered the charge, at least not in the reporting I could verify on June 25. So keep the legal posture clean: this is Anthropic’s allegation, reported through outlets that say they saw or described the letter. The underlying Senate letter does not appear to be posted as a public committee document.

Still.

Twenty-five thousand fake accounts is not somebody scraping a chatbot from a dorm room with a loop and a bad idea. That is an industrial pattern. It turns the API into a mine, the rate limit into a fence, the trust system into border control, and the model output into raw material for somebody else’s training run.

Welcome to the part where the frontier starts leaking through the billing system.

Distillation Got Political

Distillation is old machine-learning plumbing with a new bruise on it.

The clean textbook version sounds harmless enough: use a stronger model’s outputs to train or improve a smaller model. A teacher model helps a student model learn. Efficient, practical, useful, and in many contexts completely normal.

Then the teacher is Claude, the student is allegedly tied to Qwen, the account graph is fake, the interaction count is in the tens of millions, and the letter goes to the Senate Banking Committee.

Now distillation stops being a technique and starts acting like a sanctions problem with JSON.

Anthropic’s reported claim is direct. Heck allegedly wrote that Alibaba-affiliated operators tried to extract Claude’s capabilities to train Alibaba’s own systems, harvesting U.S. AI capabilities across frontier labs without paying the research and development cost of building them. Business Insider says the letter warned that these attacks could help Chinese models reach Claude Mythos Preview-level capabilities sooner, including in cybersecurity-relevant domains.

That phrasing matters.

It frames model output as national capability. It frames API access as an export path. It frames fraud detection as industrial defense. It frames the chat endpoint as a controlled border that can be crossed with enough accounts, enough requests, and enough patience.

The frontier model is no longer only software.

It is a thing you can steal by talking to it.

The API Became The Border

Export controls are supposed to have a boundary people can understand. Chips. Weights. Cloud access. Foreign nationals. Data centers. Procurement lists. Somebody puts a box around the thing and declares who can touch it.

APIs make that uglier.

An API endpoint is both product and exposure. It is how customers get value, how developers build, how enterprises automate, and how the lab turns a model into revenue. It is also how an attacker can interrogate the system millions of times, collect behavior, sample reasoning patterns, harvest completions, tune a competitor model, or map the guardrails until the guardrails start to look tired.

This is why the account count is the story.

If the allegation is accurate, the attack did not require a breach in the cinematic sense. No hooded person in a server room. No stolen root password glowing under red light. It required the ordinary machinery of a scaled product: accounts, requests, quotas, payments, fingerprints, fraud systems, abuse detection, and policy enforcement.

The moat was the product surface.

That is a miserable place to put a moat, because real customers need to cross it all day.

Anthropic can tighten account verification. It can detect clusters. It can throttle suspicious patterns. It can watermark outputs, log behavior, require enterprise review, segment geographies, tune abuse classifiers, and put more friction between anonymous demand and high-capability models.

Every one of those measures also changes the product.

Friction is security until it becomes sales leakage. Identity is risk control until it becomes surveillance. Export control is policy until it becomes a bad user experience with a flag on it. The frontier lab has to keep the machine open enough to make money and closed enough that it does not train the next competitor through the front door.

That is the trap.

Qwen Is The Wrong Kind Of Rival

The name Qwen matters because it is not vapor.

Alibaba Cloud’s Qwen family has become one of the major Chinese model lines, especially in the open and enterprise ecosystem. It has weights, developers, benchmarks, variants, and distribution. A charge involving Qwen is not a charge against a hypothetical startup with a slideshow and a grant application. It points at a real competitor with cloud infrastructure behind it.

That makes Anthropic’s ask obvious: more government help.

Business Insider says Heck asked lawmakers for stronger legislation against distillation attacks, including limits on China’s access to advanced U.S. computing infrastructure and penalties for Chinese entities that launch them. The Post report quotes an Anthropic spokesperson saying the company wants coordinated government and industry action to maintain American AI leadership.

There it is, clean as a broken window.

When model labs talk about safety, they are often also talking about market structure. When they talk about export control, they are also talking about who gets to rent capability. When they talk about illicit distillation, they are also talking about whether the lead they spent billions building can be reproduced through the customer interface.

That does not make the concern fake.

It makes it more serious.

The same event can be a real security threat, a real policy issue, a real commercial threat, and a real lobbying opportunity. Mature industries are excellent at being several things at once. AI is catching up, the poor thing.

The Fraud Team Is Now Part Of Frontier Defense

The funny part, if your sense of humor has been damaged by infrastructure work, is that the defensive stack here looks less like science fiction and more like payments fraud.

Account creation velocity. Device fingerprints. Payment rails. Geo patterns. IP reputation. Behavioral clustering. Request timing. Prompt similarity. Output collection patterns. Suspicious retries. Shared infrastructure. Disposable identities. Rate-limit evasion.

This is the boring machinery that decides whether frontier AI stays metered.

That should make security people nervous and product people nauseous. The lab’s best model can be protected by the same category of systems that stop sneaker bots and fake coupon farms. Except the prize is not inventory. It is capability.

This is also where the story gets uncomfortable for developers.

The more labs treat model access as a controlled strategic asset, the more normal users get sorted. Verified users. Trusted organizations. Research partners. Enterprise contracts. Higher-risk geographies. Lower-risk geographies. Sensitive domains. Safety tiers. Tool permissions. Audit retention. Identity claims.

The open web version of AI access starts to shrink.

Some of that is necessary. Some of it will be power wearing a safety vest. The annoying part is telling which is which while the dashboard is screaming.

Open Models Are The Shadow In The Room

This story lands two days after I wrote about GLM-5.2 and the open frontier leaking into downloadable weights. That timing is rude, which is to say useful.

The closed-lab answer to model risk is usually access control. Keep the strongest systems behind APIs. Monitor usage. Block bad actors. Refuse some requests. Wrap sensitive capabilities in policy and contracts.

The open-weight answer is different: hold the thing yourself.

Distillation attacks sit between those worlds like a crowbar. If a closed model can be queried enough times to train an open or semi-open rival, then the API gate is not a wall. It is a toll booth with a blind spot.

That does not mean distillation can perfectly clone a frontier system. It usually cannot. Training data, architecture, post-training, tool behavior, system prompts, eval feedback, reinforcement loops, and infrastructure all matter. A student model trained on outputs is still a student with missing childhood records.

But the point is not perfect cloning.

The point is acceleration.

If a rival can buy or fake enough access to harvest high-quality outputs, it may narrow the gap on specific behaviors: reasoning style, coding patterns, cyber tasks, refusal boundaries, agent plans, and the weird tacit texture of what makes a model useful. The model does not have to become Claude. It has to become better faster, cheaper, and under another company’s control.

That is enough to scare people who spent billions building the teacher.

The Senate Letter Is The Product Roadmap

The Senate Banking Committee is an odd stage until you remember finance is one of the places export controls, sanctions, and national-security commerce actually get teeth.

Anthropic did not only report abuse to the public. It reportedly sent lawmakers a story with numbers, actors, dates, national-security framing, and legislative asks. That is how a technical abuse report becomes a policy object.

The next version of frontier AI access may be written as much by letters like this as by model cards.

Expect more verified access. More cloud restrictions. More contractual anti-distillation terms. More abuse-detection spend. More arguments that model outputs should be treated like controlled know-how. More labs asking Washington to help enforce the border that their own business model needs people to cross.

Also expect workarounds.

The internet has never met a gate it did not eventually route around, monetize, mirror, or misunderstand into disaster. If frontier capability is valuable enough, somebody will try to extract it. If extraction gets harder, they will use more accounts, better infrastructure, cleaner cover traffic, synthetic identities, compromised access, resellers, brokers, or whatever new rotten channel appears once the money gets large enough.

The attack surface is not the model.

The attack surface is the economy around the model.

The Machine Learns Who Can Ask

By 12:42 PM, the hero image was in the repo: a blue model core behind glass, thousands of little account tokens streaming through an API checkpoint into an orange training furnace on the other side. Too clean, maybe. The real version is probably a spreadsheet, a fraud queue, legal language, and one very tired policy person rewriting the word “illicit” until it looks normal.

But the image gets the pressure right.

Anthropic’s accusation against Alibaba is the AI race becoming less romantic. Fewer grand speeches about intelligence. More account graphs, terms-of-service enforcement, Senate letters, export controls, cloud access, model outputs as contraband, and API abuse teams suddenly standing between a frontier lab and a competitor’s training run.

The model is still the center of the story.

The border is moving outward.

It now runs through the login form, the billing system, the fraud model, the usage logs, the senator’s inbox, the cloud contract, the export-control rule, and the little box where a developer pastes an API key at 1:13 AM because the build has to ship.

That is where the next fight lives.

The API is the border now.

And everybody is testing the fence.


Sources