Anthropic Told the Senate That Alibaba Queried Claude 28.8 Million Times

The attack didn't look like an attack. That's the detail worth sitting with.

Between April 22 and June 5 of this year, operators Anthropic links to Alibaba's Qwen lab ran approximately 28.8 million interactions with Claude through roughly 25,000 fraudulent accounts. No passwords stolen. No servers breached. Just API calls, at industrial scale, for six weeks. Anthropic described it in a June 10 letter to the Senate Banking Committee as "the largest known distillation attack" on the company to date, and CNBC confirmed the letter's contents on June 24.

Distillation, as a technique, is legitimate in normal use: you run a bigger model, collect its outputs, and train a smaller model on those outputs to get a cheaper approximation. Labs do it to themselves all the time. What Alibaba-linked operators allegedly did was the adversarial version: use a competitor's frontier model as an unwitting teacher. The specific capabilities they targeted were software engineering, agentic reasoning, and long-horizon task completion. In other words, the parts of Claude that took the most effort to develop.

The scale matters for understanding how much it costs. One analyst estimate puts 28.8 million exchanges at roughly 14.4 billion tokens of extracted training data, assuming an average of about 500 tokens per exchange. That's not enough to train a frontier model from scratch, but it's potentially enough to meaningfully push an existing model family like Qwen into territory it hadn't reached on its own. The attack didn't copy Claude. It tutored a competitor using Claude's outputs as curriculum.

This is the second time Anthropic has gone to Congress with distillation allegations. In February, the company reported smaller incidents involving DeepSeek (over 150,000 interactions), Moonshot AI (over 3.4 million), and MiniMax (over 13 million). Alibaba's alleged campaign dwarfs all three combined. The escalation in scale is the thing to notice: if this is the pattern, what was 150,000 interactions in February looks like a proof of concept.

The technical defense problem is harder than it sounds. You can't just block large query volumes from single IP addresses: the operation reportedly used 25,000 separate accounts, implying email infrastructure, payment methods, IP rotation, and session management. That's a coordinated operation, not an individual running a script. Anthropic's terms of service prohibit exactly this kind of extraction. The terms existed. They didn't stop it.

The policy ask in Anthropic's letter is for the US government to share threat intelligence with private AI companies. That's a reasonable request and also a signal: Anthropic is saying it can't catch these campaigns quickly enough on its own. The February incidents, by comparison, weren't disclosed publicly until months after the fact.

I find the framing of this as a security breach somewhat misleading, not because it isn't serious, but because it obscures what kind of problem it is. The attack surface is the API itself. Every prompt sent to a frontier model is a potential data point for a competitor. The more capable the model, the more valuable each interaction. You can add rate limits and behavioral detection, and those help at the margins, but the fundamental dynamic is that access and extraction are the same action viewed from different angles.

Anthropic's real leverage here is regulatory: get Claude classified as a controlled technology, put export restrictions on API access from certain regions, and make the legal cost of running 25,000 fake accounts high enough to deter future campaigns. The Commerce Department had already moved to restrict Anthropic's frontier models from foreign nationals. This letter is asking Congress to go further.

Alibaba has not publicly responded to the allegations.