Alibaba stole 28.8M Claude responses to train Qwen, Anthropic tells Senate

iEXExchanger
Alibaba stole 28.8M Claude responses to train Qwen, Anthropic tells Senate

From April to June 2026, Alibaba used 25,000 fake accounts to run 28.8 million exchanges against Claude — harvesting its reasoning to train Qwen. Anthropic calls it the largest distillation attack ever filed.

For 45 days straight — from April 22 to June 5, 2026 — operators linked to Alibaba's Qwen AI lab ran 28.8 million exchanges against Claude using nearly 25,000 fraudulent accounts. The goal was to systematically harvest Claude's reasoning patterns and feed them into Qwen training pipelines, bypassing Anthropic's explicit ban on access from China. Anthropic disclosed the campaign in a letter reviewed by Reuters, then briefed both the Senate and the White House, calling it the largest known distillation attack in the company's history.

Distillation isn't hacking in the conventional sense — no servers were breached, no source code stolen. The method is subtler: train a weaker model on millions of responses from a stronger one. Feed the target model with carefully crafted prompts, record its answers, teach your own model to replicate that behavior. What you extract isn't data — it's reasoning style, calibration, the way the model handles ambiguous questions. In February 2026, Anthropic had already named three Chinese AI labs in connection with similar attempts. Those now look minor by comparison.

According to Anthropic, the specific target was Mythos Preview — an advanced model the company has not released publicly. The alleged objective: accelerate Qwen's capabilities toward parity with that system. Anthropic doesn't frame this as an opportunistic experiment. The infrastructure of 25,000 fake accounts, built specifically to evade detection at scale, points to a deliberate, multi-week operation with a clear objective.

Anthropic is now pushing Washington for concrete countermeasures: mandatory screening of high-volume API traffic for distillation signatures, export controls on access to frontier AI models, and formal coordination between AI developers and government agencies to detect future campaigns. Alibaba has not publicly responded to the allegations.

The uncomfortable question this raises isn't about intent — it's about architecture. Frontier AI models are commercially available by design, and distinguishing a large legitimate user from an adversarial operation is genuinely hard. Volume alone doesn't prove intent. If Anthropic's claims gain traction in Congress, the debate over hard limits on who can access US AI systems — and at what scale — will shift from theoretical to legislative fast.

Questions and answers

Frequently asked questions about this article

What is AI model distillation in plain terms?

Distillation means training a weaker model on the outputs of a stronger one. Instead of building from scratch, you flood the target model with prompts, record its responses, and teach your own model to mimic that behavior. No code is stolen — what transfers is reasoning style and calibration.

Why did Alibaba need fake accounts?

Anthropic explicitly prohibits access to Claude from China. To bypass that restriction, operators linked to Alibaba created nearly 25,000 fake accounts that masked the true origin of the traffic, evading Anthropic's geographic controls.

What is Anthropic asking US authorities to do?

Anthropic is requesting mandatory screening of high-volume API traffic for distillation patterns, export controls on access to frontier AI models, and formal coordination between AI developers and government agencies to detect and respond to future campaigns.

How does this attack compare to previous distillation incidents?

In February 2026, Anthropic named three Chinese AI labs in connection with distillation attempts. The current campaign — 28.8 million exchanges over 45 days — dwarfs all of them combined. Anthropic calls it the largest such attack the company has ever documented.

Read also