The numbers are specific. Whether they’re independently verifiable is a different question.
In a letter dated June 10, 2026, and made public on June 24, Anthropic told the US Senate Banking Committee that operators it linked to Alibaba’s Qwen lab used approximately 25,000 fraudulent accounts to run more than 28.8 million exchanges with Claude over a 45-day window, according to the Financial Times’ account of the letter. Anthropic characterized the campaign as adversarial distillation, a technique in which a model is queried at scale, with the outputs used to train a smaller or competing model to replicate the original’s behavior.
Anthropic alleged the campaign was designed to extract Claude’s capabilities in agentic reasoning and software engineering for use in Alibaba’s Qwen models. That attribution, the claim that the extracted outputs fed Qwen training, is Anthropic’s characterization, not an independently confirmed fact. Alibaba hasn’t publicly responded. The mechanisms Anthropic used to link the 25,000 accounts to Alibaba Qwen operators are proprietary and haven’t been verified by third parties.
Why it matters
Adversarial distillation doesn’t require a vulnerability. It exploits a frontier model’s core function, answering queries, by issuing those queries at scale through accounts that violate terms of service. No firewall catches it at the network layer. Detection requires behavioral analysis across millions of sessions, which is exactly the kind of monitoring most API providers don’t publish details about. If Anthropic’s account is accurate, the campaign ran for 45 days before detection. That gap is the operational story for AI developers and compliance teams thinking about their own model deployments.
Adversarial Distillation Dispute, Stakeholder Positions
Anthropic also urged Congress to penalize Chinese AI labs responsible for distillation attacks and to close loopholes allowing them to access US cloud infrastructure, according to the FT’s reporting. That’s a policy ask with real downstream consequences, cloud access restrictions would affect far more than the labs named in the letter.
Context
This isn’t Anthropic’s first allegation of this type. According to InfoWorld’s reporting on the letter, Anthropic identified prior campaigns it attributed to other Chinese AI labs, approximately 150,000 exchanges attributed to DeepSeek and approximately 13 million attributed to MiniMax. Those figures, like the Alibaba numbers, derive from Anthropic’s own account and haven’t been independently verified. Moonshot AI was also named in the prior campaign list. The pattern Anthropic describes, if accurate, suggests adversarial distillation has become a routine extraction strategy rather than an isolated incident.
What to watch
Three things matter here: whether Alibaba responds, whether Congress moves on Anthropic’s cloud-access ask, and whether any independent technical review of Anthropic’s attribution methodology becomes available. The Senate Banking Committee is the immediate venue to watch. A non-response from Alibaba isn’t the same as a denial, but it’s also not corroboration. Independent verification of both the account counts and the attribution logic would substantially change the evidentiary weight of this allegation.
Unanswered Questions
- How did Anthropic attribute 25,000 accounts to Alibaba Qwen operators, what behavioral signals triggered detection?
- Does existing US law cover adversarial distillation, or would new legislation be required for Anthropic's congressional ask to have teeth?
- Will cloud access restrictions, if enacted, apply to existing contracts or only new ones?
TJS synthesis
Don’t treat the specific figures as established fact, treat them as Anthropic’s stated position in a policy dispute. The adversarial distillation technique itself is real and documented; the scale and attribution of this particular campaign are not independently confirmed. For teams managing API access to frontier models, the operational takeaway is cleaner than the legal one: behavioral monitoring across session patterns is the detection mechanism Anthropic is implying it used. If your model deployment doesn’t have equivalent monitoring, that’s the gap worth closing before the next letter to a Senate committee names a different target.
Sources: Reuters, BBC, CNBC, Forbes, Financial Times.