The lab's June 10 letter to two US senators alleges Ant Group, Alibaba's fintech affiliate, routed employee Claude logins through its own intranet to distill rival models — a training technique that copies one AI's outputs into a rival — exploiting
The story Anthropic is selling to Washington is about a Chinese rival stealing America's frontier AI. The story Anthropic actually alleges in its own letter to two US senators is smaller, and more uncomfortable for the lab: someone walked out the front door wearing a corporate badge.
In a June 10 letter to Sens. Elizabeth Warren (D-MA) and Tim Scott (R-SC), Anthropic accused Alibaba of what it called the largest known distillation attack against Claude. The mechanism Anthropic describes is not a hack. It is the exploitation of a gap in Anthropic's own terms of service: corporate accounts that nominally belong to paying customers, but that Anthropic now alleges were used at industrial scale to generate training data for rival Chinese models.
Distillation itself is uncontroversial. It is a standard machine learning technique in which a smaller model is trained to imitate a larger one's outputs. US frontier labs permit distillation from open-source models. They prohibit it for proprietary systems like Claude. Anthropic goes further: its usage policy bars Chinese companies from accessing its models at all. The corporate-account program is where that prohibition breaks down, and that gap is where the alleged campaign ran.
Anthropic's account, as reported by CNBC, is that tens of thousands of unauthorized accounts generated millions of interactions with Claude to train competing models. The path Anthropic singles out is specific. Ant Group, the Alibaba-affiliated fintech, "provided employees with corporate Claude accounts that were accessed through the company's intranet," the Financial Times reported, summarized in Newser's account of the dispute. An employee logging into a paid business-tier seat from behind a corporate firewall looks, to Anthropic's access logs, like a legitimate enterprise customer. The company only learned the customer was a Chinese firm when the volume and the patterns looked wrong.
The Washington Post's national security desk and the New York Times both ran their July 6 stories under geopolitical headlines: a US-China race for AI capability, distillation as the new industrial espionage. Both papers also documented Anthropic's response to the alleged abuse. The lab embedded hidden code in Claude outputs to fingerprint users it suspected of being China-based, then walked that back last week after privacy complaints, the Washington Post reported.
The fingerprinting retreat is the operational tell. Anthropic cannot reliably tell, from inside its own product, who is on the other end of a corporate seat. The BBC's account of the letter frames the same complaint in plainer language: Anthropic's terms forbid the activity; the architecture does not enforce them. The result is a system that is closed by contract and open by design.
Business Insider's reporting and cybersecurity trade coverage pick up the same structural problem: export controls on frontier AI are being written around a corporate-sales motion that frontier labs run themselves. The New York Times points to a parallel complaint from OpenAI against Chinese startup DeepSeek, suggesting Anthropic's Alibaba case is the loudest instance of a broader pattern rather than a single rogue actor. Anthropic's own writeup of how it detects and tries to prevent distillation attacks is candid about how partial those defenses are.
Alibaba's response has been procedural. CNBC reported that Alibaba told staff it would block employee use of Anthropic's tools for work beginning Friday, July 10. That move concedes the activity happened. It does not address whether training data already produced from those sessions has been folded into a competing model. An on-record rebuttal from Alibaba or Ant Group disputing the specific allegations was not present in the reporting collected as of July 7.
The policy question the letter is built to force is not whether distillation is theft. The technique is legitimate, and US labs use it themselves against open-source systems. The question is what a frontier lab is selling when it sells a corporate seat. Anthropic is asking the Senate to treat corporate-tier access as a controlled export category. The mechanism the Alibaba case actually exposed is that today, in practice, it is not.
The next concrete trigger is the senators' offices. Warren and Scott now hold the letter. What they do with it, and whether any of Anthropic's proposed remedies make it into legislation or enforcement guidance, will determine whether the corporate-account loophole gets closed at the contract layer or only policed case by case.