Anthropic has asked two US senators to punish Alibaba for what it calls the largest campaign it has ever detected to copy Claude, the AI lab's flagship assistant. In a June 10 letter to Senators Tim Scott (R-SC) and Elizabeth Warren (D-Mass.), the company alleged that Alibaba's Qwen artificial intelligence team used roughly 25,000 fraudulent accounts to send 28.8 million messages to Claude between April 22 and June 5, 2026, a six-week window. The technique is called model distillation, in which a rival system is trained by mass-querying a target model and learning from its answers, and Anthropic has separately published guidance on how it tries to detect and prevent such attacks.
The letter landed one day before a Senate committee hearing titled "AI and the American Dream," which converted what would normally be an internal enforcement matter into a formal legislative ask. That timing is the structural surprise of the episode. Most US AI labs treat large-scale distillation as a violation of their terms of service and pursue it through account bans, IP litigation, or quiet legal threats. Anthropic chose instead to name a specific Chinese counterpart in writing to a bipartisan committee, attach quantified counts, and request punishment.
What the alleged campaign targeted shows why Claude's outputs were worth stealing. According to CNBC's coverage of the letter and the BBC's reporting, the requests focused on three capabilities: agentic reasoning, the ability to plan and execute multi-step tasks; software engineering, specifically writing and debugging code; and long-horizon work, tasks that require sustained attention across many steps. These are the same capabilities that frontier labs now treat as their most commercially valuable, and the hardest to defend, because they show up clearly in any large corpus of model outputs.
The mechanism, as Anthropic described it, was designed to evade detection. The accounts used obfuscation techniques and routed traffic through proxy networks to hide their origin, according to Tom's Hardware's account of the letter. Anthropic told Benzinga that demand for these circumvention services inside China is rising, a "growing circumvention economy" that the company treats as a structural threat to its business model. The technical specifics, including how Anthropic tied the obfuscated accounts to Alibaba or Qwen rather than to a third-party reseller, have not been published.
Anthropic also framed the alleged campaign as a response to its own policy choices. The accusation followed the company's decision to restrict its newest model, called Mythos, from foreign markets. With Mythos off-limits abroad, Claude becomes the next-best target for any Chinese developer who wants frontier-level reasoning without buying it directly. Anthropic argues, in effect, that its own export controls created the demand that the alleged campaign then met.
Two pieces of adjacent context frame this as a US-China industrial-policy story rather than a pure cybersecurity incident, but neither is evidence of the alleged distillation campaign. Alibaba is separately suing the US Department of Defense over its designation as a Chinese military company, a case filed June 23, 2026. And 360 founder Zhou Hongyi recently warned that China's cybersecurity industry needs its own "Mythos-class" model to compete. Anthropic's letter also cites earlier accusations against DeepSeek, Moonshot, and MiniMax, and notes that OpenAI and Google have reported similar attacks, a pattern that gives the Alibaba allegation scale without independently verifying it.
The story remains, for now, one-sided. In the available coverage, Alibaba has not responded on the record to the accusations. That absence shapes how the episode should be read: a named but not yet defended accusation, with specific counts that come entirely from the accuser's own access logs.
What to watch next is whether Alibaba or Qwen publishes an on-record denial, defense, or technical rebuttal; whether the Senate committees that received the letter, including Banking and Commerce, ask Anthropic to testify or turn over logs; whether the "AI and the American Dream" hearing produces a bipartisan or committee-level response; and whether other Chinese AI labs receive similarly public disclosure letters. The underlying technical question is whether access controls, terms of service, and obfuscation detection can hold against a determined and well-funded adversary, or whether frontier AI capability will increasingly leak through sheer query volume, regardless of whose name is on the letter.