Anthropic Takes Accusations Against Alibaba to U.S. Senate, Claims 28.8 Million Distillation Calls Targeted Claude

In a letter to the Senate Banking Committee, Anthropic states that operators linked to Alibaba's Qwen lab used 25,000 fake accounts to extract agentic capabilities from Claude between April and June.
In a letter dated June 10, revealed this week to the United States Senate Banking Committee, Anthropic accuses Alibaba of conducting the largest documented distillation attack against Claude. Operators associated with the Qwen lab, according to Dario Amodei's company, generated 28.8 million interactions with the model from around 25,000 fraudulent accounts, between April 22 and June 5, 2026.
The letter was addressed to the committee's chairman, Tim Scott (R-SC), and senior Democratic leader Elizabeth Warren (D-MA), and garnered public attention following an initial report by Bloomberg on Wednesday. Sarah Heck, head of public policy at Anthropic, told senators that the operation was "executed unlawfully, systematically, and on an industrial scale to harvest U.S. AI capabilities at zero cost for training and R&D." Alibaba had not publicly commented on the accusation by the time of this report's publication.
What Anthropic Claims to Have Observed
Distillation is the technique of training a smaller model using the outputs of a larger model. In this case, Anthropic states that the operators used commercial proxy services to mask the geographic origin of the calls and bypass access restrictions for users in mainland China. The targeted capabilities were precisely the most commercial attributes of Claude: agentic reasoning, programming, and executing lengthy tasks, which are the features that distinguish a cutting-edge model from its predecessors.
In February, the company had already cited three other Chinese labs—DeepSeek, Moonshot, and MiniMax—in smaller distillation cases. According to Anthropic, the Alibaba incident alone surpasses the combined volume of the three previous cases in call numbers. The accusation has not yet been corroborated by an American regulatory agency, and none of the figures have been confirmed by third parties.
The Contrast with the Directive on Mythos 5
The timing of the revelation is particularly concerning for Washington. On June 12, the Bureau of Industry and Security of the U.S. Department of Commerce ordered Anthropic to suspend access to Fable 5 and Mythos 5 for any foreign entities, whether inside or outside U.S. territory. The company disabled both models globally the following day.
While Washington restricts access for foreign entities to the most capable American models, Anthropic highlights that a Chinese lab managed to evade existing restrictions on Claude using commercial proxies. "The same jailbreak could be utilized to extract similar capabilities from other publicly available models, including OpenAI's GPT-5.5," the company wrote in a public statement regarding the Mythos case, signaling that the control issue is not unique to them.
Those working in technology policy on both sides have a less heroic perspective. For the National Security Commission on AI, purely legal controls without technical traffic auditing instruments have always been porous. For China analysts like Helen Toner, now at the Center for Security and Emerging Technology, prosecuting a foreign company for violating U.S. service terms on Chinese soil is almost legally unfeasible.
Implications for Washington, Beijing, and Brussels
In the U.S., the Banking Committee is expected to decide in the coming weeks whether to convert the letter into a formal hearing. The short-term bet is to pressure the Treasury to include the commercial use of proxies for AI access on the list of sanctionable practices.
In China, the case hits Alibaba at a sensitive moment. Qwen had been portrayed as evidence that the Chinese industry closed the gap with the American frontier without Nvidia chips or American models. The accusation, even if denied, shakes the narrative and creates regulatory risk for the upcoming round of releases. Independent papers indicate that part of Qwen's gains in programming benchmarks is consistent with training through distillation, although this does not prove authorship.
In Europe, where the broad oversight phase of the AI Act begins in August, the case adds pressure to general-purpose models. CISOs of European banks already operating Claude via AWS Bedrock will need to review data confidentiality agreements for training data. In delivery hubs in India and Poland, where Big Four firms operate acceleration centers, the episode anticipates discussions on who is accountable if an AI vendor detects massive extraction originating from a local client. The next risk window for Qwen is the upcoming corporate roadshow of 3.5 with Western clients, now under scrutiny.