#AI Security#Intellectual Property#Tech Competition

The Great AI Heist: How 25,000 Fake Accounts Were Used to Copy Claude's Capabilities

Inside the largest known AI distillation attack: how Alibaba allegedly used 25,000 fake accounts to generate 28.8 million queries against Anthropic's Claude model.

M

M Zeeshan

8 min read
The Great AI Heist: How 25,000 Fake Accounts Were Used to Copy Claude's Capabilities
#AI Security#Intellectual Property#Tech Competition

"Building a frontier AI model costs billions. Stealing one, apparently, just takes fake accounts and patience."

The Incident That Shook the AI Industry

In June 2026, the AI world learned of what may be the largest known "distillation attack" in history. Anthropic, the company behind the Claude AI model, publicly accused Chinese tech giant Alibaba of orchestrating an industrial-scale operation to copy its technology.

According to Anthropic's letter to the US Senate, operators linked to Alibaba and its Qwen AI lab created approximately 25,000 fraudulent accounts to generate 28.8 million queries with Claude between April 22 and June 5, 2026.

The scale of the operation—nearly 29 million conversations over 44 days—represents a new frontier in the US-China AI competition: the industrial-scale theft of AI capabilities.

Understanding Model Distillation

To understand why this matters, it's helpful to understand how AI models can be copied.

What is Distillation?

Distillation is a technique where a smaller, less capable AI model is trained on the outputs of a more advanced one. Think of it as a student copying homework from the smartest student in the class.

The key insight is that you don't need access to the original model's internal workings. The outputs alone—the responses the model generates—can be used to train another model to mimic its behavior.

Why This Attack Was Unprecedented

What made this operation different from typical AI training:

  • Scale: 25,000 accounts and 28.8 million interactions
  • Targeted Approach: The queries were specifically designed to extract advanced capabilities
  • Industrial Organization: The operation was too large and coordinated to be a casual effort

The attack targeted Claude's most valuable capabilities: software engineering, agentic reasoning, and long-horizon task planning.

The Response and Denials

Alibaba's Position

Alibaba has denied any wrongdoing. Chinese state media and experts have pushed back against the allegations, describing them as "technological hegemony anxiety" intended to hinder China's AI advancement.

A Chinese expert argued that "distillation is a widely adopted model compression technique across the AI industry" and that Chinese companies have advanced "through lawful data sources and algorithm optimization under a compliant framework."

The Irony Pointed Out

Observers noted a significant irony: Anthropic has faced legal challenges for its own training practices. In September 2025, the company agreed to pay $1.5 billion to settle a class-action lawsuit from authors who accused the company of using their copyrighted books to train Claude without permission.

Elon Musk highlighted this on X: "Anthropic has had to pay multi-billion dollar settlements for stealing training data at massive scale."

The Broader Pattern of AI Theft

The Alibaba attack wasn't an isolated incident. In February 2026, Anthropic had already identified similar distillation campaigns by other Chinese AI labs:

CompanyNumber of Queries to Claude
DeepSeek150,000+
Moonshot AI3.4 million
MiniMax13 million+

The Alibaba campaign dwarfed them all.

Since then, Anthropic, OpenAI, and Google have formed an alliance to share intelligence on such attacks and coordinate countermeasures.

Why This Matters for the AI Race

The Value of Innovation

A 28.8 million query operation aimed at one model is a strange way to prove the American lead has vanished. As analysts have noted, "You don't copy what isn't valuable."

The Copy Always Lags

Analysts pointed out a crucial limitation of distillation: it only runs in one direction. A distilled model is inherently downstream from the original.

By the time a copy is trained and deployed, the frontier lab has already advanced. As one analyst put it: "You can approach the thing you copied. You do not pass it by copying it."

Market Lessons

When DeepSeek released a cheap model in January 2025, trained in two months for under $6 million, Nvidia lost $589 billion in a single day. But within months, the affected stocks were back at record highs.

The lesson was not that the Chinese model was fake. It was that the market mistook a cheaper copy for a changing of the guard.

The Regulatory Response

Anthropic used the letter to push for stronger action from the US government:

  • Penalties against organizations conducting distillation attacks
  • Restrictions on access to advanced US computing infrastructure
  • Strengthened protections for advanced AI systems

The White House had already issued a memorandum in April 2026 accusing China of "industrial-scale campaigns to distill US frontier AI systems."

Alibaba has also been added to the Pentagon's Chinese military companies list—a designation it is challenging.

The New Supply Chain Risk

Industry analysts identified a broader implication: this represents a new type of supply chain risk.

"This is a supply chain risk that is now moving to AI," said Sanchit Vir Gogia, chief analyst at Greyhound Research. "The enterprise supply chain no longer ends at software, APIs, and cloud regions. It now includes rented intelligence, and rented intelligence can be copied and redeployed well outside the safety controls it was born with."

If a rival can copy the AI your business relies on, they can find its blind spots, hack your automated systems, or cause the AI vendor to shut down services your business needs.

Key Takeaways

What This Means for AI Development

  1. The US lead is real: You don't try to copy something that isn't valuable
  2. Copies are always behind: The frontier keeps moving forward
  3. Security is the new frontier: AI companies must protect their models as aggressively as they develop them
  4. Regulation is coming: Both countries are escalating their responses

What This Means for Businesses

  1. Rented intelligence can be copied: Be aware of the security risks in your AI supply chain
  2. The copy always lags: If you're relying on a copied model, you're using yesterday's technology
  3. Trust remains essential: Ultimately, AI security depends on the integrity of AI companies

Looking Forward

The Alibaba incident represents a turning point in the AI industry. It confirms that advanced AI capabilities are valuable enough to steal. It shows that industrial-scale copying is possible. And it demonstrates that the AI race is no longer just about innovation—it's about protection.

As one commentator concluded: "The frontier labs keep shipping the next capability while the imitators are still training on the last one. A copy is a lagging indicator of leadership, not a leading one."


🔐 The AI Security Conversation Continues

This article explores the technical and strategic implications of the Alibaba-Anthropic incident. The AI industry is at a turning point where security is becoming as important as innovation.

Found this helpful? Share it with your network!

M

About M Zeeshan

Writing about e-commerce fraud prevention, security, and helping businesses protect their revenue.

E-Commerce SecurityFraud Prevention