Anthropic sent a letter to senior members of the US Senate Banking Committee on June 10, 2026, accusing Alibaba’s Qwen AI lab of conducting what it called the largest known distillation attack ever carried out against a commercial AI model. The letter, addressed to Committee Chair Tim Scott and Ranking Member Elizabeth Warren, alleged that operators connected to Alibaba ran 28.8 million exchanges with Claude through approximately 25,000 fraudulent accounts over a 44-day window between April 22 and June 5, 2026.

Anthropic described the operation as “brazen” and “illicit” — industrial-scale capability extraction designed specifically to train Alibaba’s Qwen model to match the performance of Anthropic’s frontier Mythos Preview model in software engineering, multi-step reasoning, and cybersecurity tasks.

The disclosure is now driving both legislative action and, many observers believe, contributed to the Commerce Department’s decision to place export controls on Fable 5 and Mythos 5 in June — suspending global access to Anthropic’s two most capable models in an unprecedented government intervention against a commercial AI product.

What a Distillation Attack Actually Is

A distillation attack — sometimes called model extraction — works by querying a target AI system at scale with carefully crafted prompts and then using the outputs to train a smaller, cheaper model. The attacker never sees the source code, model weights, or training data. They do not need to. If you ask a model the right questions millions of times, the answers become a training set.

The technique is not new. AI researchers have understood distillation as both a legitimate efficiency technique (training smaller models from larger ones) and a potential vector for IP theft for years. What is new is the scale of what Anthropic is alleging.

The 28.8 million exchanges attributed to the Alibaba campaign is more than the combined scale of every prior distillation allegation Anthropic has publicly named, including the three Chinese AI labs the company flagged in February 2026. Across 25,000 fraudulent accounts, operating over roughly six weeks, someone systematically tried to extract everything Claude knows about writing code, reasoning through complex problems, and identifying security vulnerabilities.

Anthropic’s framing in the Senate letter was pointed: this is not an opportunistic hack. It is a strategic effort to turn hundreds of billions of dollars in American AI investment into a subsidy for a geopolitical competitor.

The Connection to the Export Control Ban

When the Commerce Department issued an export control directive on June 12 suspending all access to Fable 5 and Mythos 5 for foreign nationals, the public explanation focused on Mythos 5’s autonomous cybersecurity capabilities — specifically, NSA findings from a red-team exercise. The Alibaba letter adds a second layer to that story.

Anthropic disclosed to the Senate that the distillation campaign specifically targeted Mythos Preview’s capabilities in advanced coding and cybersecurity tasks. The implication is that Alibaba was not only aware of what Mythos could do — they were actively building toward it. From a government policy standpoint, a model capable of autonomously breaching classified systems becomes a different kind of risk when a foreign competitor has been systematically studying its outputs for six weeks.

The combination of those two facts — a powerful autonomous capability plus evidence of sustained foreign extraction efforts — appears to have cleared the threshold for the export control intervention.

What Congress Is Doing

The Anthropic letter has already produced legislative movement. Senators Bill Hagerty (R-TN) and Andy Kim (D-NJ) are working to attach an amendment to defense legislation that would enable the government to blacklist or sanction entities found to have conducted large-scale AI distillation campaigns against US companies. The bipartisan support is notable: both sides of the aisle appear to have converged on the view that AI capability extraction is a national security issue, not just a terms-of-service violation.

Alibaba has not publicly responded to the specific allegations as of the time of writing.

What This Means for Business

The Alibaba-Claude story lands differently depending on which side of the enterprise AI stack you sit on.

If you are an AI developer or enterprise building proprietary models, this is a reminder that your model’s outputs are as much your IP as the weights themselves. If you are running a system that external parties can query, you need rate limits, behavioral fingerprinting, and anomaly detection capable of flagging systematic extraction — not just blocking individual bad actors. A campaign of 25,000 accounts running for six weeks should, in theory, be detectable long before it reaches 28.8 million exchanges.

If you are an enterprise buyer of AI services, the more pressing question is vendor stability. The Fable 5 and Mythos 5 export control ban directly affected enterprises that had built workflows on top of Anthropic’s most capable models. The Alibaba allegations suggest that the geopolitical dimension of frontier AI is not receding. The companies at the frontier are now routinely writing letters to Senators, engaging with the NSA, and navigating export control proceedings. That is a different operating environment than buying cloud infrastructure.

If you are evaluating AI vendors, the security posture of your AI provider is now a legitimate procurement consideration. How does this company detect and respond to adversarial queries? What happens to your enterprise data if the vendor is drawn into a national security proceeding? Who is accountable if a model your business depends on goes offline because of a government directive?

These are not hypothetical questions anymore. One of the most capable AI labs in the world has been unable to serve its flagship products to the majority of its global customers for two weeks.

The Bigger Picture: AI IP in a Contested World

The Anthropic-Alibaba situation is a specific example of a structural tension that has been building since large language models became commercially viable. AI capability is now a form of national competitive advantage, and the methods for extracting it are increasingly accessible.

You do not need a state-backed program to run a distillation attack. You need compute, API access, and a systematic prompt strategy. The fact that Anthropic detected this one is good news. The inference that many others are running smaller, harder-to-detect versions of the same campaign is not unreasonable.

For enterprises, the practical implication is not to avoid AI — it is to understand that the AI layer of your tech stack is now operating inside a contested geopolitical environment. Your vendor’s regulatory exposure, their government relationships, and the extent to which their flagship products are considered strategic assets by the US government are all factors worth tracking, the same way you track financial stability or SOC 2 compliance.

The business case for building AI operations that are not wholly dependent on a single frontier model has never been stronger.

---

Enterprise DNA helps business leaders build AI strategies that hold up under real-world conditions. If you are thinking through how to reduce dependency risk while still capturing the genuine productivity gains AI makes possible, talk to our team.