Industrial-scale 'distillation' turns the API into a geopolitical battleground

🕒 Published on Zendoric: June 27, 2026 · 09:00
Anthropic claims before the U.S. Senate that operators affiliated with Alibaba would have squeezed Claude with nearly 25,000 accounts and 28.8 million exchanges. Beyond the accusation —which should be read with legal caution— the episode reveals something fundamental: a model's true security perimeter is no longer its code, but its own responses.
Some news matters less for its headline than for what it lays bare. According to a letter from Anthropic addressed to senators Tim Scott and Elizabeth Warren and revealed by Reuters on June 24, 2026, operators affiliated with Alibaba and its Qwen lab allegedly carried out, between April 22 and June 5, the largest known capability-extraction campaign against the company: more than 28.8 million exchanges through nearly 25,000 fraudulent accounts. It is worth stressing that these are Anthropic's accusations, not facts proven in court; Alibaba—which is also contesting its inclusion on the Pentagon's list of Chinese military companies—did not immediately respond to Reuters.
What is technically interesting is the method. 'Distillation' breaks no locks and steals no weights: it trains a weaker model on the outputs of a more advanced one, simply by conversing with it at massive scale. It is, in a sense, reverse-engineering knowledge. And it poses an uncomfortable problem for the whole industry: if the answers a model gives its legitimate customers are also the vector through which its 'way of reasoning' can be absorbed, then a lab's most valuable asset leaks out the very door through which it delivers value.
The scale cited by Anthropic marks an order-of-magnitude jump from earlier cases the company itself had documented—attributed to DeepSeek, Moonshot AI or MiniMax. That suggests detection of these patterns is maturing: telling 25,000 coordinated accounts apart from 25,000 real users requires sophisticated abuse analytics, and the fact that Anthropic can quantify it with this precision is, in itself, a sign of defensive capability.
The geopolitical frame adds an irony hard to ignore. The letter was sent, according to the account, two days before the Department of Commerce imposed restrictions on Mythos and Fable over fears of their use by foreign military intelligence, forcing Anthropic to disable them globally. The company denounces the theft of its capabilities and, almost simultaneously, sees the deployment of those same models curtailed by its own government. It is the classic dual-use technology dilemma taken to the extreme.
The constructive reading is that we are witnessing the birth of a new discipline: the protection of 'output' as operational intellectual property. Watermarks in responses, intelligent rate limits, detection of synthetic query patterns and, above all, public-private cooperation on threat intelligence—which Anthropic says it supports—will define the next frontier of AI security. The case, whether or not its details are confirmed, has already served a purpose: no one in the sector will look at their API again as merely a revenue channel.