Anthropic versus Alibaba: the 'distillation attack' that tests AI's competitive moat and the sector's trillion-dollar valuation

Published on Zendoric: June 28, 2026 · 09:00
Anthropic alleges that Alibaba used fake accounts to extract Claude's capabilities and train rival models at low cost. The case exposes a critical legal gap in export controls and complicates the narrative of a one-trillion-dollar IPO.
By Zendoric · June 28, 2026.
There is a way to steal an artificial intelligence model without touching a single chip or copying a single line of source code: simply use it. That is, in essence, what Anthropic alleges Alibaba did with Claude (and it is worth stressing that this is an accusation not yet proven in court). According to the company, agents of the Chinese firm allegedly created fake accounts to interact systematically with the model through its API and, from those interactions, train their own competing systems at a fraction of the original development cost. The technique is known as model distillation, and the Anthropic-Alibaba case has elevated it from a technical concept to a geopolitical problem of the first order.
What makes this episode especially revealing is not the dispute itself, but the regulatory vacuum it exposes. Kevin Wolf, former assistant secretary of Commerce for export administration, explained it with surgical precision to Fortune: 'Querying a model through an API is not exporting the model.' Current export controls were designed to restrict hardware (mainly chips) and tangible software such as Anthropic's Mythos and Fable models. But the method described in Anthropic's allegations operates on a different layer: it does not extract the model's weights directly, but rather learns from its accumulated responses. It is a distinction that, legally, leaves the door open.
This legislative gap is the center of gravity of the debate in Washington. Sarah Heck, Anthropic's policy director, has urged Congress to extend export controls to advanced compute. President Trump already described, in an April memorandum, the efforts of Chinese companies to distill U.S. frontier models as 'unacceptable,' although political condemnation is not the same as a legal mechanism. More concrete is the Remote Access Security Act, introduced by Representative Michael Lawler, a New York Republican, which would penalize foreign access to U.S. technology through cloud services when it poses a national security risk, even if that access is 'negligent.' The proposal has long been in committee, but according to Wolf, Anthropic's new allegations could give it enough momentum to move forward. There is also an institutional gap to fill: the Biden administration designed a framework to prevent China from accessing cloud compute for AI and model weights, but Trump revoked it just days before it was due to take effect.
The political timing is no accident. Anthropic has, on its immediate horizon, an IPO that analysts place at around a one-trillion-dollar valuation. And the question the Alibaba case puts on the table for potential investors is uncomfortable but legitimate: how defensible is the competitive moat of a company whose principal asset, a frontier language model, can be partially replicated through its own public interface?
Jay Ritter, one of the leading experts on IPOs, offers two opposing readings to Fortune. The first: becoming the target of Chinese competition can reposition Anthropic as a national strategic asset, which in the current political climate carries real market value. The second, and according to Ritter the more decisive one: if investors conclude that Anthropic's moat is not sufficiently defensible, the company's ability to sustain its extraordinary pace of revenue growth is called into question. 'Both viewpoints have merit, but I think the second one, the one that affects profitability, would be the dominant one,' he stated.
Harrison Rolfes, senior analyst at PitchBook for private companies, introduces an important nuance with an effective analogy: corporate investors who buy technology prefer the new car with all the features, even if it is more expensive. His argument is that, even if Alibaba has managed to distill Claude's capabilities, the original retains a trust differential that companies, especially American ones, are not willing to sacrifice for cost savings. Trust in Chinese models among Western corporations remains low, and that cultural and compliance factor is, for now, an invisible but real component of Anthropic's moat.
What this episode clearly reveals is a structural tension that defines the current phase of frontier AI development: the business model based on exposing capabilities through an open API (a source of revenue, adoption and feedback data) is also the vulnerability vector that is hardest to close without eroding the value proposition itself. Restricting API access to thwart possible distillation attacks would be tantamount to raising the castle's drawbridge and leaving legitimate customers outside.
As sector context, model distillation is neither a new phenomenon nor one exclusive to Chinese actors. Compressing the capabilities of large models into smaller, more efficient systems is a widespread industry practice. The difference here lies in the scale, in the opacity of the process and in the intent that Anthropic attributes (without judicial proof yet) to Alibaba.
Anthropic, ultimately, is playing a complex game: it needs enough regulation to protect its competitive advantage against actors that are not subject to the same market restrictions, but it must prevent that regulation from becoming a straitjacket that slows its own expansion. Rolfes sums it up well: once the IPO is completed and the public market takes control, the company will have more freedom to define its positioning toward the regulator. Until then, the 'we're on your side' narrative is also a valuation strategy.