Zendoric
← Back to the day · July 14, 2026

Anthropic's Qwen Distillation Claim Exposes the Real Weak Spot: API Defenses, Not China

🕒 Published on Zendoric: July 14, 2026 · 00:03

Anthropic alleges Alibaba's Qwen lab ran 28.8 million queries through ~25,000 fake accounts to distill Claude's coding skills. The accusation is unproven and geopolitically loaded — but the uncomfortable truth it reveals is that per-account rate limiting failed for six weeks straight.

The facts, as Anthropic frames them: in a June 10 letter to US Senators Tim Scott and Elizabeth Warren — made public through Reuters and others around June 24-25 — the company accuses Alibaba's Qwen lab of orchestrating a coordinated distillation attack. Roughly 25,000 fake accounts allegedly generated more than 28.8 million interactions with Claude between April 22 and June 5, 2026, with the aim of extracting Claude's advanced coding capabilities to train Alibaba's own models. Crucially, these are allegations: Alibaba has not publicly responded, no regulatory action has followed, and the claim of intent has not been independently verified. It should be read as Anthropic's accusation, not as established fact.

The technique itself is mundane, which is precisely why it matters. Distillation means feeding a strong model carefully crafted prompts, harvesting its answers, and using them to train a cheaper 'student.' What made this campaign notable, per Anthropic, was its patience: activity was kept below standard per-account limits — an average of about 1,152 queries per account, roughly 26 a day — so no single account looked suspicious. Spread across tens of thousands of accounts over six weeks, the aggregate was enormous while each fragment stayed invisible.

Our reading starts by separating two stories that are being deliberately fused. Story one is geopolitical — 'China stole American AI' — and it is the one built for a Senate audience. Story two is technical, and it is the one that should actually keep the industry awake: if a leading lab cannot detect a 28.8-million-query extraction running for six weeks in real time, then per-account rate limiting is not a security model, it is a speed bump. That is the durable lesson here, and it applies to every API-based AI service regardless of who the adversary is. Anthropic's disclosure is simultaneously an admission of that vulnerability and a strategic bid to reframe it as a national-security matter deserving protective policy. Both things can be true at once.

This fits a pattern we've been tracking: the AI contest is fragmenting into blocs, and distillation accusations are becoming its recurring flashpoint — echoing earlier friction like Alibaba's internal ban on Claude Code and mutual charges of copying. It's worth being honest that the West's frontier labs trained on vast swaths of others' data too; 'distillation' as a grievance is partly a boundary being drawn now that the outputs themselves are the crown jewels. When a rival's gains can be attributed to extraction rather than research, the narrative conveniently sidesteps a harder question about how much genuine ground China's open-weight models have actually closed.

Where does this go? Toward a rethink of how frontier capabilities are metered and monitored — behavioral detection across accounts, provenance and watermarking of outputs, contractual and legal guardrails on API use. That's healthy: robust, evidence-based governance beats regulating panic. The risk we'd flag for the short term is the opposite reflex — lawmakers weaponizing an unverified letter to justify blunt restrictions that entrench incumbents and slow the open ecosystem that democratizes access. The long game is unchanged and still worth defending: the point of these coding capabilities is to accelerate cures, science and abundance. Guarding them sensibly against theft is legitimate; using theft accusations as a pretext to wall off progress is not. The goal is to protect the value without strangling the diffusion that makes it matter.

🔗 Related on Zendoric

Sources & references