Anthropic Accuses Alibaba of "Adversarial Distillation" in 2026

Anthropic Accuses Alibaba of "Adversarial Distillation" in 2026

Artificial intelligence is entering a new phase of its geopolitical confrontation. Following the battle over semiconductors, data centers, and next-generation chips, the exploitation of the models themselves is now at the center of tensions.

According to Bloomberg, in a letter, Anthropic claims that Alibaba orchestrated a campaign between April and June 2026, relying on nearly 25,000 fraudulent accounts to generate 28.8 million interactions with Claude. According to the American company, the goal was not to use its conversational assistant but to methodically extract its capabilities to train competing models. In a letter addressed to several U.S. senators and the White House, Anthropic describes this operation as a campaign of " adversarial distillation" conducted on an industrial scale.

An Old Technique Becomes a National Security Issue

Distillation is not illegal in itself. For several years, it has been one of the classic techniques in machine learning.

The principle is simple. A large model, called the " teacher," is used to train a second, more compact model, the " student." The student learns to replicate the behavior of its teacher while requiring much less memory, computational power, and inference costs. This approach is used throughout the industry to deploy models on smartphones, embedded devices, or less expensive infrastructures.

In this context, distillation represents a perfectly legitimate optimization tool. "Adversarial distillation" relies on a radically different logic.

The lab wishing to train its model no longer uses its own system as a teacher. Instead, it massively queries a competitor's model, collects its responses, structures them, and then reinjects them into its own training process.

In this case, Claude would unwittingly become the teacher of a competing model.

This distinction is essential because what Anthropic is denouncing is not the distillation technique itself, but its unauthorized use against a proprietary model to reproduce part of its capabilities.

Reproducing Years of Research for a Fraction of the Cost

The economics of frontier models explains the intensity of Anthropic's reaction.

Developing a model like Claude requires several billion euros in investments. Labs mobilize hundreds of thousands of GPUs, some of the most powerful computing infrastructures in the world, and several months of continuous training. These costs are compounded by expenses related to datasets, alignment, security assessments, and research teams.

Distillation promises to significantly reduce this bill.

By querying an existing model on millions of cases, an actor can retrieve reasoning patterns, problem-solving strategies, alignment preferences, or specialized behaviors in areas such as programming or autonomous agents. They do not directly copy the model's weights but seek to replicate its observable behavior.

For American labs, this approach amounts to capturing part of the value created during training without having to bear the same investments. An economic asymmetry that fuels industry concerns.

Why Anthropic Describes It as an Industrial Operation

The figures presented by Anthropic illustrate a change in scale. The company mentions nearly 25,000 fraudulent accounts that generated 28.8 million conversations over the course of three months. According to them, the queries primarily targeted Claude's most advanced capabilities, including software development and agentic reasoning.

This description moves away from a simple misuse of an API. Anthropic describes an automated infrastructure capable of circumventing account limitations, distributing queries across a large number of identities, and systematically collecting the model's responses. The terminology used, " industrial scale," brings these practices closer to cyberespionage campaigns or massive data collection operations.

Republican Senator from Tennessee, Bill Hagerty, and Democratic Senator from New Jersey, Andy Kim, plan to introduce an amendment aimed at sanctioning companies engaging in such practices.

Where Does Learning End and Copying Begin?

However, the case raises a largely open legal question. All labs evaluate their competitors' models. Public benchmarks, performance comparisons, or response analyses are common practices in AI research.

The difficulty lies in defining when an evaluation process becomes an attempt at industrial reproduction.

• The number of queries?
• Their automation?
• The intended objective?
• The data thus constituted?

No legal framework currently provides clear answers to these questions, and this gray area explains why Anthropic seeks to shift the debate from the contractual realm to that of national security. If distillation is presented as a strategic threat rather than a simple violation of API usage terms, it paves the way for economic sanctions and government intervention.

A New Frontier for Cybersecurity

The consequences will also be technical. Labs will likely not be able to completely prevent distillation. However, they will seek to make it more difficult, more costly, and more easily detectable.

This opens a new field for cybersecurity applied to artificial intelligence.

• Behavioral detection of users,
• Dynamic query limitations,
• Digital fingerprints of responses,
• Intelligence sharing between labs, and
• Watermarking mechanisms are all avenues already explored by major American players.

As models gain value, their APIs also become critical infrastructures.