Anthropic filed largest-ever model-distillation lawsuit against Alibaba, following suits against other Chinese AI companies.

On June 10, 2026, Anthropic submitted a letter to the U.S. Senate Banking Committee, directly targeting Alibaba's Qwen team. The report disclosed striking numbers: over a 45-day period from April 22 to June 5, operators associated with Alibaba used 25,000 accounts to complete 28.8 million interactions.

What does 28.8 million conversations mean? For industry context: mainstream, high-quality SFT (supervised fine-tuning) datasets typically range from hundreds of thousands to a few million in scale. 28.8 million targeted interactions focused on core capabilities would be sufficient to distill, at low cost, a highly competitive specialized model within specific task domains.

This triggered Anthropic's acute alarm. In their view, the opposing party's behavior was laser-focused, systematically targeting the core strengths of their latest flagship model, Mythos Preview—specifically its software engineering and reasoning agent capabilities.

Anthropic characterized the behavior in their letter as "the largest-scale attempt to date by a Chinese company to free-ride on a top American research laboratory."

On February 23, 2026, Anthropic published a blog post titled "Detecting and Preventing Distillation Attacks," publicly naming three Chinese AI labs: DeepSeek, Moonshot AI (Kimi), and MiniMax (Xiyuan Technology).

The report showed approximately 24,000 China-linked accounts launching over 16 million interactions with Claude, with MiniMax accounting for over 13 million, Moonshot AI over 3.4 million, and DeepSeek over 150,000.

From 16 million to 28.8 million interactions, the scale doubled. Anthropic's counteroffensive escalated from technical exposure in February to political pressure by June.

The recipients of this letter—Senate Banking Committee Chair Tim Scott and ranking member Elizabeth Warren—represent two of the most formidable figures in American politics, specifically tasked with foreign economic sanctions and domestic financial regulation.

According to Bloomberg, following the letter's submission, U.S. Senators Bill Hagerty and Andy Kim quickly followed up. They plan to push an amendment into the Defense Act imposing strict sanctions or direct blacklisting of any Chinese company engaged in "improperly obtaining outputs from American AI models to train competing systems."

In fact, beyond the White House, Silicon Valley is forming a defensive alliance. Anthropic, OpenAI, and Google have quietly coordinated to begin sharing intelligence on unauthorized data scraping.

In overseas media reports, American officials estimated that such unauthorized "industrial-scale" distillation activities cause Silicon Valley labs tens of billions of dollars in annual losses, directly threatening Anthropic's forthcoming high-profile IPO.

Through increasingly severe accusations, what Anthropic truly seeks to establish is not merely commercial protection for one company, but rather a new absolute red line across American government and industry: using API outputs to train competing models constitutes an illegal breach.

In this comprehensive containment effort, U.S. government technology restrictions are tightening dramatically, resonating with the earlier industry-wide "emergency removal of Fable 5 and Mythos 5" incident.

In stark contrast to the confrontation on Capitol Hill, on technical forums like Reddit where developers congregate, reactions to Anthropic's allegations have been nothing short of mockery.

The most classic refrain is "it takes a thief to catch a thief." Critics point out that Anthropic itself rose to prominence through data theft. During early model training, the company faced the largest AI copyright infringement case in American history after illegally downloading millions of protected books, ultimately forced to swallow a $1.5 billion settlement.

Even Elon Musk openly attacked Anthropic in February of this year, calling them North America's biggest "data thieves" after they accused DeepSeek, Moonshot AI (Kimi), and MiniMax of launching distillation attacks—hypocritical and disingenuous.

Some also unearthed a notorious boomerang from the industry: Anthropic's Claude 4.8 model, when answering certain questions, revealed that it was actually "developed by Alibaba's Qwen model." The criticism: "The industry has normalized mutual data laundering and copying—your model runs on Qwen's blood, yet you turn around and accuse Alibaba of plagiarism?"

Others questioned why paying for normal API usage differs from any other customer, arguing it constitutes commercial breach at most—yet somehow becomes "malicious cyber attack" and "national security threat" when discussed in Congress.

Some technically-minded critics expressed disdain for Anthropic's leadership: "Faced with technical vulnerabilities, instead of improving their own AI defense layers and anti-scraping capabilities, they just run to the Trump administration to tattle."

Perhaps most ironic was a power user's lament: "My only real concern is whether Fable 5 can come back. Anthropic simultaneously complains to the White House about their models being copied while hoping the models get unlocked. At this rate, Fable 5 probably isn't coming back."

Fundamentally, "distillation" is normal practice in AI training: use a powerful existing model as the "teacher," have it answer questions, then take those answers to train a lighter-weight "student" model. The student learns the teacher's ability to answer questions, but at a fraction of the training cost.

Meta's early LLaMA versions trained on ChatGPT outputs—this is no industry secret.

What Anthropic accuses as "adversarial distillation" takes this approach to its extreme. No need to spend billions buying compute or annotating data yourself—simply continuously send carefully crafted questions to the target model, batch-save its high-quality responses, and you possess a ready-made training corpus.

This saves substantial money. By Claude's public API pricing, 28.8 million interactions would cost millions of dollars even with enterprise discounts. But compared to training a model from scratch with equivalent software engineering capabilities, this figure might be merely a line item.

That is Anthropic's core grievance: the other party bypassed years of technical accumulation and massive investment, acquiring capabilities worth billions of dollars with hundreds of millions in API calling costs.

There are two distinct categories of learned abilities. One is "task capability"—writing code, solving math, composing text. These can be quickly learned by a model given sufficient correct answers, and this portion *can* be distilled.

The other is "safety alignment"—knowing not to leak user privacy, not to assist crime, not to output dangerous content. These safety rules aren't learned through repeated problem-solving, but through exceptionally fine-tuned "behavioral correction" training. Each time a model attempts to overstep, a trainer penalizes and corrects it.

In the 28.8 million exported conversations, dangerous questions intercepted and refused by the system were all filtered out. The result: the student model learned top-tier capabilities while missing the lesson of "what not to say." Once deployed into the real world, greater capability translates to greater risk of failure.

Anthropic's ability to detect these 25,000 anomalous accounts relied on "behavioral pattern analysis"—finding inconsistencies. Examples include abnormally clustered registration times, IP addresses geographically bunched together, highly similar question content, and request frequency far too rapid to be human.

But this is merely basic defense. Some top AI labs have already deployed a more potent weapon: "output fingerprinting" technology. Like invisible watermarks, it embeds statistical hidden markers into each model output. Anyone using that content to train a new model can later be precisely traced and identified upon detection.

As the saying goes, "the tao is one foot high, the demons ten feet higher." Today you ban 25,000 accounts; tomorrow the other side registers distributed accounts using countless different virtual credit cards and dynamic proxy IPs. You analyze query patterns to catch bot accounts; they deliberately code in human-like pauses and filler to disguise themselves. You embed invisible output fingerprints; they wash them away through rewriting, translation, and noise injection.

But if sanctions lists take effect, the rules change. Then it ceases to be a purely technical "anti-scraping" or "API offense-defense" matter. "Which training data sources a model derives from" becomes a subject of rigorous regulatory scrutiny.

For everyone working in the LLM engineering chain, this outcome directly determines future compliance boundaries: which data sources are legal? Which model behaviors face retroactive punishment? Which companies get blacklisted for having training data of "questionable origin"?

This is Anthropic's true ambition—establishing on the ruins a new global AI order defined by them and executed through political force.