Anthropic is pressing U.S. lawmakers to tighten rules around AI model “distillation,” warning that Chinese competitors are systematically trying to siphon off the capabilities of advanced American systems.
In a detailed letter dated June 10 and addressed to Senate Banking, Housing, and Urban Affairs Committee Chairman Tim Scott and Ranking Member Elizabeth Warren, the company described what it calls the largest known effort to extract know‑how from its Claude chatbot.
According to Anthropic, operators linked to Chinese tech giant Alibaba and its Qwen AI lab orchestrated an industrial‑scale campaign between April 22 and June 5. During that roughly six‑week window, the group allegedly created and controlled almost 25,000 fraudulent accounts (accounts that did not correspond to genuine, organic users) and used them to conduct more than 28.8 million interactions with Claude.
Anthropic characterizes this as a coordinated “distillation attack”: a process where a rival AI system repeatedly queries a more powerful model and uses the responses to train or “clone” its own. The company says the campaign focused on some of Claude’s most sensitive capabilities, including agentic reasoning, advanced software engineering, and long‑horizon planning, exactly the kinds of functions that could be leveraged for complex automation, cyber operations, or strategic decision‑making.
The firm’s executives argue that this is not normal competitive benchmarking but an organized attempt to replicate core intellectual property at scale, bypassing licensing fees, safety guardrails, and export‑control regimes. In their view, AI distillation carried out in this way is the digital equivalent of stealing source code or proprietary designs.
Anthropic told lawmakers that while AI providers expect some level of testing and comparison by rivals, the volume and structure of the traffic associated with the alleged Alibaba‑linked operation went far beyond what could reasonably be considered research or evaluation. Patterns in usage, account creation, and prompt design suggested an automated, scripted effort to systematically map Claude’s behavior and internalize it into another model.
The company is using this incident to call for a clearer legal framework governing how foreign entities may access and interact with U.S. frontier AI systems. It wants Congress to define large‑scale distillation attacks as a prohibited form of economic and technological espionage when conducted without permission, especially by organizations operating under jurisdictions seen as strategic competitors to the United States.
In its correspondence, Anthropic urges lawmakers to consider several measures: stricter verification requirements for high‑volume API users, mandatory reporting of suspected model‑distillation campaigns to federal agencies, and the possibility of targeted sanctions or penalties for overseas actors caught engaging in systematic capability extraction. The company argues that, without such steps, U.S. investments in safe and reliable AI will effectively subsidize foreign models that do not follow comparable safety standards.
Behind Anthropic’s warning is a broader concern: once a model’s behaviors and outputs have been thoroughly scraped and reproduced, they can be embedded into new systems that lack the original’s safeguards, alignment work, and oversight. Safety research that took years and enormous capital to develop could be undermined in months if hostile or negligent actors are allowed to cheaply copy results while ignoring the responsible‑use frameworks that guided their creation.
Industry experts often liken model distillation to photocopying a book: the copy may not be perfect, but if done at enough scale, it can closely approximate the original. In the AI context, this involves feeding millions of carefully crafted prompts into a target model, capturing its responses, and training another system to mimic those outputs. Over time, the distilled model can inherit much of the target’s skill set without ever accessing its weights or code directly.
For U.S. policymakers, the Anthropic-Alibaba dispute highlights a new blind spot in export controls and digital trade. Regulations have historically focused on hardware, data sets, or direct transfers of source code. Distillation exploits a different route: it treats public or semi‑public access to a model’s interface as a tap to be left running until enough behavioral data has been collected to reconstruct a similar system elsewhere.
That raises difficult questions for legislators. Where is the line between legitimate interoperability, academic study, and theft? How should the law distinguish a small university lab that runs comparative tests on multiple models from a well‑funded foreign conglomerate automating tens of millions of queries in order to compress another company’s edge into its own product? And how do you enforce any of this without stifling the open experimentation that has historically fueled progress in AI?
Anthropic’s push for tougher rules is also tied to national‑security fears. If frontier‑level reasoning and planning capabilities can be cheaply mirrored through distillation, adversarial states or affiliated firms might accelerate their own AI programs without bearing the costs or constraints that U.S. developers accept, such as red‑team testing, secure deployment protocols, and misuse mitigation. The risk, in Anthropic’s telling, is that highly capable but poorly governed systems become widely available to actors unconcerned with democratic norms or international stability.
The company’s letter suggests several technical and policy guardrails that could complement legislation. On the technical side, providers could deploy behavioral rate‑limiting, anomaly detection for scripted querying, and dynamic response shaping when usage patterns indicate attempted distillation. On the policy side, Anthropic advocates clearer contractual language prohibiting automated extraction of capabilities, and legal tools that would allow firms to seek redress when their models are systematically targeted.
At the same time, any crackdown on distillation must navigate competing values. Overly aggressive restrictions could hinder cross‑border collaboration, slow the spread of beneficial AI applications, and entrench a small number of dominant players who can afford heavy compliance regimes. Critics warn that framing the issue purely as a geopolitical arms race risks overlooking the importance of open science and shared safety benchmarks that benefit everyone.
Still, many in the field agree that the status quo, where anyone with sufficient capital can spin up thousands of accounts and hammer a frontier model’s API, is unsustainable. Providers are already experimenting with tiered access, where the most sensitive capabilities, such as autonomous agents or code‑generation features, are limited to vetted customers, enterprise contracts, or environments with stronger identity verification.
For companies like Anthropic, the alleged attack by Alibaba‑affiliated operators is not just a matter of competition but a test case for how the United States will treat AI as a strategic asset. The outcome of the current debate in Congress could set precedents for how digital intellectual property, cross‑border AI collaboration, and national‑security concerns are balanced in the coming decade.
As lawmakers weigh their options, the incident underscores a broader reality: in an era when the most powerful AI systems are accessible through a simple web interface or API key, defending them is no longer only about locking down code. It is about deciding who gets to ask what questions, how often, and with what intent, and what happens when the answers themselves become a blueprint for the next generation of competitors.
