Alibaba's Distillation Attack Exposes the New Front in the AI Cold War

DruxAI · June 29, 2026 · Via CNBC

The Gloves Are Off: Anthropic Accuses Alibaba of Largest AI Model Theft in History

Anthropic accused Alibaba of running the largest known AI model theft operation in history in 2025. The accusation involves 28.8 million exchanges with Claude using 25,000 fraudulent accounts, all designed to distill Anthropic's capabilities into Alibaba's own models. This is industrial espionage for the foundation model era, and represents a preview of what the AI Cold War actually looks like.

The technique used is called distillation. An attacker feeds a powerful model millions of queries, collects the model's outputs, and uses that data to train a smaller, cheaper model that mimics the original's behavior. Distillation is not copying code—distillation is copying intelligence itself. Unlike traditional IP theft, distillation is nearly impossible to detect before the fact, because each individual query looks like legitimate use; by the time the pattern is visible, the theft has already happened at scale.

TL;DR

Anthropic accused Alibaba of conducting 28.8 million API exchanges with Claude through 25,000 fake accounts to distill Anthropic's AI capabilities into Alibaba's own models—the largest known AI model theft operation. This "distillation" attack allows adversaries to reverse-engineer expensive frontier models at a fraction of the original development cost using only API access. The incident demonstrates that the AI Cold War is already underway, fought through systematic API exploitation rather than traditional code theft.

Why the Anthropic-Alibaba Case Matters More Than Previous AI Theft Incidents

The Anthropic accusation against Alibaba is not the first distillation campaign Anthropic has caught. In February 2025, Anthropic called out three Chinese AI companies—DeepSeek, Moonshot, and MiniMax—for similar distillation attacks. However, Alibaba's operation dwarfs those earlier efforts in scale and sophistication.

Key claim: Alibaba's distillation operation was a sustained, sophisticated effort over six weeks that used 25,000 fake accounts and 28.8 million API calls to Claude, making it the largest documented AI model theft operation.

The timing creates particular challenges for Anthropic in 2025. Anthropic is currently locked in a dispute with the Trump administration, which has suspended access to Anthropic's latest Claude models (Fable 5 and Mythos 5) for all foreign nationals, including Anthropic's own employees. The Trump administration's stated reason for the suspension is national security concerns. The unstated subtext involves exactly this type of capability leakage through distillation attacks.

Anthropic is attempting to balance two competing objectives in 2025: cooperating with U.S. officials to combat foreign distillation while also pushing back against export controls that restrict Anthropic's own operations. This balance reveals the fundamental tension in American AI policy—how to lead in AI development while preventing adversaries from catching up through capability theft.

Key takeaway: The Alibaba distillation case represents the largest known AI model theft and highlights the impossible position of AI companies that must choose between open API access for revenue and protecting capabilities from systematic exploitation.

The Distillation Arms Race: How AI Model Theft Works

Distillation creates an asymmetric advantage for attackers. Building a frontier AI model costs hundreds of millions of dollars and requires massive compute infrastructure. Distilling an existing frontier model costs a fraction of the original development cost—requiring only API access and patience. Companies like Anthropic and OpenAI essentially publish their capabilities in real time through their APIs, allowing sophisticated actors to reverse-engineer those capabilities at scale.

Key claim: AI model distillation is asymmetric warfare—frontier models cost hundreds of millions to build but can be approximated at a fraction of that cost through systematic API querying.

The White House issued a memorandum in April 2025 calling for coordination against "industrial-scale distillation" of AI models. Anthropic's letter to the U.S. Congress explicitly notes that Alibaba "ignored the Trump Administration's warnings" about distillation attacks. The statement indicates that Alibaba continued distillation operations despite direct warnings from U.S. government officials.

This situation puts AI companies in an impossible position. Open APIs drive revenue and adoption for companies like Anthropic and OpenAI. However, open APIs also create a direct pipeline for capability theft through distillation. Rate limits and usage monitoring provide some protection, but as Anthropic's case against Alibaba demonstrates, determined actors can circumvent these protections with enough fake accounts and distributed infrastructure.

Key takeaway: The White House issued guidance against industrial-scale AI distillation in April 2025, but enforcement remains challenging when theft occurs through public APIs that also generate legitimate revenue.

What Comes Next: The Future of AI Security and API Access

Expect more distillation attacks as the gap between U.S. and Chinese AI capabilities persists. The incentive to distill frontier models only grows as that gap widens. The Chinese AI labs Anthropic named—DeepSeek, Moonshot, MiniMax, and Alibaba—are not rogue actors operating independently. These companies are well-funded operations with implicit or explicit Chinese government backing. For these organizations, distillation is not a bug in their strategy but rather a deliberate feature.

Key claim: Chinese AI companies including DeepSeek, Moonshot, MiniMax, and Alibaba represent well-funded operations with government backing, making distillation a systematic strategy rather than isolated incidents.

For U.S. AI companies, the strategic calculus is shifting in 2025. The era of relatively open API access may be ending for frontier models. The AI industry will likely see more aggressive authentication requirements, usage restrictions, and geographic blocks on API access. Some advanced capabilities may never be exposed through public APIs at all. The vision of AI as a broadly accessible platform collides directly with the reality of geopolitical competition.

For policymakers, the Anthropic-Alibaba case serves as a wake-up call. Export controls on AI chips and model weights matter for AI security, but export controls are not sufficient when models themselves can be approximated through systematic API querying. The White House's coordination efforts on distillation represent a starting point, but enforcement remains unclear when the theft happens through public APIs at massive scale.

Key takeaway: U.S. AI companies will likely implement more aggressive API restrictions, authentication requirements, and geographic blocks as distillation attacks increase, potentially ending the era of open access to frontier AI capabilities.

Bottom Line: The AI Cold War Is Being Fought Through API Calls

Alibaba did not need to steal Anthropic's source code or model weights to conduct the largest AI model theft in history—Alibaba only needed patience and API keys. This reality fundamentally changes how the AI industry and policymakers must think about both model security and AI policy.

Key claim: Anthropic caught Alibaba's distillation attack involving 28.8 million API calls, but the number of undetected distillation operations currently running against U.S. AI companies remains unknown.

The AI Cold War between the United States and China is not coming in the future—the AI Cold War is already here in 2025, and the war is being fought one API call at a time. American AI labs face a binary choice: secure their capabilities through restricted access or watch those capabilities get distilled away by adversaries who face no similar constraints. There is no middle ground remaining in this competition.

Key takeaway: The Alibaba distillation case proves the AI Cold War is already underway, with attackers exploiting the fundamental tension between open API access for business growth and protecting AI capabilities from systematic theft.

Frequently Asked Questions

What is AI model distillation and why is it a security threat?

AI model distillation is a technique where attackers query a powerful AI model millions of times, collect its responses, and use that data to train a smaller model that mimics the original's capabilities. It's a security threat because it allows competitors to steal AI capabilities without accessing the underlying code or model weights, at a fraction of the cost of building the original model.

How did Alibaba allegedly steal from Anthropic's AI models?

According to Anthropic's letter to Congress, Alibaba-affiliated operators created approximately 25,000 fraudulent accounts and conducted 28.8 million exchanges with Anthropic's Claude models between April 22 and June 5, 2026. This systematic querying allowed them to extract and replicate Claude's capabilities in their own models.

Can AI companies prevent distillation attacks on their models?

Prevention is difficult because distillation attacks use legitimate API access at scale. Companies can implement rate limits, enhanced authentication, usage monitoring, and geographic restrictions, but determined actors with sufficient resources can circumvent these measures using distributed infrastructure and multiple fake accounts. There's no perfect defense short of severely restricting or closing API access entirely.
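The point made in the arms-race section above and in this answer is that per-account rate limits are evaded by spreading the workload across many fresh accounts, so detection has to correlate traffic across accounts rather than police each one in isolation. The Python sketch below is an added example, not code from the article, DruxAI or Anthropic; the log format, account ids, ASNs, prompt-template hashes and thresholds are all constructed assumptions.

```python
"""Cross-account correlation for distillation-style API abuse. Added example,
not from the article, DruxAI or Anthropic; the log format, ids, ASNs,
template hashes and thresholds are constructed."""
from collections import Counter, defaultdict

PER_ACCOUNT_LIMIT = 5   # assumed per-account request cap for the window
FLEET_LIMIT = 12        # assumed cap for one (asn, prompt template) group
MIN_ACCOUNTS = 3        # a "fleet" needs several distinct accounts

def parse_log(text):
    """Parse lines of 'timestamp account asn template_hash' into tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, asn, template = line.split()
            events.append((ts, account, asn, template))
    return events

def over_per_account_limit(events, limit=PER_ACCOUNT_LIMIT):
    """Classic per-account rate limiting: accounts that exceed the cap."""
    counts = Counter(account for _, account, _, _ in events)
    return sorted(a for a, n in counts.items() if n > limit)

def coordinated_fleets(events, fleet_limit=FLEET_LIMIT, min_accounts=MIN_ACCOUNTS):
    """Group traffic by shared network origin and prompt template across
    accounts; flag groups whose combined volume exceeds the fleet cap even
    though every member account stays under the per-account cap."""
    groups = defaultdict(Counter)
    for _, account, asn, template in events:
        groups[(asn, template)][account] += 1
    flagged = {}
    for key, per_account in groups.items():
        total = sum(per_account.values())
        if len(per_account) >= min_accounts and total > fleet_limit:
            flagged[key] = {"accounts": sorted(per_account), "requests": total}
    return flagged

# Constructed sample traffic: four fresh accounts on one ASN replaying the same
# prompt template, 4 requests each (under the cap), plus two unrelated accounts.
SAMPLE_LOG = "\n".join(
    [f"2026-04-22T10:{m:02d}:00 acct-{a:04d} AS64500 tmpl-a1"
     for a in range(1, 5) for m in range(4)]
    + ["2026-04-22T10:30:00 acct-0101 AS64496 tmpl-zz"] * 5
    + ["2026-04-22T10:40:00 acct-0102 AS64511 tmpl-a1"] * 2
)

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-account breaches:", over_per_account_limit(events))  # []
    print("coordinated fleets:", coordinated_fleets(events))
```

The per-account check reports nothing, while the fleet check flags the four accounts that together exceed the group cap; in production the grouping keys would be whatever shared signals the provider actually has (payment fingerprint, device attestation, network origin, prompt structure), not just an ASN.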
