AI News
June 25, 2026

Anthropic warns the White House: Alibaba tried to 'harvest' capabilities from its Claude models through distillation attacks

Anthropic sent a formal letter this week to White House officials and several US senators warning that Chinese tech giant Alibaba (BABA) was allegedly running an industrial-scale effort to illicitly access its Claude models.

By Seeking Alpha (via Bloomberg) · June 24, 2026.

Anthropic sent a formal letter this week to White House officials and several U.S. senators warning that Chinese tech giant Alibaba (BABA) is allegedly carrying out an industrial-scale effort to illicitly access its Claude models. The story was first reported by Bloomberg; Seeking Alpha's piece cites Bloomberg as its primary source.

The key term Anthropic uses in its complaint is 'distillation attacks'. Although the Seeking Alpha article was partially paywalled and the full detail of the letter cannot be read, the visible fragment confirms that the company describes these actions as an organized, large-scale effort to extract knowledge from Claude's proprietary models in order to reproduce or transfer their capabilities.

As sector context: a distillation attack consists of systematically using the responses of a high-capacity AI model (the 'teacher' model) to train a different model owned by the attacker (the 'student' model). This method allows the attacker to approximate the capabilities of the original model without having invested in the training data or the research that underpins it. In practice, it can be carried out through millions of automated queries to the target model's API, with the outputs collected and used as training labels. OpenAI already denounced the use of this technique by Chinese actors against its own models in 2025, so Anthropic's complaint fits into a pattern that is consolidating.

Anthropic's decision to communicate this directly to the White House and the Senate —and not only through the usual legal channels— is significant. It indicates that the company considers the incident not merely a breach of its terms of service, but a national security matter requiring an institutional response at the federal level. Anthropic has historically been a company very aligned with AI safety concerns, and its very founding is tied to debates over the control and alignment of advanced systems. This stance reinforces its public narrative as a responsible actor before the legislative and executive branches.

From an agentic AI standpoint, this type of attack is especially worrying because Anthropic's most powerful models —the Claude 3 family and its successors— are deployed massively in agentic pipelines: systems that chain calls to the model, use external tools, access databases and execute complex autonomous tasks. If an adversary manages to distill Claude's reasoning, planning and tool-use capabilities into its own model, it could gain advantages in agentic AI scenarios with both commercial and security implications.

In general, the technological race between the United States and China in the field of frontier AI has intensified controls on chip exports (NVIDIA H100, A100), but software models —and their implicit capabilities— are not covered in the same way by current export control regulations. This leaves a regulatory gap that distillation attacks exploit directly: instead of trying to access the hardware or the source code, the adversary extracts the model's 'knowledge' through its public API or through accounts created for that purpose.

Alibaba, for its part, competes in the language model market through its Qwen series (Tongyi Qianwen), which has gained notable traction in international benchmarks and is also distributed as open source. The company has not publicly responded to the accusations, at least according to the information available in the article. It should be stressed that Anthropic's allegations are just that: allegations contained in a letter. There is at this time no judicial ruling or official confirmation from the U.S. government.

The fact that the news comes from Bloomberg, an outlet with regular access to government and corporate sources in Washington, adds credibility to the report, although its nature remains that of a private complaint made public, not a formal accusation or a finding verified by third parties.

For developers and integrators who use Claude as the backbone of their agentic systems, the episode is a reminder that the APIs of foundation models are attack surfaces not only for ordinary abusive uses (spam, disinformation), but also for competitive or state intelligence operations at scale. This could accelerate the introduction by Anthropic and other companies of more sophisticated mechanisms to detect anomalous query patterns, differentiated rate limiting by user profile, and possibly stricter identity verification requirements to access the most advanced models.
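To make "anomalous query patterns" and "differentiated rate limiting" concrete, here is a minimal per-account scoring sketch. It is an example added to this article, not code from Anthropic or any provider; the log fields, the two signals, the thresholds and the tier names are all assumptions chosen for illustration.

```python
import statistics
from collections import Counter, defaultdict

# Illustrative thresholds (assumptions, not values used by any vendor).
MIN_REQUESTS = 20         # too little traffic to judge below this
MAX_GAP_CV = 0.2          # machine-paced traffic has very regular gaps
MIN_TEMPLATE_SHARE = 0.8  # most prompts share one fixed opening

def skeleton(prompt, words=4):
    """Crude template key: the first few lowercase words of a prompt."""
    return " ".join(prompt.lower().split()[:words])

def score_account(events):
    """events: non-empty list of (unix_ts, prompt) for one account."""
    events = sorted(events)
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    mean_gap = statistics.mean(gaps) if gaps else 0.0
    if mean_gap:
        gap_cv = statistics.pstdev(gaps) / mean_gap
    else:  # same-timestamp burst counts as perfectly regular
        gap_cv = 0.0 if gaps else float("inf")
    top = Counter(skeleton(p) for _, p in events).most_common(1)[0][1]
    return {"requests": len(events), "gap_cv": gap_cv,
            "template_share": top / len(events)}

def tier(sig):
    """Map signals to a rate-limit tier: one hit throttles, two go to review."""
    if sig["requests"] < MIN_REQUESTS:
        return "normal"
    hits = (sig["gap_cv"] <= MAX_GAP_CV) + (sig["template_share"] >= MIN_TEMPLATE_SHARE)
    return ("normal", "throttle", "review")[hits]

def classify(log):
    by_account = defaultdict(list)
    for account, ts, prompt in log:
        by_account[account].append((ts, prompt))
    return {acct: tier(score_account(ev)) for acct, ev in by_account.items()}

def sample_log():
    """Constructed traffic for three hypothetical accounts (not real data)."""
    log = [("acct-harvest", 1000 + 2 * i, f"Explain step by step how to solve problem {i}")
           for i in range(40)]                      # fixed pace, fixed template
    log += [("acct-batch", 5000 + 60 * i, f"Summarize ticket {i}")
            for i in range(30)]                     # fixed pace, varied prompts
    ts = 9000
    for i in range(25):                             # irregular pace, varied prompts
        log.append(("acct-human", ts, f"Question {i} about my project"))
        ts += (i * 37 % 101) + 1
    return log

if __name__ == "__main__":
    print(classify(sample_log()))
```

The scheduled batch account trips only the timing signal, which is why a single hit throttles rather than escalates: legitimate automation looks machine-paced too, so volume or regularity alone is a weak indicator.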

From a regulatory perspective, the incident may fuel the debate in Congress over whether frontier AI models should be classified as sensitive assets subject to controls similar to those for dual-use technology (civilian and military). The EU AI Act does not directly address this type of cross-border threat, although its provisions on high-impact general-purpose models (GPAI) could eventually incorporate use-traceability requirements.

Looking ahead, if Anthropic's complaint results in concrete actions —sanctions, API access restrictions for entities linked to China, or new federal regulations— it could mark a turning point in how access to the world's most powerful AI models is governed. The geopolitics of AI is no longer limited to silicon: now it also runs through API calls.