Anthropic asks U.S. Congress to curb AI distillation attacks by Chinese rivals

By Decrypt · June 25, 2026.

Anthropic has told the U.S. Senate Committee on Banking, Housing, and Urban Affairs about what it describes as the largest known AI model distillation campaign against its Claude chatbot. In a letter dated June 10, 2026, addressed to committee chairman Senator Tim Scott and ranking member Elizabeth Warren, the company accuses operators affiliated with Alibaba and its AI lab Qwen of generating more than 28.8 million exchanges with Claude between April 22 and June 5, using nearly 25,000 fraudulent accounts—that is, accounts that do not represent real or organic users.

**What model distillation is and why it matters in agentic AI**

Model distillation is a technique in which a smaller or less capable AI system learns to imitate the behavior of a larger one by observing its outputs. In its legitimate form, it makes it possible to build compact, efficient models from large-scale systems. What Anthropic is denouncing is a fraudulent version of this process: the massive, systematic use of unauthorized access to the model to extract its most sophisticated capabilities—agentic reasoning, software engineering, and long-term planning—without incurring the enormous computational and research cost of training a frontier model from scratch.

This angle is especially relevant to agentic AI. The capabilities that, according to Anthropic, were targeted for copying are not those of a generic chatbot, but precisely those that define an autonomous agent capable of executing complex, multi-step tasks: chained reasoning, tool use, long-horizon planning, and engineering problem-solving. If a competitor manages to replicate those capabilities at low cost, it can drastically reduce the competitive advantage that Anthropic—and, by extension, the U.S.—holds in this emerging field.

**The details of the accusation against Alibaba**

Anthropic stated in its letter that the campaign was «striking in its brazenness.» The company noted that Alibaba is listed on the New York Stock Exchange, maintains commercial operations in the U.S., and answers to American investors and regulators. As an entity with a direct presence in the U.S. stock market, its involvement in an operation of this kind takes on a greater regulatory and political dimension than if it were a company entirely outside the U.S. financial system.

The scale of the attack also far exceeds the precedent Anthropic itself had disclosed months earlier. In February 2026, the company had already alleged that the Chinese AI developers DeepSeek, Moonshot AI, and MiniMax had generated more than 16 million exchanges with Claude using approximately 24,000 fraudulent accounts. The new case linked to Alibaba nearly doubles that figure in terms of interactions, raising the cumulative total of alleged unauthorized distillation attacks to tens of millions of queries.

**The national security argument**

Anthropic does not present the case solely as a violation of its terms of service or as an intellectual property issue. The company explicitly frames it as a threat to U.S. national security, arguing that when labs in the People's Republic of China (PRC) extract capabilities from American models, they accelerate the development of Chinese military and cyber AI tools while narrowing the technological gap with Washington.

In the words of the letter itself, reproduced in the article: «When PRC labs distill these capabilities from U.S. models, they capture the returns on American investments without bearing the costs or risks associated with training frontier AI models. This inverts the economic logic underpinning American AI leadership, turning billions of dollars in U.S. research and development, compute, and other investments into a subsidy for our competitors.»

This political framing is deliberate: by turning unauthorized distillation into a national security matter, Anthropic seeks to mobilize the same regulatory and legislative mechanisms already activated for advanced semiconductors, broadening the debate beyond the purely technological or commercial sphere.

**The five specific requests to Congress**

The letter does not merely denounce a situation; it proposes a legislative program with five lines of action:

1. **Expand intelligence sharing** between frontier AI developers and the U.S. government, so that companies can quickly raise the alarm about ongoing distillation attacks and receive information about state actors operating against them.

2. **Clarify antitrust rules** to allow AI companies to share information with each other about distillation attacks without incurring legal liability for coordination among competitors. Currently, antitrust law may deter companies from sharing intelligence about common threats, which benefits the attackers.

3. **Strengthen export controls** on advanced AI chips and compute capacity, closing the avenues through which Chinese actors access the infrastructure needed to process and exploit the extracted data.

4. **Close the legal loopholes** that allow Chinese companies to access data centers located outside the U.S. (in third countries) to circumvent the current restrictions on access to American AI infrastructure.

5. **Impose economic sanctions** on the companies responsible for mass model extraction, creating a financial disincentive comparable to the harm they inflict.

**The political context: Washington already has the issue on its radar**

The letter comes at a time when the Trump administration and Congress are stepping up their efforts to protect U.S. leadership in AI. According to the article, President Trump signed an executive order in early June expanding AI-driven cybersecurity initiatives, although the measure was delayed by concerns about whether it could weaken the U.S. competitive position against China. Anthropic's letter slots directly into that political narrative, offering a concrete, quantifiable case that lawmakers can use to justify new regulations.

**The underlying tension: where does legitimate distillation end and theft begin?**

The debate over distillation has grown considerably more complex in recent months, and the article itself reflects this with a significant fact: in April 2026, Elon Musk testified in a federal court proceeding that xAI had «partially» used OpenAI models during the training of Grok. This admission underscores that distillation is an established practice in the industry, even among the leading Western companies.

Anthropic has tried to distinguish between the two cases: conventional distillation—which it considers legitimate—serves to produce smaller, cheaper models from large ones, whereas the unauthorized extraction of frontier capabilities through fraudulent access violates its terms of service and constitutes a qualitatively different harm. However, this distinction has drawn criticism from observers who note that the conceptual boundaries are blurry and that AI companies themselves use competitors' data in ways they criticize in others.

This ambiguity makes the legislative response delicate: a rule that is too broad could criminalize common training practices across the industry, while one that is too narrow could prove ineffective against sophisticated extraction campaigns.

**Implications for the agentic AI ecosystem**

From the perspective of agentic AI, this case illustrates a structural vulnerability of models as a service (MaaS): the more capable an agent is and the more accessible its API, the greater the risk that bad actors will use it to systematically extract its capabilities. The 28.8 million exchanges generated in just over six weeks represent a volume of interaction that, if designed to capture agentic reasoning patterns, could provide an enormously valuable training set.

For companies and developers building on frontier model APIs, this case raises questions about how much of their own technological investment—in elaborate prompts, custom reasoning chains, or proprietary agentic workflows—is exposed when interacting with base models accessible through APIs. If base models can be copied through mass distillation, the barriers to entry in the agentic AI sector could erode faster than anticipated.

**Anthropic's position and response**

A company spokesperson confirmed the existence of the letter to Decrypt without going into specific details, stating: «We believe that combating the threat of illicit distillation requires coordinated action between government and industry, and we will continue working with Congress and the administration to maintain American AI leadership.»

This stance is consistent with Anthropic's broader strategy of positioning itself as a «responsible» AI actor aligned with U.S. national interests, which allows it to simultaneously push for regulatory protections that benefit its business model and project the image of a company that places safety above commercial short-termism.

**Outlook: a regulatory precedent in the making**

If Congress acts on these recommendations, it could set a global precedent for how the capabilities of frontier AI models are legally protected. Until now, intellectual property in AI has been debated mainly in terms of training data and copyright. Unauthorized distillation opens a different front: that of model weights and reasoning capabilities as protectable strategic assets. The legislative response—or its absence—will largely define the rules of the game for global AI competition in the coming years.