Anthropic has disclosed details of the largest Claude cloning attack in the company's history. Alibaba and its AI lab — Qwen — allegedly ran a massive capability extraction campaign between April 22 and June 5, 2026, using nearly 25,000 fraudulent accounts and 28.8 million exchanges. The company is calling on the US Congress to pass legislation that would make such attacks significantly harder.
Key takeaways
- Alibaba's Claude cloning campaign ran for 44 days (April 22 – June 5, 2026)
- 24,887 fraudulent accounts and 28.8 million exchanges — the largest attack Anthropic has ever measured
- The campaign occurred after Trump warned China in April 2026 against industrial-scale AI theft
- Alibaba used obfuscation techniques and proxy networks to avoid detection
- Anthropic proposes three countermeasures: AI firm information sharing, chip export controls, penalties for Chinese labs
Unprecedented scale
Anthropic's June 10, 2026 letter to Senators Tim Scott and Elizabeth Warren describes the campaign as "the largest we have ever measured." The targets were Claude's most valuable capabilities — agentic reasoning, software engineering, and long-horizon tasks. These are precisely the areas where Claude leads over Chinese AI labs.
Technically, the attack relied on systematic model behavior extraction (a distillation attack) through mass fake accounts. This approach allows copying a model's capabilities without incurring training costs — tens of billions of dollars for frontier models. Anthropic argues that such attacks "turn hundreds of billions of dollars in American investment and R&D into a massive subsidy for geopolitical competitors."
Alibaba knew the risks
The Alibaba campaign allegedly began after Donald Trump issued a memorandum warning China against "industrial-scale" AI theft. Anthropic claims Alibaba acted "brazenly," ignoring the warning despite being listed on the New York Stock Exchange with US operations and accountability to American investors.
Alibaba is fighting back on two fronts. Before the Department of Defense, the company filed a lawsuit challenging its inclusion on a list of Chinese military-affiliated companies, arguing that "none of its board members has any military affiliation" and that it operates in retail and logistics, not defense. Meanwhile, Alibaba's shares dropped 3% after Anthropic's accusations became public — suggesting markets are taking the claims seriously.
China without Mythos — and a growing capability gap
A key element of the story is the real state of Chinese AI capabilities in cybersecurity. The answer provided publicly by Zhou Hongyi, founder of 360 Security Technology, is unprecedented: at a Beijing security conference, he called Mythos 5 a "cyber nuclear weapon" and admitted that Chinese companies are "well short of Mythos-level capabilities." He also warned that the US can scan Chinese system vulnerabilities using Mythos while China has no access to it — creating an offensive asymmetry.
This public admission by a prominent Chinese security expert that the US holds a technological edge in offensive AI is rare. Alibaba's Qwen model family has been downloaded over 700 million times and leads China's AI hierarchy — yet the company does not have a model approaching Mythos-level capabilities.
Three proposals for Congress
Anthropic proposed three categories of legislative action. The first involves updating antitrust law, which currently prevents AI companies from sharing information about attack methods and defenses — weakening collective sector resilience.
The second proposal calls for tightening chip export controls to deny Chinese labs the hardware needed to train on extracted data. Anthropic suggests that without advanced compute, distillation attacks become pointless — there is nowhere to retrain the stolen capabilities.
The third proposal involves sanctions on Chinese AI labs — specifically restricting access to US models, advanced chips, and requiring that Chinese data centers operate only within China. The goal is to raise the cost of such attacks to the point of being economically unviable.
Why it matters
The Alibaba vs. Anthropic case opens a new dimension of AI geopolitics that goes beyond ordinary market competition. A distillation attack on Claude is not piracy in the conventional sense — it is a systematic intelligence operation aimed at capturing the technological lead that the US has built through frontier models.
For the AI industry, the critical signal is that Anthropic is publishing detailed technical data on the attack's scale — thereby building a regulatory case that other labs (OpenAI, Google) have so far avoided. If Congress acts, this could mean a fundamental shift in how frontier model APIs are accessed — with identity verification, enhanced detection, and sanctions against users from hostile jurisdictions.
What's next?
- The US Congress is to consider Anthropic's proposals — a Senate committee hearing on "AI and the American Dream" was held on June 11, 2026
- Alibaba is legally challenging its designation on the Chinese military-affiliated companies list (lawsuit against DoD filed June 2026)
- The Trump administration is expected to complete its 30-day AI model review by the end of June — the outcome will define long-term access rules for frontier models
Sources
Ars Technica — Anthropic says Alibaba must be punished for largest Claude cloning attack
Anthropic — Letter to the US Senate (June 10, 2026, disclosed by Ars Technica)
Reuters — Alibaba sues US Department of Defense
South China Morning Post — China's cybersecurity industry needs its own Mythos model
