← All blog posts 9-11 min readanthropic

How 25,000 Fake Accounts Drained Claude's Capabilities for 44 Days — and the Enterprise Detection Gap That Matters in 2026

What you'll learn
  • Understand what a distillation attack is and why authenticated API accounts are not the same as trusted traffic
  • Identify five population-level controls that can detect coordinated API extraction campaigns
  • Apply behavioral fingerprinting patterns to your own AI API monitoring stack

According to Anthropic's letter to the US Senate Banking Committee (dated June 10, 2026, reported publicly June 24), operators allegedly affiliated with Alibaba and Alibaba Qwen generated more than 28.8 million exchanges with Claude through approximately 25,000 fraudulent accounts between April 22 and June 5, 2026. Anthropic characterizes this as "the largest known distillation attack on Anthropic to date." For enterprise teams building on AI APIs, the most important number isn't 28.8 million. It's 44: the days the campaign ran before Anthropic disclosed it in the June 10 letter — five days after the operation ended. (CNBC, retrieved 2026-06-26) (Bloomberg, retrieved 2026-06-26)

Most coverage fixates on what Alibaba allegedly extracted. The harder, more instructive question — almost entirely absent from post-disclosure analysis — is why Anthropic's real-time defenses didn't stop the campaign sooner. The answer to that question contains the actual enterprise security lesson inside the Alibaba disclosure: per-account monitoring is structurally blind to coordinated distillation, and population-level behavioral fingerprinting is the only control that closes the gap.


What Anthropic's Letter Actually Alleges

Anthropic's head of policy, Sarah Heck, sent the letter on June 10 to Senators Tim Scott (R-SC, Banking Committee chair) and Elizabeth Warren (D-MA, ranking member) ahead of a scheduled hearing on AI. Bloomberg broke the story June 24; CNBC, Ars Technica, Business Insider, and Reuters followed within 24 hours. (itnews.com.au, retrieved 2026-06-26)

The letter alleges that operators affiliated with Alibaba and Alibaba Qwen conducted "the largest known distillation attack on Anthropic to date." Key figures, per Anthropic's claims:

  • 28.8 million exchanges with Claude via the API
  • ~25,000 fraudulent accounts used across the campaign
  • April 22 – June 5, 2026 campaign window
  • Capabilities targeted: agentic reasoning, software engineering, and long-horizon tasks — the model's most commercially valuable skills per The Next Web's reporting
  • Evasion method: "obfuscation techniques and proxy networks" (Ars Technica, retrieved 2026-06-26)

Alibaba did not respond to media requests for comment as of June 26. These are Anthropic's allegations, grounded in evidence not yet made fully public. All claims about Alibaba's behavior in this post should be read as Anthropic's characterization, not established fact.

Anthropic framed the economic case directly in the letter: these attacks "turn hundreds of billions of dollars in American investment and R&D into a massive subsidy for our geopolitical competitors." According to Anthropic's letter, as reported by Business Insider, the Alibaba campaign targeted specifically the capabilities approaching those of Claude's most advanced model — described as capable of detecting software vulnerabilities and outperforming humans on cybersecurity benchmarks. (Business Insider, retrieved 2026-06-26)

This is the first time Anthropic has publicly named a major Chinese technology conglomerate as the source of a distillation attack, according to The Next Web. (The Next Web, retrieved 2026-06-26)


Distillation Is Not Hacking — That's What Makes It Structurally Hard to Catch

No servers were breached. No employees were bribed. Alibaba-linked operators, according to Anthropic's letter, registered fake API accounts, paid for access, and queried Claude systematically — capturing prompt inputs and model outputs. Those input-output pairs become training data for a competing model that learns to replicate Claude's reasoning behavior without incurring the underlying R&D cost.

The danger is compounded because distilled models carry capabilities without safety training. Anthropic's letter warns that "foreign labs that distill American models can then feed these unprotected capabilities into military, intelligence, and surveillance systems." The Alibaba campaign, according to Anthropic's account, was specifically oriented toward accelerating Qwen in software engineering and agentic reasoning — capabilities that could enable offensive cyber operations. (Digital Applied, retrieved 2026-06-26)

Here is the structural challenge that makes distillation uniquely hard to defend against: a distillation attacker looks identical to a legitimate API user at the account level. Real API keys. Real payments. Compliant request sizes. No malware, no injection, no obvious anomaly in any single request. The attack's signature only emerges at the population level — across accounts, across time windows, across infrastructure clusters.

Third-party analysis by Treblle put this precisely: "patterns invisible at the endpoint level become starkly visible at the user level." (Treblle, retrieved 2026-06-26) Standard API security tooling — rate limiters, WAFs, per-account quota enforcement — is blind to this class of attack by design. Per-account dashboards show you what each account did; they cannot show you that 47 accounts registered in the same 72-hour window are making statistically indistinguishable requests from overlapping infrastructure.


The February 2026 Wave: DeepSeek, Moonshot, MiniMax — and a Date Correction That Matters

The Alibaba campaign is the second major distillation wave Anthropic has disclosed publicly, and the dates are important for accurate attribution.

On February 23, 2026 — not April, as some early coverage implied — Anthropic published its blog post "Detecting and Preventing Distillation Attacks," disclosing a prior wave targeting three Chinese AI labs: DeepSeek, Moonshot AI, and MiniMax. Per Anthropic's blog:

  • MiniMax: more than 13 million exchanges
  • Moonshot AI: more than 3.4 million exchanges
  • DeepSeek: more than 150,000 exchanges
  • Total: ~16 million exchanges across approximately 24,000 fraudulent accounts (Infosecurity Magazine, retrieved 2026-06-26)

The February disclosure surfaced one operationally significant detail: Anthropic caught the MiniMax campaign while it was still active. The attackers pivoted within 24 hours when a new Claude version launched — a level of responsiveness that indicates organized, monitored extraction operations, not opportunistic scraping. (Anthropic, retrieved 2026-06-26)

The PAIP Act's first designations followed on February 24, 2026 — the day after Anthropic's blog post — establishing regulatory precedent for treating distillation as sanctionable. (IAPS, retrieved 2026-06-26) Trump's public condemnation of "industrial-scale AI theft" came in April — after the February disclosure, not concurrent with it. The Alibaba campaign (28.8M exchanges) exceeded the combined volume of all three February campaigns (16M+ total), representing a scale increase of roughly 80%.


How Anthropic's Detection Works — and Where It Fell Short Against Alibaba

Anthropic's February blog post described its detection methodology in unusual detail:

> "We have built several classifiers and behavioral fingerprinting systems designed to identify distillation attack patterns in API traffic. This includes detection of chain-of-thought elicitation used to construct reasoning training data. We have also built detection tools for identifying coordinated activity across large numbers of accounts." (Anthropic, retrieved 2026-06-26)

Detection signals include IP address correlation, request metadata analysis, infrastructure cluster identification (accounts sharing data center ASNs despite independent registration), and cross-industry threat intelligence from partner labs.

Against the February wave, this worked: Anthropic caught the MiniMax campaign in progress. Against Alibaba, the record shows a 44-day window between campaign start (April 22) and the letter's date (June 10), with the campaign ending June 5. The most parsimonious reading: the Alibaba campaign was detected forensically after the fact. The proxy networks and obfuscation techniques described in the letter likely defeated the infrastructure correlation signals that caught MiniMax, pushing detection into the behavioral layer — which requires retrospective population-level analysis rather than real-time alerting.

This is not a capability failure on Anthropic's part; it's a structural property of the detection problem. Behavioral fingerprinting at population scale requires sustained data collection and batch analysis. The audit trail that makes forensic reconstruction possible is also what enables retrospective detection — but only if it's complete, queryable, and retained long enough to span the campaign window. A 44-day campaign requires ≥44 days of complete per-account request logs with enough metadata to support cross-account cohort analysis.


Five Controls Enterprise AI API Operators Should Implement Now

The Alibaba disclosure, read alongside Anthropic's February detection methodology and Treblle's third-party analysis, produces a concrete enterprise control checklist. These apply to any organization operating AI APIs with multi-account access.

1. Population-level behavioral fingerprinting, not per-account dashboards

Per-account rate limits catch abusive individual accounts; they miss coordinated campaigns. The signal that reveals distillation is statistical similarity across accounts — request structure, token counts, timing distributions — not volume from any single source. Log every request across the full account population with sufficient metadata to support cohort queries.

2. Cross-account timing and infrastructure correlation

Flag account cohorts registered within the same 48-72 hour window that subsequently make statistically similar requests. Shared data center ASN or subnet membership across accounts that registered independently is a weak but compounding signal. Standard observability tooling can surface this if account-creation timestamps and request IP ranges are captured in the same log schema as API requests.

3. Chain-of-thought elicitation pattern detection

Prompts designed to extract chain-of-thought reasoning have distinct structural signatures: systematic requests for step-by-step reasoning, enumeration of intermediate steps, explicit elicitation of the model's reasoning process before a final answer. These patterns are statistically different from production query distributions and detectable with classifier models or rule-based heuristics applied to prompt text.

4. Full timestamped request/response audit trail for forensic reconstruction

The Alibaba campaign was detectable forensically because Anthropic maintained complete API traffic records. An audit trail retaining full request bodies, response bodies, and precise per-account timestamps for ≥90 days enables retrospective population-level analysis. This is the same principle underpinning our audit-trail-as-enterprise-gate stance: the enterprise deployment gate for AI systems is auditability, not capability. You cannot investigate what you did not log. For implementation patterns, see Use Claude with creative MCP connectors in production module on API observability.

5. Tightened access verification for high-risk account categories

Research accounts, educational accounts, and startup-tier accounts are disproportionately represented in known distillation campaigns — partly because they face fewer identity checks and partly because exploratory usage patterns provide plausible cover. Separate KYC workflows for these categories, including business entity verification and use-case attestation, reduce the fraudulent account surface. Claude Tool Use from Zero: From Basics to Production Connectors covers API access pattern monitoring that enterprise teams can apply to detect anomalous usage in early-stage account cohorts.


The Legislative Layer: What Anthropic Is Asking For

The June 10 letter was not just a disclosure — it included legislative asks timed to a scheduled Senate Banking Committee hearing on AI. Anthropic's requests:

  • Penalties for Chinese entities launching distillation attacks on US AI models
  • Antitrust safe harbor allowing US labs to share distillation threat intelligence (currently complicated by competition law)
  • Limits on China's access to advanced US computing infrastructure
  • Continued export controls on advanced AI chips

Congressional response was fast and bipartisan. Senators Bill Hagerty (R-TN) and Andy Kim (D-NJ) announced plans to amend defense legislation to blacklist and sanction firms improperly accessing US AI output. A parallel House bill was backed by Representatives Bill Huizenga (R-MI) and Sydney Kamlager-Dove (D-CA). (The Next Web, retrieved 2026-06-26)

IAPS argues the attacks meet conditions for PAIP Act sanctions: "extraction of model capabilities in aggregate via distillation attacks may meet the definition of a 'trade secret' in 18 U.S.C. § 1839." (IAPS, retrieved 2026-06-26) Whether that argument survives legal challenge will determine how the next distillation wave is prosecuted rather than merely disclosed.

The geopolitical timing sharpened the story's impact. In the 48 hours around June 24, Alibaba was simultaneously suing the US Department of Defense to be removed from the Pentagon's 1260H military blacklist and terminating its lobbying relationship with Greenberg Traurig. The clustering of three Washington-facing stories made contextualizing away the Bloomberg scoop substantially harder. (247 Wall St., retrieved 2026-06-25)


RunPromptCell: Detecting Cross-Account Request Similarity in API Logs

The following example demonstrates population-level behavioral fingerprinting against a simulated API log. In production, this query would run nightly against your API gateway database.

```python # Detect potential distillation campaigns via cross-account prompt similarity # Requires: pandas, scikit-learn # Input: api_logs.csv — columns: [account_id, created_at, prompt_text, timestamp]

import pandas as pd from sklearn.feature_extraction.text import TfidfVectorizer from sklearn.metrics.pairwise import cosine_similarity import numpy as np

df = pd.read_csv("api_logs.csv", parse_dates=["timestamp", "created_at"])

# Step 1: Identify accounts registered in the same 72-hour window df["registration_window"] = df["created_at"].dt.floor("72h") cohorts = df.groupby(["registration_window", "account_id"]).size().reset_index() cohort_sizes = cohorts.groupby("registration_window")["account_id"].nunique() suspicious_windows = cohort_sizes[cohort_sizes >= 10].index

# Step 2: Within each suspicious cohort, compute mean prompt similarity results = [] for window in suspicious_windows: accts = cohorts[cohorts["registration_window"] == window]["account_id"].tolist() per_account_prompts = df[df["account_id"].isin(accts)].groupby("account_id")["prompt_text"].apply(list) samples = [prompts[0] for prompts in per_account_prompts if prompts] if len(samples) < 2: continue vec = TfidfVectorizer(max_features=500, stop_words="english") tfidf = vec.fit_transform(samples) sim_matrix = cosine_similarity(tfidf) mean_sim = np.mean(sim_matrix[np.triu_indices_from(sim_matrix, k=1)]) results.append({ "window": window, "accounts": len(samples), "mean_prompt_similarity": round(mean_sim, 3) })

output = pd.DataFrame(results).sort_values("mean_prompt_similarity", ascending=False) print(output.head(10)) ```

Expected output for a distillation campaign in the log: `` registration_window accounts mean_prompt_similarity 2026-04-21 47 0.847 2026-04-18 23 0.791 2026-04-15 12 0.612 ``

A mean_prompt_similarity > 0.7 across 10+ accounts registered in the same window is a strong candidate signal for coordinated systematic querying. In production, route flagged cohorts to a human review queue rather than an automatic block — legitimate research cohorts (academic labs, hackathons) can produce similar co-registration patterns. This query belongs in a nightly scheduled job against your API gateway logs, not a real-time alert, because the signal requires population-level accumulation to stabilize.


KnowledgeCheck

According to Anthropic's own published detection methodology, which control would most directly detect a coordinated distillation campaign where each account individually looks like legitimate API usage?

A) Per-account rate limiting and quota enforcement B) Intrusion detection systems scanning request payloads for malware C) Population-level behavioral fingerprinting and cross-account timing correlation D) IP allowlisting against known customer domains

Correct answer: C. The Alibaba campaign used legitimate authenticated accounts with proxied infrastructure. Per-account controls (A) cannot see coordinated patterns across accounts. No malware was involved (B). IP allowlisting (D) addresses misconfiguration, not behavioral coordination. Anthropic's February 2026 blog explicitly describes cross-account correlation and behavioral fingerprinting as the mechanism that detected the MiniMax campaign in progress — the same class of control applicable to any coordinated distillation operation.


The Alibaba disclosure is a case study in what happens when per-account observability is treated as sufficient for AI API security at scale. Authenticated accounts are not the same as trusted traffic — a distinction that per-account dashboards structurally cannot surface, but a complete audit trail and population-level behavioral monitoring can. Building the logging infrastructure that enables this monitoring is not a future-proofing exercise; it's the prerequisite for any forensic reconstruction when the next wave arrives. For teams building production AI systems on top of APIs like Claude's, the Use Claude with creative MCP connectors in production module on API observability and audit architecture covers the logging patterns that make population-level detection achievable without purpose-built security infrastructure.

References

  1. www.cnbc.com
  2. arstechnica.com
  3. www.bloomberg.com
  4. www.businessinsider.com
  5. www.anthropic.com
  6. www.infosecurity-magazine.com
  7. thenextweb.com
  8. treblle.com
  9. www.iaps.ai
  10. 247wallst.com
  11. www.itnews.com.au
  12. www.digitalapplied.com
Next up
google 9-11 min read

Google's 2026 AI Brain Drain Is an Enterprise Signal, Not a Doom Story

Continue reading