Anthropic’s accusation that Chinese AI giant Alibaba orchestrated a distillation attack to acquire Claude’s capabilities could spur enterprises to be more diligent about the information and data shared when using AI models like Claude, Gemini and GPT.
The AI lab sent a letter on June 12 to U.S. senators Tim Scott and Elizabeth Warren, claiming that Alibaba created 25,000 fake accounts to access Claude, as first reported by The Wall Street Journal. The Chinese vendor allegedly accessed some of the AI model’s capabilities, such as agentic reasoning, software engineering and long-horizon tasks. Anthropic also said that operators linked to Alibaba’s Qwen AI lab used the accounts to run nearly 30 million exchanges from April to June.
Alibaba did not immediately respond to a request for comment.
What Matters to Enterprises
Distillation — a form of AI model training in which a “student” model learns from a larger “teacher” model — is somewhat common. Anthropic rival OpenAI also claimed that Chinese AI vendor DeepSeek extracted data from its models. So, the main takeaway for enterprises should be how to ensure the information they provide to AI labs using the different models used is protected, according to said Kashyap Kompella, CEO and founder of RPA2AI Research.
“Beyond the Anthropic-Alibaba distillation allegation, enterprises should be more concerned about their own AI leakage risks,” Kompella said.
He added that public-facing AI applications can leak sensitive information about business logic, customer data, documents, prompts, embeddings and proprietary workflows. Moreover, distillation itself is not inherently bad and is used by enterprises, AI labs and researchers.
“Once a frontier model is exposed through an API, the attack surface is not only cybersecurity in the traditional sense,” Kompella said. “The model’s outputs themselves become a strategic asset that others may try to capture.”
For enterprises, the main concern should be about the teacher models they are using, the data that is generated and whether the outputs can be stored and used for training.
How it Affects Alibaba
While Anthropic said Alibaba’s alleged distillation is the largest known to date, the vendor is no stranger to alleged distillation attacks by Chinese vendors. In February, the AI lab accused DeepSeek and Chinese AI vendors Minimax and Moonshot AI of harvesting Claude coding, reasoning and alignment capabilities. However, the Anthropic said Alibaba’s alleged attack is the largest known to date.
Nevertheless, it is unlikely that Anthropic’s allegations will affect U.S. enterprises’ perceptions of Alibaba or other Chinese vendors. While geopolitical considerations mean that many enterprises are averse to using Chinese models, this new allegation is likely to reinforce preconceived notions. For enterprises in regulated industries such as finance or healthcare, the perception that doing business with a Chinese AI vendor is risky may persist.
“For those buyers, this may become another data point in their risk calculations,” Kompella said.
However, for other enterprises seeking to experiment with open-weight models such as Alibaba’s Qwen in a controlled environment, “the impact may be more limited,” he added. He said that it is likely those enterprises will still use new open-weight models from Alibaba if they are inexpensive to run and meet current performance requirements.
“In those cases, the procurement question is less about Alibaba’s reputation in the abstract and more about where the model will be deployed, what data will touch it, whether the model can be run locally, and what the organization’s risk tolerance is,” Kompella continued.
Moreover, while enterprises should be more aware of the models they are using, AI labs like Anthropic will also need to be better at their controls, such as account verification, anomaly detection, rate limiting, watermarking and usage pattern analysis, he added.
“We should expect more ID verification, more aggressive booting of users who violate terms, more enterprise-only access tiers for the most capable models, and more restrictions on high-volume API usage that looks like harvesting rather than ordinary application development,” Kompella said.
