28.8 Million Conversations, 25,000 Fake Accounts
There is a particular kind of theft that leaves no broken lock. Nobody exfiltrates a database. No credentials are stolen. No malware is planted. Instead, an attacker simply uses the product — millions of times, at industrial scale, through accounts that look ordinary — and walks away with the one thing the vendor spent billions to build: the model’s reasoning itself.
That is the accusation Anthropic has now put in front of Washington. In a June 10, 2026 letter to the Senate Banking Committee — addressed to Chairman Tim Scott and Ranking Member Elizabeth Warren, and reported in detail by CNBC and Tom’s Hardware on June 24 — Anthropic alleged that operators affiliated with Alibaba and its Qwen AI lab ran 28.8 million exchanges with Anthropic’s models through roughly 25,000 fraudulent accounts between April 22 and June 5, 2026. The company described it as the largest model-distillation campaign it has ever publicly disclosed, and it said the effort was aimed squarely at the capabilities embodied in its Mythos Preview frontier model: software engineering, agentic reasoning, and cybersecurity.
For compliance and governance professionals, the significance is not the corporate rivalry. It is that “intellectual property protection” for AI has quietly become a national-security matter, prosecuted not in a courtroom but through a letter to the Senate — and that the target was the very model the U.S. government would force offline only weeks later.
What “Adversarial Distillation” Actually Is
Distillation is a legitimate and well-understood technique in machine learning. In its ordinary form, a developer trains a smaller “student” model to imitate the outputs of a larger, more capable “teacher” model. Done with your own models, it is a standard way to compress capability into something cheaper to run.
The version Anthropic alleges is different in one crucial respect: the teacher belongs to someone else. In adversarial distillation, an outside party repeatedly prompts a competitor’s advanced model, harvests its responses, and uses those responses as training data for its own system. The reasoning patterns, the structure of the answers, the hard-won behavior that the original lab paid for in research and compute — all of it can be approximated by a rival who never did the underlying work. It is, in effect, a way to buy a frontier model’s education at the price of an API subscription, while bypassing the millions of dollars of primary R&D that produced it.
The mechanics Anthropic describes are what turn this from an abstract risk into an alleged operation:
- Scale: 28.8 million conversations is not casual experimentation. It is a deliberate, sustained harvesting program.
- Evasion: roughly 25,000 fraudulent accounts were allegedly used to spread the activity thinly enough to avoid tripping abuse detection — the same fake-account tradecraft that plagues every consumer platform, repurposed for IP extraction.
- Targeting: the campaign was not a broad scrape. Anthropic says it concentrated on software engineering, agentic reasoning, and offensive-security capabilities — precisely the high-value, dual-use skills that make a frontier model strategically important.
This is not the first time Anthropic has raised the alarm. The company has said that earlier in 2026 it identified three additional “industrial-scale” distillation campaigns attributed to other AI labs — DeepSeek, Moonshot, and MiniMax. The Alibaba allegation is the largest in a pattern the company is now describing as systematic.
Why It Lands on Mythos
Readers of this site will recognize the name. Mythos is the model at the center of the most consequential AI-governance event of the year. On June 9, 2026, Anthropic released Fable 5 publicly and Mythos 5 to a narrow set of partners; by June 12, both had been switched off worldwide after the Commerce Department invoked export-control authority and the deemed-export rule against them. We covered that episode in When Washington Switched Off an AI Model and the continuity fallout in The Government Off-Switch.
Put the two events side by side and a coherent — and uncomfortable — picture emerges. The capabilities the U.S. government deemed too dangerous to leave broadly accessible are the same capabilities a foreign competitor was allegedly working around the clock to extract. The distillation window Anthropic describes (April 22–June 5) ran right up to the eve of the Mythos release and its near-immediate shutdown. Whether or not one accepts every detail of Anthropic’s account, the convergence is the point: a frontier model’s most valuable skills are simultaneously a national-security liability the government wants to contain and an intellectual-property asset foreign rivals want to copy. Both pressures bear down on the same artifact at the same time.
The Compliance and Governance Takeaways
Most organizations are not frontier-model developers and will never send a letter to the Senate. But the Alibaba allegation surfaces risks that reach much further down the stack than the labs themselves.
1. Terms-of-service and acceptable-use enforcement is now an IP control
If model capability can be siphoned through ordinary API use, then a provider’s terms of service — the clauses prohibiting use of outputs to train competing models, the anti-circumvention provisions, the fraud-and-abuse rules — are not boilerplate. They are the front line of IP protection. Any organization that builds or fine-tunes on top of others’ models should understand exactly what its provider’s terms permit and prohibit regarding output reuse, and should make sure its own products are not inadvertently offering a distillation surface to third parties.
2. Fake-account and abuse detection is an IP problem, not just a trust-and-safety problem
The alleged tradecraft — 25,000 fraudulent accounts spreading activity to stay under detection thresholds — is the same pattern security teams already fight in credential-stuffing and bot abuse. The lesson is that anti-fraud, identity verification, and anomaly detection now protect the value of the model itself, not just account integrity. If you operate any AI-powered service, assume that systematic, distributed, low-and-slow querying may be an extraction attempt and instrument for it.
3. Model IP is being adjudicated through national-security channels, not just civil litigation
Anthropic did not (only) sue. It wrote to Congress. That choice signals where this category of dispute is heading: toward export controls, foreign-adversary frameworks, and legislative pressure rather than ordinary trade-secret litigation. For compliance teams, that means model-IP exposure can translate into regulatory and geopolitical consequences — sanctions designations, export restrictions, procurement bans — that move faster and hit harder than a lawsuit. The same export-control machinery that switched off Mythos is the machinery now being invoked over its alleged theft.
4. The open-weights asymmetry is becoming strategic
Here is the bind the episode exposes. The United States is moving to restrict access to its most capable models — Mythos was forced offline, and frontier releases are trending toward vetted-partner-only distribution. Meanwhile, Chinese labs continue to publish highly capable open-weight models for anyone to download, and the gap between those open models and the locked-down Western frontier is narrowing. If distillation accelerates that catch-up, the practical result is a world where the most capable freely available models are the ones the U.S. cannot control at all — and the ones it can control are increasingly off-limits even to legitimate domestic users. Organizations planning multi-year AI strategies need to factor in that the availability map of frontier capability is being redrawn by IP and export pressure simultaneously.
5. Your provider’s IP fights are now a continuity variable
If a provider escalates a distillation dispute into the national-security arena, the downstream effects — tightened access, new verification requirements, partner-only gating, or government-compelled restrictions — can reach the enterprises that depend on that provider. As with the Mythos shutoff, the disruption may originate entirely outside your contract. Treat “provider is embroiled in a model-IP or export-control dispute” as a named scenario in vendor-risk and continuity planning, and keep a tested fallback for anything business-critical.
What to Do Now
- Read your providers’ terms on output reuse, anti-distillation, and anti-circumvention, and confirm your own use complies and your own products do not expose a distillation surface.
- Instrument for extraction patterns — distributed accounts, high-volume targeted querying of your most capable features, and low-and-slow harvesting — as an IP-protection control, not just abuse prevention.
- Track the geopolitics, not just the product roadmap. Model-IP disputes are now resolved through export controls and legislative pressure; those outcomes can change what models you may use and who may use them.
- Plan for the open-weights asymmetry. Where appropriate, evaluate whether controllable open-weight models are part of your resilience strategy, while accounting for the provenance and security questions they raise.
- Add model-IP and export-control disputes to vendor-risk scenarios, with notification expectations and fallback paths, the same way you would model a provider outage.
Conclusion
The Alibaba distillation allegation is a milestone in how the world treats the value locked inside an AI model. The theft Anthropic describes left no broken lock because, if true, it did not need one — the product was the vector, ordinary usage was the method, and the prize was the model’s mind. That it targeted Mythos, the same model Washington forced dark weeks later, underscores how thoroughly frontier capability has become contested terrain: too dangerous to leave open, too valuable to leave unguarded, and increasingly fought over through the instruments of national security rather than the rules of commerce.
For everyone building on top of these systems, the message is not to panic but to widen the aperture. Model availability, model IP, and model geopolitics are now the same problem, and the events of June 2026 — the shutoff and the distillation allegation — are two views of it. The organizations that prepare for both will be the ones still standing when the availability map is redrawn again.
This article is provided for informational purposes only and does not constitute legal advice.



