Anthropic Alleges Alibaba Used Nearly 25,000 Fraudulent Accounts in Attempted Model Distillation

This article summarizes reported allegations. Build With Abdallah has not independently verified Anthropic's technical evidence.

Sources: Reuters | Financial Times | TechCrunch/Business Insider | Anthropic official update/status

Anthropic has alleged that Alibaba created and operated nearly 25,000 fraudulent accounts in an attempt to extract capabilities from its Claude AI models, according to Reuters and Financial Times. The claim, which has not yet been independently confirmed, describes one of the largest reported attempts at frontier-model capability extraction attributed to a major technology company.

What Anthropic is alleging

According to the reports, Anthropic believes Alibaba used close to 25,000 fraudulent accounts to interact with Claude, generating approximately 28.8 million interactions. The stated purpose, in Anthropic's view, was attempted model distillation — using a target model's outputs to train or fine-tune a separate model that mimics its behavior.

If accurate, the operation would likely have been designed to:

• Map Claude's reasoning patterns and refusal boundaries.
• Generate synthetic training data that reproduces Claude-style outputs.
• Identify guardrail responses that could be replicated or bypassed.
• Reduce the cost and time needed to build a competing conversational model.

It is important to emphasize that these are allegations. Alibaba has not publicly responded, and Anthropic has not yet released the full evidence it is relying on.

How mass-account extraction works

A 25,000-account operation is not casual experimentation. It is an industrial-scale data-collection effort. The typical pattern includes:

1. Account farming using synthetic identities, proxy infrastructure, or rotating account details to avoid detection.
2. Query distribution so no single account triggers rate limits or content-policy alerts.
3. Prompt engineering designed to elicit long, high-quality outputs across coding, reasoning, science, and safety-sensitive topics.
4. Dataset assembly where responses are cleaned, deduplicated, and used to fine-tune a local model.
5. Capability mapping to reproduce refusal behavior, tool-use patterns, and chain-of-thought formatting.

The result is rarely a perfect clone. But it can produce a model that imitates the target closely enough to save months of training time and significant compute budget.

Why this timing matters

The allegation arrives while Anthropic is already under intense scrutiny. On Friday, June 12, 2026, the U.S. Commerce Department sent Anthropic a letter invoking an export-control directive that forced the company to restrict access to its Fable 5 and Mythos 5 models for non-Americans, including Anthropic employees. Anthropic responded by pulling both models offline for all customers.

The government action was reportedly triggered by a security research paper describing a guardrail bypass in Fable 5. Cybersecurity researcher Katie Moussouris, who reviewed the paper at Anthropic's request, wrote that the bypass "should never have triggered an export control" because the behavior cannot be fixed without weakening the model for legitimate defensive use. Researchers and industry observers criticized the directive as hasty and misguided.

By Monday, June 15, Anthropic had reportedly restored access to the models after public pushback. TechCrunch reported that the episode raised concerns about the U.S. government using unilateral pressure against American AI labs.

The Alibaba allegation, if substantiated, would give Anthropic a separate security narrative: a well-resourced foreign actor allegedly attempting to extract its model capabilities at scale.

What this means for AI labs

For Anthropic and its peers, the reported allegation is a reminder that API access is a security surface. Every endpoint that returns model output is a potential exfiltration channel. Labs already deploy several defenses:

• Rate limiting and anomaly detection to spot coordinated query patterns.
• Output watermarking and fingerprinting to trace leaks back to specific accounts.
• Tiered access so frontier capabilities are only available to vetted enterprise customers.
• Identity verification and geofencing to restrict accounts from high-risk regions.

None of these controls are perfect. Determined actors with large budgets can work around most of them. The practical question is whether extracting outputs remains cheaper than training a model from scratch — and at current frontier-model prices, the answer is often yes.

The attribution question

Alibaba is one of China's largest cloud and AI companies. It develops its own large language models, including the Qwen family, and has clear commercial incentives to close the gap with Western frontier labs. If Anthropic's allegation is accurate, it would fit a broader pattern in which some reported cases have involved alleged unauthorized extraction of model capabilities.

However, attribution is complicated. A well-funded internal group could act without full corporate knowledge, or the accounts could be linked to Alibaba Cloud infrastructure without being directed by Alibaba's corporate leadership. Until Anthropic publishes technical indicators — account graphs, query signatures, IP patterns, and payment trails — the claim remains an allegation rather than a proven fact.

What to watch next

Three developments will determine how seriously to take this story:

1. Evidence release. If Anthropic publishes a technical report, the 25,000-account figure becomes verifiable. Without it, the claim stays speculative.
2. Official responses. Statements from Alibaba, the Chinese government, or U.S. officials would clarify whether this is treated as a corporate dispute or a diplomatic issue.
3. Industry countermeasures. Expect stronger know-your-customer checks, more aggressive bot detection, and possibly fingerprinting schemes that make extracted outputs easier to trace.

Source links

• Reuters — reported the Anthropic-Alibaba allegation (full article not accessed due to paywall).
• Financial Times — reported the Anthropic-Alibaba allegation (full article not accessed due to paywall).
• TechCrunch/Business Insider — covering the broader Fable 5 / Mythos 5 export-control episode:
  • "The US government's Anthropic models ban was never about an AI jailbreak" — https://techcrunch.com/2026/06/15/the-us-governments-anthropic-models-ban-was-never-about-an-ai-jailbreak/
  • "Anthropic's safety warnings may have just backfired" — https://techcrunch.com/2026/06/12/anthropics-safety-warnings-may-have-just-backfired-the-government-has-pulled-the-plug-on-its-most-powerful-ai/
• Anthropic official update/status — https://www.anthropic.com/news/fable-mythos-access
• Katie Moussouris, Luta Security analysis — https://www.lutasecurity.com/post/the-fable-5-export-controls-harm-us-cyber-defense
• Axios reporting on White House tensions — https://www.axios.com/2026/06/15/anthropic-white-house-fable-mythos
• Breaking social-media report on Alibaba account fraud — source image provided by reader.

Conclusion

The allegation that Alibaba operated nearly 25,000 fraudulent accounts to extract Claude capabilities is significant but unverified. What is confirmed is that Anthropic recently restricted access to Fable 5 and Mythos 5 after a U.S. government export-control directive, then later restored access. Together, the two stories illustrate how frontier AI models are caught between two forces: governments trying to control their release, and well-resourced competitors trying to replicate them. For builders, the lesson is that access control, attribution, and output monitoring are now as important as training compute.

Follow Build With Abdallah for more analysis on AI agents, frontier-model security, and the engineering behind production AI systems.