AI distillation attack row splits Alibaba and Anthropic apart

An AI distillation attack accusation has fractured one of the most closely watched rivalries in global tech, with Chinese giant Alibaba banning its staff from using Anthropic’s Claude Code and ordering them onto its own in-house platform instead. The fallout matters far beyond Silicon Valley and Hangzhou, Pakistani software houses, freelancers, and IT firms that rely on both US and Chinese AI tools are now watching a supply chain they depend on get pulled in two opposite directions.

What happened between Alibaba and Anthropic?

The move is the latest escalation in a feud that ignited last month, when Anthropic accused operators linked to Alibaba’s Qwen AI lab of running the largest known model distillation attack against Claude. In June, Anthropic sent a letter to the U.S. Senate Committee on Banking, Housing, and Urban Affairs, accusing Alibaba of launching “the largest known distillation attack” on its systems.

On June 10, Anthropic sent a letter to leaders of the U.S. Senate Banking Committee accusing operators affiliated with Alibaba’s Qwen lab of using nearly 25,000 fraudulent accounts to generate 28.8 million ex[traction queries]. Anthropic said that distillation effort targeted capabilities including agentic reasoning, software engineering proficiency, and long-horizon task completion.

China’s Alibaba will ban employees from using Anthropic’s programming tool Claude Code, starting on July 10. Employees have reportedly been instructed to adopt Qoder, Alibaba’s in-house AI coding platform, as the replacement, and according to reports from Chinese outlets citing company insiders, the directive reportedly goes further than Claude Code itself, as staff have allegedly been told to uninstall all Anthropic products, including the Sonnet, Opus, and Fable model families.

The hidden code that made things worse

The ban was lit by a second fire that broke out at the same time. The trigger for the ban was a June 30 post on the r/ClaudeAI subreddit by a user who claimed to have reverse-engineered Claude Code while restoring a disabled remote-control feature. According to the write-up, obfuscated detection logic had shipped silently since version 2.1.91, released on April 2, with no mention in the release notes.

Security researchers shared findings on Reddit and GitHub, revealing that a version of Claude Code had been built to examine users’ local environments, things like timezone settings and proxy configurations, and quietly embed identifying markers in the data transmitted to Anthropic. Anthropic’s Thariq Shihipar said in a post on X that this was “an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation.”

According to a July 3 South China Morning Post report, the Chinese tech giant said Claude Code had been “added to a list of high-risk software with security vulnerabilities” following a comprehensive evaluation, citing what it described as back-door risks. Alibaba has not publicly responded to Anthropic’s distillation accusations.

What is an AI distillation attack and why does it matter?

The phrase sounds technical, but the idea is simple. A large, capable model (the ‘teacher’) answers a huge set of questions, and a smaller model (the ‘student’) learns to imitate those answers until it can do the same job for less money. Done with permission and on data you are allowed to use, this is one of the smartest ways to ship an efficient AI product. A model distillation attack takes that same idea and removes the permission.

LLM distillation attacks are best understood as unauthorized model extraction campaigns: an actor uses legitimate-looking black-box access, through APIs, apps, resellers, or proxies, to collect high-value supervision signals such as answers, reasoning traces, tool-use trajectories, and coding outputs, then transfers those capabilities into a downstream model through distillation or related imitation learning. In plain words, the attacker pays normal API fees but fires millions of carefully crafted questions at the model, records every answer, and trains a cheaper copycat with the results.

What distinguishes a distillation attack from someone just using an AI tool is the intent and scale. An individual using ChatGPT for work is a user. An organization systematically generating millions of queries to harvest training data is an attacker. This is not a niche security problem, DeepSeek, Moonshot and MiniMax took the distillation method to an industrial scale, leveraging thousands of fraudulent accounts and proxy services to extract capabilities from Claude, according to Anthropic. You can read more about how DeepSeek has been building its own infrastructure to compete on the DeepSeek inference chip story we covered earlier.

Anthropic is also fighting legal battles on other fronts, we recently covered the Anthropic Pentagon lawsuit over AI ethics, which shows just how many pressure points the company is managing at once.

The US-China AI split is getting wider

Anthropic already maintains the industry’s hardest line on access to China, stating it is the only frontier AI firm that restricts service to Chinese-owned entities, even through subsidiaries incorporated abroad. The Financial Times reported that Anthropic is moving to close loopholes that have allowed Chinese companies to bypass restrictions and access Claude through third countries.

As AI companies in the United States tighten measures to prevent unauthorised access, resale and model distillation, Chinese cloud and AI firms are increasingly turning to domestic and open source models, including Alibaba’s Qwen, DeepSeek, Moonshot and Zhipu. The split is now firm enough that companies on both sides are being asked to choose a lane. Anthropic urged Washington to pursue stricter semiconductor export restrictions and impose penalties on AI developers caught running distillation operations.

On the Chinese side, Alibaba’s own Qwen model family has been growing fast. Qwen sees strong use among developers and firms that want cost control and data control, and reports show more than 90,000 enterprises use Qwen-based models on Alibaba Cloud. Meanwhile, Chinese models like Qwen are becoming options for companies as they offer an attractive combination of performance and cost for specific workloads, and businesses with more mature AI strategies are increasingly willing to use them where they make technical or commercial sense.

What this means for Pakistani developers and IT firms

Pakistan’s IT sector, which exports over $3 billion worth of services a year, runs on tools like Claude Code, the Anthropic API, and a growing stack of Chinese open-source models. This dispute creates friction at both ends.

First, access risk. Anthropic already prohibits Chinese companies, as well as foreign entities owned by those companies, from using its models, and has reportedly been working to close loopholes that allow Chinese users to access Claude. Pakistani firms that use Claude through a reseller or a regional cloud partner need to check that their access route is clean and compliant. Being caught in a crackdown aimed at Chinese proxies, even by accident, could cut off a critical coding tool overnight.

Second, a practical opportunity. Chinese models operate at often “a fraction of the cost” of US rivals while running “close to the top American frontier models,” estimated to be “six to nine months” behind top US rivals. For a Pakistani startup or freelancer watching their dollar-denominated API bills, open-source models like Qwen or DeepSeek, which can be self-hosted via Hugging Face, offer a real cost advantage. The key is understanding what you are using and why, rather than defaulting to whichever tool is cheapest on a given day.

Third, the trust question. Distillation attacks illustrate a broader shift in cybersecurity, from protecting data to protecting models themselves. As AI systems grow more capable, safeguarding them will require continuous innovation in defensive strategies. Companies must treat AI models as high-value assets deserving the same level of protection as critical infrastructure. Pakistani IT companies building their own AI products or fine-tuned models should take note: if you expose your model through a public API without rate limits or behavior monitoring, you face the same risk Anthropic does, just at a smaller scale.

The bigger picture is that the AI industry is splitting into two supply chains, one US-led, one China-led, and developers everywhere, including in Pakistan, will have to navigate both with more care than before. This is not a story about two foreign tech giants arguing. It is a story about the rules of the AI tools you use every day at work.

Frequently Asked Questions

What exactly is an AI distillation attack?

An AI distillation attack is when someone sends millions of queries to a commercial AI model through its public API, records the answers, and uses those answers to train a cheaper copycat model. No hacking is involved, the attacker just pretends to be a normal user at a massive, automated scale. The result is a rival model that mimics the original without paying for the research that built it.

Why did Alibaba ban Claude Code specifically?

Two things happened close together. Anthropic accused Alibaba’s Qwen lab of running the largest known distillation attack on Claude. Then developers found hidden code inside Claude Code that appeared to check whether users were in China by looking at timezone and proxy settings. Alibaba called this a security risk and classified Claude Code as high-risk software, directing staff to its own Qoder platform instead.

Does this affect Pakistani users of Claude?

Pakistani users are not directly banned. Anthropic’s restrictions target Chinese-owned companies and entities, not Pakistani individuals or firms. However, if a Pakistani developer routes their Claude traffic through a service that Anthropic flags as a proxy for Chinese access, their account could be caught in a broader crackdown. Using Anthropic’s own official API directly is the safest route.

What are the alternatives if Claude access becomes harder to get?

Open-source Chinese models like Alibaba’s Qwen and DeepSeek can be self-hosted, which removes the access-restriction risk entirely and lowers API costs. US alternatives include OpenAI’s GPT family and Google’s Gemini. The right choice depends on your use case, budget, and how sensitive your data is. For coding tasks, several benchmarks now show Qwen 3.7 Max performing very close to Claude at roughly half the price.

Exit mobile version