Anthropic just dropped a bombshell: operators linked to Alibaba’s ecosystem allegedly ran a massive, coordinated campaign to siphon capabilities from Claude’s AI models. The attack wasn’t subtle. It involved tens of thousands of fake accounts and millions of interactions designed to extract Claude’s software engineering and reasoning prowess.

The scale of the operation

According to Anthropic’s findings, three Chinese laboratories conducted these attacks: DeepSeek, Moonshot AI (which is backed by Alibaba), and MiniMax. Together, they created over 24,000 fake accounts and generated more than 16 million interactions with Claude’s models.

Moonshot AI was the most aggressive of the three. The Alibaba-backed lab alone accounted for over 3.4 million exchanges, all focused on extracting Claude’s capabilities in agentic reasoning, coding, and computer-vision tasks. That’s roughly 20% of the total interaction volume from a single operator.

Anthropic has since banned all accounts involved in the distillation activities. The company also noted that it does not offer commercial access to Claude in China, which means every one of those 24,000 accounts was created in violation of Anthropic’s terms of service from the start.

A pattern, not an isolated incident

This isn’t the first time Anthropic has flagged Chinese actors exploiting its AI systems. Back in November 2025, Anthropic reported a separate case involving a Chinese state-sponsored group that used its Claude Code tool for outright cyber espionage.

That earlier operation targeted nearly 30 different entities. The attackers used Claude Code to perform reconnaissance, write exploit code, and harvest credentials, with remarkably little human involvement. The human operators reportedly made only 4 to 6 critical decisions per campaign, letting the AI handle the rest autonomously.

The February 2026 distillation attacks represent a different kind of threat. The November case was about using Claude as a tool for espionage. The February case was about stealing Claude itself, or at least its capabilities. Both are violations, but they represent fundamentally different threat vectors that Anthropic now has to defend against simultaneously.

What this means for the AI industry and investors

For Anthropic specifically, the attacks validate the company’s investment in security and monitoring infrastructure. You don’t catch 24,000 fake accounts and 16 million suspicious interactions without serious detection capabilities.

For investors watching the AI space, this incident highlights a few dynamics worth tracking. First, expect increased spending on AI security across the sector. Detecting and preventing distillation attacks at scale requires sophisticated monitoring systems, and every major AI lab will be reviewing its defenses after Anthropic’s disclosure.

Second, regulatory pressure is almost certainly coming. When a foreign adversary’s linked entities create tens of thousands of fake accounts to steal AI capabilities, lawmakers notice.