Anthropic closes loopholes to prevent Chinese access to Claude
A massive distillation attack tied to Alibaba's Qwen lab prompted Anthropic to tighten identity checks and call on Congress for stronger penalties
Anthropic is rolling out a stricter enforcement regime designed to stop Chinese entities from accessing its Claude models, whether through direct API abuse or the kind of elaborate workarounds that its existing rules technically didn’t cover.
The proximate cause is hard to ignore. According to a letter Anthropic sent to U.S. senators on June 10, 2026, operatives linked to Alibaba’s Qwen AI lab executed what the company described as the largest known distillation attack it has ever identified. Between April 22 and June 5, 2026, roughly 25,000 fraudulent accounts generated more than 28.8 million interactions with Claude. The goal: systematically extract Claude’s capabilities to train a competing model without paying for the research that produced them.
What a distillation attack actually is
Distillation means feeding a powerful model enormous volumes of questions and logging its answers, then using that data to train a cheaper model that mimics the original’s behavior.
In its June letter to senators, Anthropic called for two things: better information sharing between U.S. AI companies when distillation attacks are detected, and significantly harsher penalties for anyone caught running one.
The policy evolution
Anthropic’s September 2025 Terms of Service already prohibited commercial access to Claude by Chinese entities or by companies indirectly controlled by them. The new measures extend the restriction to majority-owned subsidiaries of restricted entities, closing the corporate structure loophole that let some users maintain plausible deniability.
In April 2026, Anthropic also began rolling out identity verification for flagged users, requiring government-issued IDs and live selfies before granting or restoring access.
By early July 2026, Anthropic had walked back at least some of its covert detection measures after users pushed back. The company hasn’t disclosed exactly which methods it rolled back.
Why this matters beyond Anthropic
Anthropic has not publicly accused Alibaba of directing the attack, only that the accounts were linked to operatives associated with the Qwen lab. That’s a meaningful distinction, and one that matters if this eventually becomes a legal or regulatory matter.
What investors and developers should watch
Anthropic’s letter to senators suggests the company is actively lobbying for a legal framework that would give U.S. AI labs stronger recourse when distillation attacks are detected.