Anthropic has leveled an accusation that sounds like a wake-up call for the entire industry: Chinese company Alibaba allegedly carried out a systematic campaign to distill its Claude model, creating 25,000 fake accounts and totaling 28.8 million exchanges in just three months, from April to June 2026. The numbers paint a picture of a planned, almost industrial-scale operation.
The accusation: a large-scale distillation campaign
According to disclosed details, the activity exploited access to the Claude API, the large language model developed by Anthropic. The fake accounts supposedly circumvented usage limits to send a massive volume of requests, aiming to collect enough prompt-completion pairs to train a “student” model. The technique, known as distillation, does not copy the original model’s weights directly, but extracts its functional behavior, transferring knowledge to a new system.
LLM distillation: how to extract a model from the “black box”
In the LLM world, distillation is a legitimate practice when used to compress large models into more efficient versions for inference on limited hardware. However, conducted without authorization, it becomes theft of intellectual property. In this specific case, the absence of direct control over the distribution infrastructure made such a wide-reaching attack possible. Any organization that exposes a model through a cloud API is by definition exposed to this risk, because the model does not sit behind its own firewall.
Cloud API vulnerabilities and what’s at stake for businesses
The episode lays bare a structural fragility of cloud-based services: dependence on an external provider and trust in its fraud detection systems. Rate limiting, strong authentication, and identity verification are essential tools, but an actor with enough resources and patience can bypass them, for instance by spreading requests across many accounts so that each one stays within its own limit. For a company that builds its competitive advantage on proprietary models, losing training secrets to a swarm of fake accounts is a nightmare scenario. Not to mention the geopolitical implications: the transfer of advanced AI capabilities to entities under different regulatory regimes raises questions of sovereignty and national security.
The on-premise path: locking models behind your own perimeter
Those who choose to keep models in a self-hosted environment gain near-absolute control over access. In an on-premise deployment, the inference service can be exposed only within the corporate network or through tightly regulated channels, making it impossible for external actors to send mass requests without authorization. AI-RADAR regularly analyzes the trade-offs between the cost of managing local infrastructures and the protection these models offer. Anthropic’s accusation reinforces the importance of carefully evaluating deployment context: not all organizations can afford a private datacenter, but for those operating in regulated sectors or with strategic assets, the choice of self-hosting becomes a pillar of the AI strategy.
Beyond the case: what changes for the AI industry
Beyond the specific incident, the accusation signals growing aggressiveness in the race to accumulate model capabilities. If confirmed, it will push API providers to invest in more sophisticated countermeasures, such as behavioral account detection and analysis of request patterns. On the regulatory front, it may accelerate the introduction of stricter rules on the export of AI services. For the enterprise user, the lesson is clear: protection of AI know-how also comes from architectural decisions, not just legal ones.
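The two countermeasures named above, behavioral account detection and analysis of request patterns, are easier to reason about with a concrete detector in hand. The following is an added illustration written for this article; it is not Anthropic's or any provider's actual abuse-detection code. It assumes a simplified request log with four fields (timestamp, account id, a "client fingerprint" derived from signup or client metadata, and a hash of the prompt's structural template); the log contents, field names and thresholds are all constructed for the example. The detector looks for the two signatures that a rate-limit-splitting campaign leaves behind: many accounts that each sit just under the per-account cap, and groups of accounts that share a fingerprint, collectively exceed what one account could send, and draw prompts from the same small template pool.

```python
"""
Detect coordinated, multi-account API scraping of the kind described above.

Constructed example: the request log, field names ("fingerprint", "template")
and thresholds below are assumptions for illustration, not any provider's
real telemetry or detection rules.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ts: int            # epoch seconds
    account: str       # API account id
    fingerprint: str   # assumed: hash of client/signup metadata shared by related accounts
    template: str      # assumed: hash of the prompt's structural template


def parse_log(lines):
    """Parse 'ts,account,fingerprint,template' lines; skip blank and comment lines."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, fp, tpl = line.split(",")
        out.append(Request(int(ts), account, fp, tpl))
    return out


def limit_hugging_accounts(requests, per_account_limit, low_fraction=0.8):
    """Accounts whose volume sits just under the per-account cap (>= 80% of it by default).
    One such account is normal; dozens at once is the signature of limit splitting."""
    counts = defaultdict(int)
    for r in requests:
        counts[r.account] += 1
    lo = low_fraction * per_account_limit
    return sorted(a for a, n in counts.items() if lo <= n <= per_account_limit)


def mean_pairwise_jaccard(sets):
    """Average Jaccard similarity over all pairs of template sets (0.0 if fewer than two)."""
    pairs = [(a, b) for i, a in enumerate(sets) for b in sets[i + 1:]]
    if not pairs:
        return 0.0
    return sum(len(a & b) / len(a | b) for a, b in pairs) / len(pairs)


def coordinated_clusters(requests, per_account_limit, min_accounts=2, min_overlap=0.6):
    """Groups of accounts sharing a fingerprint whose aggregate volume exceeds the
    per-account cap AND whose prompt templates overlap heavily. Either signal alone
    is benign (an office NAT, a busy single user); together they look like a campaign."""
    by_fp = defaultdict(lambda: defaultdict(set))   # fingerprint -> account -> template set
    totals = defaultdict(int)                        # fingerprint -> total requests
    for r in requests:
        by_fp[r.fingerprint][r.account].add(r.template)
        totals[r.fingerprint] += 1
    flagged = []
    for fp, accounts in by_fp.items():
        if len(accounts) < min_accounts:
            continue
        overlap = mean_pairwise_jaccard(list(accounts.values()))
        if overlap >= min_overlap and totals[fp] > per_account_limit:
            flagged.append({
                "fingerprint": fp,
                "accounts": sorted(accounts),
                "requests": totals[fp],
                "template_overlap": round(overlap, 2),
            })
    return flagged


def detect(lines, per_account_limit):
    """Run both detectors over a log covering a single rate-limit window."""
    requests = parse_log(lines)
    return {
        "clusters": coordinated_clusters(requests, per_account_limit),
        "limit_hugging": limit_hugging_accounts(requests, per_account_limit),
    }


def synthetic_log():
    """Constructed sample covering roughly one minute with an assumed cap of 10 requests/min."""
    lines = ["# ts,account,fingerprint,template   (constructed sample data)"]
    # Four accounts behind one fingerprint, each just under the cap, sharing a 3-template pool.
    for i in range(4):
        for j in range(9):
            lines.append(f"{1000 + j * 6 + i},acct-0{i + 1},fp-A,tpl-{j % 3}")
    # One ordinary account: moderate volume, its own templates.
    for j in range(5):
        lines.append(f"{1000 + j * 11},acct-99,fp-B,tpl-{7 + (j % 2)}")
    # Two unrelated users behind a shared office NAT: same fingerprint, disjoint templates.
    for j in range(6):
        lines.append(f"{1000 + j * 9},acct-20,fp-C,tpl-2{j}")
        lines.append(f"{1001 + j * 9},acct-21,fp-C,tpl-3{j}")
    return lines


if __name__ == "__main__":
    print(detect(synthetic_log(), per_account_limit=10))
```

Running the block on the constructed log flags only the fp-A group: four accounts, 36 requests against a cap of 10, template overlap 1.0. The fp-C pair also exceeds the cap in aggregate but its template sets are disjoint, so it is not reported, which is the point of requiring both signals before acting on a cluster. In production the fingerprint would be whatever signup and client attributes the provider can correlate, and the template hash would come from a normalisation step that strips user-specific content from prompts.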