Anthropic’s accusation is not just another exchange of barbs between AI giants: it is a signal that the fight for control over LLMs is now being fought on the front of unauthorized distillation. According to the American company, Alibaba orchestrated the largest such attack ever recorded against Claude, its flagship model.
The accusation and the method
Anthropic has not released full technical details, but the core of the accusation is clear: someone – allegedly linked to Alibaba – queried Claude on a massive scale to extract its capabilities, using the responses to train a competing model. The technique, distillation, has been studied in academic circles for years: a ‘student’ model learns from the behavior of a ‘teacher’ without direct access to its weights or original training data. When done without authorization, it effectively turns a service’s API into a free resource for cloning someone else’s intellectual property.
What it means for those managing models in-house
For organizations evaluating on-premise or self-hosted LLM deployments, the episode highlights a risk that is often underestimated: protecting the model itself, not just the data. Even a local instance exposed via API can become a target for distillation unless rate limiting, response watermarking, or anomaly detection systems are put in place.
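To make the defensive side of this concrete, here is an added example (not Anthropic's code, nor anything from the article) of how a team running a self-hosted LLM API might combine two of the controls just mentioned: a per-key rate limit and a simple anomaly score that looks for the signature of scripted harvesting (many distinct prompts, sustained volume, large output). The record layout, the API-key names, the sample traffic and every threshold are constructed assumptions for illustration; a real deployment would tune them against its own baseline.

```python
"""Added example, not from the article or any vendor: a small offline detector
for distillation-style extraction against a self-hosted LLM API.

It scans constructed API access records per API key and combines a sliding
window rate limit with an anomaly score based on query volume and prompt
diversity. Record format and thresholds are assumptions for illustration."""

from collections import defaultdict
from dataclasses import dataclass
import hashlib


@dataclass
class Request:
    ts: float          # seconds since start of the analysed window
    api_key: str
    prompt: str
    out_tokens: int    # tokens returned by the model


WINDOW_SECONDS = 60
RATE_LIMIT = 100            # assumed max requests per key per sliding window
MIN_SAMPLE = 20             # do not score keys with fewer requests
DIVERSITY_THRESHOLD = 0.9   # assumed unique-prompt ratio typical of harvesting
TOKEN_THRESHOLD = 50_000    # assumed output-token volume worth flagging


def rate_limit_violations(requests):
    """Return the set of api_keys that exceed RATE_LIMIT in any sliding window."""
    by_key = defaultdict(list)
    for r in requests:
        by_key[r.api_key].append(r.ts)
    violators = set()
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # shrink the window from the left until it spans <= WINDOW_SECONDS
            while stamps[end] - stamps[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 > RATE_LIMIT:
                violators.add(key)
                break
    return violators


def prompt_fingerprint(prompt):
    """Normalise whitespace and case so trivially re-worded prompts collapse.
    This is a coarse signal only; it is not robust to deliberate paraphrasing."""
    return hashlib.sha256(" ".join(prompt.lower().split()).encode()).hexdigest()


def analyze(requests):
    """Per-key report combining the rate-limit and diversity/volume signals.
    Volume figures are totals over the analysed batch, not per window."""
    violators = rate_limit_violations(requests)
    by_key = defaultdict(list)
    for r in requests:
        by_key[r.api_key].append(r)
    report = {}
    for key, reqs in by_key.items():
        fingerprints = {prompt_fingerprint(r.prompt) for r in reqs}
        unique_ratio = len(fingerprints) / len(reqs)
        out_tokens = sum(r.out_tokens for r in reqs)
        diversity_hit = (len(reqs) >= MIN_SAMPLE
                         and unique_ratio >= DIVERSITY_THRESHOLD
                         and out_tokens >= TOKEN_THRESHOLD)
        report[key] = {
            "requests": len(reqs),
            "unique_ratio": round(unique_ratio, 3),
            "out_tokens": out_tokens,
            "rate_limited": key in violators,
            "flagged": key in violators or diversity_hit,
        }
    return report


def build_sample():
    """Constructed traffic: one ordinary internal client, one harvesting pattern."""
    reqs = []
    # Internal app: 30 requests cycling through a handful of template prompts.
    templates = ["Summarize ticket {}", "Classify sentiment of: {}"]
    for i in range(30):
        reqs.append(Request(ts=i * 2.0, api_key="svc-internal",
                            prompt=templates[i % 2].format(i % 5), out_tokens=120))
    # Harvesting pattern: 150 distinct prompts with long outputs inside one minute.
    for i in range(150):
        reqs.append(Request(ts=i * 0.4, api_key="harvester",
                            prompt=f"Explain concept number {i} in detail",
                            out_tokens=400))
    return reqs


if __name__ == "__main__":
    for key, row in analyze(build_sample()).items():
        print(key, row)
```

The two signals are deliberately independent: a harvester that stays under the rate limit by spreading requests over time still shows up through the unique-prompt ratio and token volume, while a bursty but repetitive internal service trips neither. In production the report would feed an alerting pipeline and the thresholds would come from observed per-tenant baselines rather than the constants above.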
The line between legitimate training and capability theft is thin. A company fine-tuning an LLM for internal use could inadvertently find itself facing legal challenges if it employs non-transparent distillation techniques. The Anthropic-Alibaba case shows that the debate is no longer theoretical and that the consequences can be geopolitical.
Technology sovereignty and new barriers
US-China tensions add another layer. Access to Western models is already constrained by hardware and software export controls. Incidents like this could accelerate the introduction of stricter defense mechanisms – such as query inspection, multi-factor authentication for APIs, and geographic restrictions on inference – redefining the concept of data sovereignty to include the model itself.
From an operational standpoint, those managing LLMs in-house will have to evaluate concrete trade-offs: balancing the openness needed to serve internal applications with the closedness required to prevent capability leaks. On AI-RADAR, those dealing with these choices can find analytical frameworks that help weigh costs, risks, and architectures, without imposing ready-made solutions.
A game just getting started
The case remains controversial and investigations are ongoing, but it marks a turning point. Until now, AI security focused on prompt injection and adversarial examples; today, unauthorized distillation is entering the CISO’s agenda. The question is no longer whether models can be copied, but how quickly their developers can field effective defenses, while enterprises reassess what it actually means to own and protect an LLM.