Tension among AI giants has reached a new breaking point. Anthropic has formally accused Alibaba of orchestrating the largest distillation campaign ever recorded against Claude, its flagship LLM. In a letter sent to US senators and White House officials – seen by Bloomberg – the company describes the use of nearly 25,000 fraudulent accounts, traced to Alibaba’s Qwen lab, that between April and June systematically extracted the model’s capabilities. The news immediately sparked debate not only on the legal front but also around the architectural security of AI systems.

What distillation is – and why this case stands out

Distillation is not a new technique. In essence, it trains a “student” model on the outputs of a larger, more capable “teacher” model, compressing that knowledge into a lighter, faster network. By itself, it is a common practice used to build efficient models for edge devices or resource‑constrained environments. However, conducting distillation at scale without authorization, bypassing a cloud platform’s access controls, clearly violates terms of service and borders on intellectual property theft. Anthropic claims that operators linked to Qwen generated massive request volumes through fake accounts to obtain enough input‑output pairs to replicate Claude’s behavior. In size and method, the operation would mark a watershed compared to previous known attempts, such as those against OpenAI or Google models.

Cloud APIs under siege

The attack highlights an intrinsic weakness of models exposed solely via API: the access surface is large, and a determined adversary can simulate legitimate traffic despite detection systems. For enterprises evaluating how to distribute their LLMs, the incident becomes a concrete argument in favor of self‑hosted architectures. Running inference on‑premises, on dedicated hardware behind the corporate perimeter, drastically reduces the risk of unauthorized extraction of model capabilities. Of course, this choice brings non‑trivial computational cost and management complexity: adequate GPU VRAM, optimized serving pipelines, and skills to keep the system up to date are required. Yet the advantage in terms of control, data sovereignty, and IP protection can outweigh the initial investment, especially when the model itself is a strategic asset.

Sovereignty as a pillar of AI strategy

Anthropic’s letter is not just a complaint against a single competitor; it raises questions about cloud dependency and the fragility of an ecosystem where innovation travels mostly over public endpoints. Governments and enterprises that impose data residency requirements and GDPR compliance are eyeing on‑premises deployments with growing interest, not only for regulatory reasons but also to defend their AI investments. Unlawful distillation artificially shortens the development cycles of those who tap into others’ models, eroding the competitive edge of companies that have spent billions on research. For AI-RADAR, which closely follows the infrastructure decisions of LLM adopters, the episode confirms a trend: sovereignty is no longer an option but a pillar for anyone who considers AI a critical business lever.

A broader outlook

Beyond the specific case, the industry will likely need more robust protection tools: prompt watermarking, cryptographic output signatures, and consumption monitoring to spot suspicious patterns. On the enterprise user side, the episode could accelerate migration toward hybrid or fully private platforms, where granular access controls and network segmentation prevent large‑scale extraction. At stake is not just the defense of a single model but the sustainability of an API‑based business model itself. For those planning their AI strategy today, the message is clear: how an LLM is distributed is not a technical detail. It is a decision that directly affects security, total cost of ownership, and the ability to maintain a differential advantage over time.