Anthropic Caught Qwen Running 25,000 Fake Claude Accounts
Anthropic accused Alibaba's Qwen lab of running 25,000 fraudulent accounts that extracted 28.8 million Claude interactions in the largest AI distillation attack on record.

An engineer in Shanghai types a query. The request travels to a relay server in Singapore, then hits a Claude API endpoint in the United States under a name that doesn't resolve to any real company. The response arrives seconds later. Now imagine that exchange happening 28.8 million times over six weeks, all while Anthropic's fraud detection caught nothing - until it did.
On June 10, 2026, Anthropic sent a letter to Senate Banking Committee Chair Tim Scott and Ranking Member Elizabeth Warren accusing operatives linked to Alibaba's Qwen AI lab of running what the company called the largest distillation attack in its history.
TL;DR
- Qwen-linked operators ran 25,000 fake Claude accounts from April 22 to June 5, producing 28.8 million interactions
- Targeted Claude's software-engineering and agentic-reasoning capabilities - its most commercially valuable skills
- Bigger than the February incident involving DeepSeek, MiniMax, and Moonshot AI (16M exchanges, ~24K accounts)
- Ant Financial and ByteDance separately bypassing the ban via Singapore subsidiary and VPN reimbursements
- Senators Hagerty and Kim moving a defense bill amendment to sanction firms conducting such attacks
- Alibaba's U.S.-listed shares dropped more than 3% following the disclosure
The Distillation Attack
Distillation works like this: you query a powerful model thousands of times with carefully designed inputs, collect its responses, then train a cheaper model on those input-output pairs. Done at scale, the result is a model that approximates the original's performance without paying for the research that produced it.
Anthropic told the Senate that from April 22 to June 5, 2026, roughly 25,000 accounts linked to Qwen lab operators submitted queries that specifically probed Claude's code-generation and agentic-reasoning capabilities. The goal was to build training data for a Qwen release - extracting the skills Anthropic describes as the model's "most commercially valuable" without paying a dollar in subscription fees.
The February 2026 precedent involved DeepSeek, MiniMax, and Moonshot AI, whose operators produced roughly 16 million exchanges through about 24,000 fake accounts. The Qwen campaign surpassed that in both scale and specificity. Anthropic has previously covered how some Qwen models openly list Claude Opus as a training source - the covert campaign suggests that transparent distillation had already been taken as far as it could go.
Singapore's Raffles Place financial district, where shell companies used to relay Claude access to mainland China were incorporated. Offshore subsidiaries in Singapore provided the legal cover that initially cleared Anthropic's geographic filters.
Source: commons.wikimedia.org
Three Routes Around the Ban
Anthropic banned Chinese entities from using Claude commercially in September 2025, updating its terms of service to block any company more than 50% owned by entities headquartered in unsupported regions - China, Russia, Iran, and North Korea among them. What followed was an arms race of workarounds.
The Singapore Funnel - Ant Financial provided employees with corporate Claude Code accounts tied to a Singapore-based subsidiary. Because the accounts originated from an offshore entity, they initially cleared Anthropic's geographic filters. Engineers at the mainland China headquarters accessed Claude through internal network routing that emerged in Singapore.
The VPN Reimbursement Scheme - ByteDance took a simpler approach. The company reimbursed software engineers for personal Claude subscriptions purchased with VPN access. No corporate accounts, no Singapore entity, just individual employees expensing a productivity tool and the VPN bill that made it accessible.
The Cloud Relay - Some firms created foreign-incorporated entities and ran Claude access through Microsoft Azure's API layer. A Singapore-registered shell company held the Azure contract; Claude queries from Chinese headquarters traveled through it. These "transfer stations" operated as commercial middlemen:
client (China) → relay server (Singapore, AWS/Azure) → Claude API (US) → response → client
The relay model doesn't require sophisticated corporate structures. It needs only a server in a supported country, an Anthropic API key, and buyers willing to pay a markup.
Anthropic Fights Back
The countermeasures are accumulating, though none is airtight.
In April 2026, Anthropic began rolling out identity verification for flagged accounts: government-issued ID and a live selfie before access was restored. Detection criteria expanded to include anomalies like account time zones that don't match the stated company address, usage patterns consistent with systematic capability extraction, and account clusters submitting near-identical prompts.
The company extended its ToS to cover majority-owned subsidiaries, closing the corporate-structure loophole that let some users maintain plausible deniability through offshore entities. By early July, Anthropic had partially rolled back some of the more covert detection methods after user pushback - a sign that the monitoring was casting a wide enough net to catch legitimate users as well.
Transfer stations - servers in supported countries that relay Claude prompts from mainland China - are the primary workaround now that direct access routes have been closed.
Source: commons.wikimedia.org
Dario Amodei has publicly said Anthropic has "forgone several hundred million dollars in revenue" by refusing Chinese commercial access. The letter to Scott and Warren also requested that Congress enable enhanced information-sharing between U.S. AI labs on distillation attacks and substantially increase penalties for perpetrators.
Congress Moves
The Anthropic letter has already produced legislative action. Senators Bill Hagerty (R-TN) and Andy Kim (D-NJ) are adding an amendment to defense legislation that would impose blacklists or sanctions on entities conducting systematic distillation campaigns against U.S. AI models. A parallel bipartisan House bill is also advancing.
Alibaba's American depositary receipts dropped more than 3% and fell below $100 per share after the Senate letter became public. The company hasn't formally responded to Anthropic's allegations.
The distinction Anthropic drew - "operatives linked to" rather than "Alibaba directly" - is likely deliberate. It preserves room for legal proceedings and avoids triggering formal diplomatic responses before legislators finish drafting the sanction framework.
Whether the Hagerty-Kim amendment passes in its current form or not, the Qwen campaign has already done something the February incident didn't: it put AI distillation on the agenda of the Senate Banking Committee, not just the intelligence community.
Sources:
- Anthropic Moves to Block Chinese Firms Using Claude via Offshore Workarounds - BanklessTimes
- Anthropic Accuses Alibaba of Record Model Distillation - Digital Applied
- Alibaba Ran Largest Known AI Theft Campaign Against Claude, Anthropic Tells Senate - TechTimes
- Distillation: The New U.S.-China AI Fight - Forbes
- Anthropic Accuses Alibaba of Running Largest Distillation Campaign Against Claude - TNW
- Anthropic closes loopholes allowing Chinese access to Claude - CryptoBriefing
