Cloning Claude
It cost billions to build and six weeks to copy.
Between April 22 and June 5, 2026, Alibaba ran 25,000 fraudulent accounts through Claude. In six weeks those accounts generated 28.8 million conversations, systematically targeting advanced software engineering capabilities and multi-step agentic reasoning. Anthropic detected the operation and disclosed it on June 26.
That’s the data. Here’s the structural problem it reveals.
Frontier AI companies build their competitive position on training runs that cost hundreds of millions to billions of dollars. The API is how that investment gets monetized, a toll gate through which every query passes. What Alibaba’s operation demonstrates is that the toll gate is also the extraction point. Once a model is queryable, the behavior it produces can be captured, and captured behavior can be used to train a cheaper model that mimics it. The training moat converts, through the API, into something orders of magnitude cheaper to copy than to build.
Training a frontier model costs hundreds of millions. Running queries against it costs a fraction of a cent. That gap, between the capital required to build a capability and the capital required to extract it, is so wide that any organization with API access and time can bridge it. Software piracy exploited the same gap between development cost and reproduction cost for decades. Distillation differs in a way that matters legally and practically. A pirated binary is a copy of an artifact. A distilled model is a copy of a capability. You can’t sue the weights into non-existence. The knowledge lives in the behavior, and the attacker bought it one query at a time, billed at the API’s own advertised price. The capability doesn’t leave in a single transfer. It seeps out gradually, invisibly, encoded in outputs that look indistinguishable from ordinary use.
The obvious objection is that a copy made this way is a degraded one. It is. A distilled model captures the teacher’s behavior on the questions it was asked and frays at the edges of everything it wasn’t. But a degraded copy is still a competitive product, and the market has already put a number on it. Apple’s roughly $1 billion deal with Google to power the new Siri includes distilling five foundation models from Gemini. That is extraction by exactly this mechanism, systematic querying to capture capability, and Apple paid a billion dollars because the degraded copy was worth a billion dollars. The method is identical in both cases. What separates the two is the contract. Sanctioned extraction produces royalties. Adversarial extraction produces a copy and nothing else.
The harder part is that malicious queries are indistinguishable from legitimate ones at scale. 28.8 million conversations across 25,000 accounts look, in aggregate, like a large enterprise customer. Detection requires spotting the same patterns that normal usage produces: high query volume, systematic probing across capability types. Any threshold that catches an attacker also catches a power user. The signals that eventually flag a campaign only become readable after significant data has accumulated. Anthropic found this one, but the mechanism that makes detection possible is the same mechanism that arrives too late. By the time a systematic distillation campaign is visible in usage patterns, the attacker has already harvested the data.
This is a different failure from the one I’ve written about before. Inference costs collapsing 1,000x in three years, open-weight models turning capability into a permanent commodity: that story is about what happens after a model is released. Adversarial distillation is about what happens before. It works directly through the API, against a closed model, before anything leaves the lab. Market forces don’t wear the training moat down over time here. A competitor extracts it deliberately, query by query, in six weeks.
This isn’t Anthropic’s problem to solve alone. Every frontier lab running a public API faces the same structural condition. The API is the product. The API is also the attack surface. The industry chose this model because there was no better way to monetize a capability that can’t be shipped as a binary. A large model doesn’t run on a customer’s hardware the way a software license once did. The only delivery mechanism is the query, and the query is also the extraction vector. Anthropic detected one campaign. Whether other campaigns are running is not the interesting question. The interesting question is whether any of the labs would know. The Alibaba disclosure happened because Anthropic found it. There’s no registry of campaigns that didn’t get caught.
The conventional defenses don’t hold against this. Rate limiting slows an attacker and slows every legitimate user along with him. Access controls exclude bad actors the same way they exclude anyone without approved credentials, which is exactly what 25,000 fraudulent accounts were built to defeat. Stricter verification adds friction for real users while determined adversaries route around it. Detection catches what has already happened. None of them touch the underlying asymmetry: building the capability costs a fortune, and querying it costs almost nothing.
The only structural response left is velocity. A distilled copy captures the frontier as of the harvest date. If the original keeps moving faster than copies can be deployed and turned into products, the copy is always a step behind, and a step behind is worthless in a market that pays for the frontier. The moat becomes the rate of new training runs rather than any single one. Access to the frontier is worth something only while the frontier keeps moving.
Which is less a solution than a sentence. It commits every lab to running flat out, indefinitely, because the moment one slows down the copies close the gap. Nobody chose this treadmill. It’s what remains after the other defenses fail. A moat you have to keep digging every few months, at a cost of billions, to hold the same relative position is a strange thing to call a moat.
The Alibaba operation reads like a scandal about one company’s conduct. It’s really a proof of concept for how a knowledge monopoly fails at the interface built to sustain it. The API cannot be both the revenue mechanism and the secure boundary. Access is the product, and access is extraction. A lab can outrun what it reveals for a while. Whether it can do that indefinitely, flat out with no finish line, is the bet the whole industry is now making without having shown it can be won.


