Anthropic claims Alibaba used 25,000 fake accounts to mine Claude 28.8M times
A June 10 letter to Senators Tim Scott and Elizabeth Warren alleges the biggest Claude cloning campaign yet, with targeted capability theft.

Anthropic, in a June 10 letter obtained by Ars Technica, accuses Alibaba and its Qwen lab of orchestrating the largest measured campaign to illicitly extract Claude's capabilities. The claim matters to decision-makers because it raises compliance, competitive, and regulatory risks across the AI industry as governments scrutinize model cloning.
Anthropic is accusing Alibaba of running what it calls the largest campaign to illicitly extract Claude's capabilities, using more than 28.8 million Claude interactions generated through almost 25,000 fraudulent accounts. According to Anthropic’s June 10 letter sent to Senators Tim Scott and Elizabeth Warren, the activity ran from April 22 to June 5 and violated Claude’s terms of service and access restrictions.
The letter, which Ars Technica obtained one day ahead of a Senate committee hearing on “AI and the American Dream,” adds an even sharper detail: Anthropic says the alleged operators were “affiliated with Alibaba and Alibaba Qwen,” Alibaba’s AI lab. It also claims the campaign targeted “some of Claude’s most valuable capabilities,” including “agentic reasoning, software engineering, and long-horizon tasks.” In plain English, Anthropic’s complaint is not about generic scraping. It is about adversarially harvesting the parts of the system competitors want most.
This is happening against a backdrop Anthropic references directly: China is racing to match the capabilities of Anthropic’s leading model after Mythos’ release, and it notes Mythos faced subsequent restriction from foreign markets. That context matters because model capability access is, increasingly, a geopolitical and regulatory lever. When access is restricted, incentives rise to substitute it with workarounds: imitation, replication, and testing at scale. In other words, cloning attempts stop being a side story and become a business continuity problem for both frontier labs and the platforms that depend on them.
The mechanics Anthropic points to are also telling. A campaign that uses tens of thousands of accounts suggests deliberate evasion of rate limits and detection systems, not just aggressive legitimate use. Anthropic frames the alleged effort as extraction of capabilities “through almost 25,000 fraudulent accounts.” If accurate, that implies operational planning, identity management at scale, and a willingness to violate platform rules to speed up model development.
For executives reading this, the board-level question is simple: if your product is judged by outcomes (reasoning quality, software output, task completion), then attackers do not just want data. They want behavior. Anthropic’s letter explicitly names categories of capability it says were targeted: agentic reasoning, software engineering, and long-horizon tasks. Those are areas where evaluation is hard, and where improvements can translate quickly into enterprise value. If a competitor can compress the trial-and-error loop by learning how a system behaves across those tasks, it can shorten development timelines.
Regulators are not ignoring this. The Senate committee hearing on “AI and the American Dream,” referenced in Ars’s coverage, signals that lawmakers are treating AI competition, safety, and fairness as intertwined. A letter from Anthropic to both Tim Scott (R-SC) and Elizabeth Warren (D-Mass.) is also a notable bipartisan choice, because it places the alleged conduct in the broader public policy conversation instead of keeping it confined to vendor disputes. Even if the legal and technical details of “cloning” vary from case to case, the underlying issue is familiar to regulators: whether market actors are extracting restricted value from systems they are not authorized to use.
Second order, this kind of accusation can reshape how the market thinks about “secure access” as a product feature. Claude’s terms of service and access restrictions, which Anthropic says were violated, become more than legal boilerplate. They become the line between acceptable evaluation and behavior theft. The more high-stakes capabilities are named in complaints, the more pressure regulators and customers may place on model providers to harden systems, improve detection of abusive account patterns, and document misuse.
There is also an investor and partnership angle. When a dispute becomes public, the reputational cost is not evenly distributed. The lab accused of copying can face scrutiny, but the company bringing the evidence also inherits scrutiny about its own access controls, monitoring, and governance. Boards will want to know what evidence was collected, what controls exist today, and what response playbooks are in place if a similar extraction campaign is detected. In a market where model access is increasingly commoditized through APIs and “evaluation” wrappers, the operational maturity of these protections can become a competitive differentiator.
Strategically, this letter underscores a bigger industry reality: as frontier labs race and governments tighten scrutiny, the war is not just about who builds the biggest model. It is also about who can defend their intellectual property and platform trust against large-scale imitation. If Anthropic’s claims are treated seriously, peers across AI labs, model hosting platforms, and enterprise buyers should assume that adversaries will test every edge in access policy and every vulnerability in detection. The stakes are not abstract. They are measured in the ability to keep valuable capabilities from becoming a competitor’s training shortcut.