Anthropic is implementing a stricter enforcement regime to stop Chinese entities from accessing its Claude models, closing loopholes that allowed elaborate workarounds.

The move follows a significant distillation attack. According to a letter sent to U.S. senators, operatives linked to Alibaba's Qwen AI lab executed what Anthropic called the largest known distillation attack it has identified.

Between late April and early June 2026, roughly 25,000 fraudulent accounts generated over 28.8 million interactions with Claude. The goal was to systematically extract its capabilities to train a competing model.

Distillation involves feeding a powerful model vast volumes of questions and logging its answers. That data is then used to train a cheaper model that mimics the original's behavior.

Anthropic has called for better information sharing between U.S. AI companies when such attacks are detected and for significantly harsher penalties for perpetrators.

The company's existing terms already prohibited commercial access by Chinese entities. The new measures extend that restriction to majority-owned subsidiaries of restricted entities, closing a corporate structure loophole.

Anthropic also began rolling out identity verification for flagged users, requiring government-issued IDs and live selfies.

Anthropic has not publicly accused Alibaba of directing the attack, only linking the accounts to operatives associated with its Qwen lab. This distinction could be important in any legal or regulatory matter.

The company's actions suggest it is actively lobbying for a legal framework giving U.S. AI labs stronger recourse against distillation attacks.