The Information Machine

AI Labs Defend Against Model Output Distillation: Meta Restricts Claude Code, Anthropic Accuses Alibaba

open · v1 · 2026-07-01 · 102 items

What

Two developments have converged around AI model output protection. Anthropic publicly accused Alibaba of running what it calls the largest known distillation attack on Claude, using approximately 25,000 fraudulent accounts to generate 28.8 million exchanges intended to train Alibaba's own models, and disclosed the campaign to the U.S. government.[2][1][3] Separately, internal Meta documents leaked to The Information show Meta has placed strict limits on how engineers in its applied AI division may use Claude Code and OpenAI's Codex, specifically to prevent competitor model outputs from entering Meta's own training pipelines.[6][12][7] Both OpenAI and Anthropic have terms of service explicitly barring use of their model outputs to develop competing models, though legal experts question whether these provisions are enforceable in court.[7][9][8]

Why it matters

These cases define an emerging category of competitive IP dispute unique to AI: a sufficiently capable model can be queried at scale to produce training data that transfers its capabilities to a rival system, potentially without any traditional intellectual property violation. How labs detect, deter, and legally address this practice will shape the economics of frontier model development and the enforceability of AI terms of service.

Open questions

  • Will Anthropic pursue legal action against Alibaba, and if so, what legal theory — contract, trade secret, or something else — would support it? [9][8]

  • Alibaba has not publicly responded to the allegations; does it dispute the characterization of the accounts as fraudulent or the purpose as distillation? [3][13]

  • Are anti-distillation clauses in AI terms of service enforceable against a foreign company operating primarily outside U.S. jurisdiction? [9]

  • How does Meta's restriction on Claude Code and Codex affect engineer productivity, and will other AI labs building their own models adopt similar policies? [6][7]

Narrative

Anthropic disclosed to the U.S. government that Alibaba orchestrated what the company describes as the largest known distillation attack on Claude.[1] The operation used approximately 25,000 fraudulent accounts to generate 28.8 million exchanges with the model, with the apparent purpose of producing labeled input-output pairs that could train Alibaba's own systems on Claude's behavior.[2][3] Anthropic described the campaign as 'brazenly' and 'illicitly' extracting AI capabilities.[4] Zvi Mowshowitz's commentary confirms Anthropic has formally accused Alibaba of this operation and framed it in the context of broader U.S.-China AI competition.[5] Alibaba has not issued a public response.

Separately, internal documents obtained by The Information show Meta has prepared guidelines restricting how engineers in its applied AI division use Claude Code and OpenAI's Codex.[6] The concern is straightforward: if Meta engineers use competitor AI tools in their development workflows, the outputs of those tools — code suggestions, explanations, design choices — could find their way into Meta's model training pipelines, constituting unintentional distillation.[7] Analyst Rohan Paul characterized the risk as arising from 'even accidental reuse of Claude or Codex answers' and suggested mitigation strategies including 'ingredient tracking' and clean-room rules separating coding-agent outputs from training datasets.[7] The restriction covers Claude Code (Anthropic) and Codex (OpenAI), the same companies whose terms of service explicitly prohibit using their model outputs to develop competing AI models.[7][8]

The legal landscape around these prohibitions is uncertain. Both OpenAI's and Anthropic's terms of service bar use of outputs to train competing models, but legal commentators have noted these clauses may be difficult to enforce in court, particularly against foreign entities.[9][8] A strong case, as Rohan Paul observed, would typically require evidence such as mass scraping, fake accounts, or internal records showing intentional cloning — precisely the kind of evidence Anthropic claims to have in the Alibaba matter.[7] Commentator Prasenjit Sarkar argued the episode shows that 'the bottleneck in AI capability competition just moved from training to policy enforcement.'[10]

Skepticism exists on the technical framing. One commentator (@96Stats, described as being based in China) dismissed BBC coverage of the Anthropic allegation as written by a 'casual journalist,' arguing that 'extraction' as framed in mainstream reporting does not accurately describe what distillation involves technically.[11] This dissent is a minority view in the coverage but reflects a broader debate about whether systematic API querying constitutes IP misappropriation or merely uses a paid service within its technical terms.

Timeline

  • 2026-06-24: Anthropic publicly accused Alibaba of running the largest known distillation attack on Claude, using ~25,000 fraudulent accounts and 28.8M exchanges. [3][2][13]
  • 2026-06-24: Anthropic disclosed the Alibaba distillation campaign to the U.S. government. [1][18]
  • 2026-06-25: Mainstream coverage spread widely; critics began debating whether 'extraction' framing in press reports accurately describes the technical process. [11][17][19]
  • 2026-06-29: The Information reported internal Meta documents show strict limits placed on applied AI engineers' use of Claude Code and Codex over distillation concerns. [6][12][14]
  • 2026-06-29: Rohan Paul analyzed Meta's restrictions and both companies' ToS provisions, proposing ingredient-tracking and clean-room rules as mitigations. [7]
  • 2026-06-30: Zvi Mowshowitz confirmed Anthropic's formal accusation against Alibaba and contextualized it within broader U.S.-China AI competition and policy developments. [5]

Perspectives

Anthropic

Alibaba conducted the largest known distillation attack on Claude, using ~25,000 fraudulent accounts to generate 28.8M exchanges; the campaign was brazen and illicit, and Anthropic has disclosed it to the U.S. government.

Evolution: Consistent enforcement posture; this is the most specific and large-scale distillation allegation Anthropic has publicly made.

Meta

Restricting internal use of Claude Code and Codex by applied AI engineers to prevent competitor outputs from contaminating Meta's training pipelines.

Evolution: Defensive posture; the internal policy reflects Meta's own awareness of distillation risk as a company that both uses and competes with frontier AI providers.

Rohan Paul (@rohanpaul_ai)

Meta's restrictions are a rational response to real legal exposure; both OpenAI and Anthropic ToS bar competitive training on outputs; mitigation requires ingredient tracking and clean-room separation of coding tools from training pipelines.

Evolution: Analytical framing; no prior stance on record.

Prasenjit Sarkar (@stretchcloud)

The Anthropic-Alibaba episode shows the primary bottleneck in AI competition has shifted from training capability to policy enforcement.

Evolution: Consistent analytical observer across multiple posts this cycle.

Legal experts (via ppc.land)

AI terms of service provisions barring competitive training may prove unenforceable in court, limiting labs' practical recourse even when violations are detected.

Evolution: Emerging perspective surfaced by this story; no prior record.

Dr. Luke in China (@96Stats)

Mainstream press coverage conflates 'extraction' with distillation inaccurately; the BBC story in particular was written without AI expertise and overstates what the technique accomplishes.

Evolution: Skeptical dissent; minority view in overall coverage.

Zvi Mowshowitz

Confirms Anthropic's Alibaba accusation; situates it within a pattern of ad hoc, improvised U.S. AI governance and is cautious about whether policy mechanisms can keep pace with distillation-scale threats.

Evolution: Consistent critical-but-engaged observer of AI policy; integrates this story into broader governance concerns.

Tensions

  • Anthropic characterizes Alibaba's API usage as a systematic, illicit distillation campaign; Alibaba has not responded, leaving the question of intent and authorization unresolved. [3][2][4]
  • Labs rely on ToS anti-distillation clauses as a primary defense, but legal experts argue those clauses may be unenforceable, particularly against foreign entities. [9][8][7]
  • Technical commentators (e.g., @96Stats) argue press coverage mischaracterizes distillation as straightforward theft; mainstream outlets and Anthropic treat it as clear IP misappropriation. [11][17][3]
  • Meta restricts its engineers from using the most capable external AI coding tools to protect its training pipelines, creating a direct tradeoff between developer productivity and competitive IP hygiene. [6][12][7]

Status: active and growing

Sources

  1. [1] SITUATION DETECTED: Anthropic has disclosed to the U.S. Government that Alibaba executed the largest known distillation ... — reactive:ai-model-distillation-ip (2026-06-28)
  2. [2] Anthropic accuses Alibaba of a massive distillation attack using ~25,000 fake accounts and 28.8M exchanges against Claud... — reactive:ai-model-distillation-ip (2026-06-28)
  3. [3] Anthropic accuses Alibaba of campaign to extract AI capabilities — reactive:ai-model-distillation-ip
  4. [4] Anthropic accuses Alibaba of campaign to 'brazenly' and 'illicitly' extract AI capabilities - The letter, which was obta... — reactive:ai-model-distillation-ip (2026-06-24)
  5. [5] The Once And Future Fable #5 — Zvi's AI Roundups (2026-06-30)
  6. [6] Exclusive: Internal Meta documents reveal new limits on Claude Code and Codex as the company works to prevent distillati... — reactive:ai-model-distillation-ip (2026-06-30)
  7. [7] The Information: Meta has reportedly limited engineer use of Claude Code and Codex because rival model outputs could con… — Rohan Paul Twitter (2026-06-29)
  8. [8] OpenAI Terms of service forbid training competitor models via their ML outputs (... | Hacker News — reactive:ai-model-distillation-ip
  9. [9] Legal experts warn AI terms of service may prove unenforceable in ... — reactive:ai-model-distillation-ip
  10. [10] The bottleneck in AI capability competition just moved from training to policy enforcement. — reactive:ai-model-distillation-ip (2026-06-25)
  11. [11] Lol such a dumb article by the BBC clearly written by a casual journalist and not AI expert. They claim ‘extraction’ as ... — reactive:ai-model-distillation-ip (2026-06-25)
  12. [12] Internal docs: Meta places strict limits on how staff in its applied AI division can use Claude Code and Codex, fearing ... — reactive:ai-model-distillation-ip (2026-06-29)
  13. [13] Anthropic Accuses Alibaba of Largest AI Distillation Attack: 28.8M Fraudulent — reactive:ai-model-distillation-ip (2026-06-26)
  14. [14] Internal documents: Meta is placing strict limits on how engineers in its applied AI division can use Claude Code and Co... — reactive:ai-model-distillation-ip (2026-06-29)
  15. [15] Meta $META established strict limits on how applied AI staff can use Anthropic's Claude Code and OpenAI's Codex. — reactive:ai-model-distillation-ip (2026-06-29)
  16. [16] Meta has restricted internal use of Claude Code and GitHub Copilot (built on Codex) for the same underlying reason: dist... — reactive:ai-model-distillation-ip (2026-06-30)
  17. [17] Anthropic Accused Alibaba of a Distillation Attack. Here’s What That Means—and Why It’s So Dangerous — reactive:ai-model-distillation-ip
  18. [18] SITUATION DETECTED: Anthropic has disclosed to the U.S. Government that Alibaba executed the largest known distillation ... — reactive:ai-model-distillation-ip (2026-06-28)
  19. [19] Anthropic accuses Alibaba of 'largest known distillation attack' on ... — reactive:ai-model-distillation-ip