28.8 Million Queries: The AI Heist That Tripped No Alarms

Authored by Joseph Hoefer via RealClearDefense,
When we picture intellectual property theft, we picture a break-in. A hacker slips past the firewall, copies the source code, and disappears. So, when an American AI company tells Congress that China just pulled off the largest extraction campaign it's ever recorded, the natural assumption is that someone cracked the vault.
Nobody broke in. And that's exactly what makes this threat so difficult for Washington to address.
Last week, Anthropic told the Senate Banking Committee that operators affiliated with the Chinese conglomerate Alibaba ran roughly 28.8 million queries with its Claude models through nearly 25,000 fraudulent accounts between April and June. According to the company, the goal was not to steal the model. It was to harvest its answers, then use those answers to train a competing Chinese system at a fraction of the cost.
This technique is called distillation, and not all of it is sinister. Training a smaller model on the outputs of a larger one is a routine and legitimate practice when a company does it with its own systems. What Anthropic alleges is something else: unauthorized extraction from a competitor's proprietary service, carried out at industrial scale through fake accounts that violated its terms of use. The line between ordinary engineering and a national-security problem runs right through that word "unauthorized."
The unsettling part is how ordinary the attack looks from the outside. The operators signed up, gained access, and asked questions, millions of them, aimed at the model's most valuable skills: writing software and reasoning through complex tasks step by step. The model did precisely what it was built to do. No alarm tripped, because from the system's perspective, nothing went wrong. A determined competitor simply walked through the front door, at enormous scale, to approximate years of American research by learning from the model's outputs.
That is a genuinely new kind of problem, and it scrambles the usual playbook.
The instinct in Washington has been to treat Chinese AI gains as a hardware story. Keep advanced chips out of Beijing's hands, the thinking goes, and you slow its progress. That instinct isn't wrong. Compute is a real chokepoint... China keeps trying to smuggle chips and route around the controls, and tightening those rules is sound policy.
But chip controls were designed to stop someone from building a powerful model. They do nothing to stop someone from quietly copying the behavior of a model that already exists.
You can wall off the foundry and leave the storefront wide open. That is the gap distillation walks through, and it is why a hardware-only strategy, however necessary, cannot be the whole answer.
The stakes are not only strategic. Every successful extraction campaign compresses years of research and billions of dollars of private investment into millions of automated queries, undermining the incentives that made American frontier AI leadership possible in the first place. This is what intellectual property theft looks like in the age of AI: not stolen code, but a copied teacher. Alibaba is simply the first vivid example, and it won't be the last.
The encouraging news is that the government has already named the problem. In April, the White House science office issued a memo warning that foreign entities, mostly based in China, are running "industrial-scale campaigns to distill U.S. frontier AI systems," and it committed the administration to better information sharing and defensive coordination with industry. The House Foreign Affairs Committee advanced a bill that would track these extraction attempts and authorize sanctions against the companies behind them. And in response to the Alibaba disclosure, Sens. Bill Hagerty (R-Tenn.) and Andy Kim (D-N.J.) are pushing an amendment to this year's defense bill directing the Commerce Department to penalize Chinese firms caught doing it.
That bipartisan momentum is the right reflex. To work, the response must match the attack, and that means treating model extraction like any other strategic economic attack rather than a routine business dispute.
Two priorities follow. First, detection is a shared problem, yet companies fight it alone. The fake accounts and evasion patterns show up across multiple American labs, but legal uncertainty discourages competitors from comparing notes. Congress can give them clear permission to share threat signals with one another and with the government, the way banks already share intelligence on fraud. Second, deterrence must reach the storefront, not just the foundry. If a Chinese lab can lose access to American chips for smuggling them, it should face comparable consequences for systematically abusing American AI services to copy them.
America has spent years debating how to keep advanced AI out of China's hands. The harder question may be how to keep China's AI companies from quietly learning everything they can from the models we place online for the world to use. Last week's disclosure put a number on it: 28.8 million questions, asked through the front door. Washington has finally started looking at the right entry point. Now it needs to figure out how to lock it.
Joseph Hoefer is a principal and chief AI officer at Monument Advocacy, where he leads the firm's AI policy practice.
Related Markets
All MarketsMarket data may be delayed. Not financial advice.
💡 AI analysis provides alternative perspectives on current events