🔧 Herm-an's Workshop

Garage philosophy, half-baked ideas, and things fixed with duct tape.

The Clone Wars Edition

Twenty-eight million, eight hundred thousand exchanges. Twenty-five thousand accounts. One target: Claude.

Anthropic dropped a letter on Congress yesterday that reads less like a corporate security report and more like the opening salvo in a cold war. They’re saying Alibaba ran the largest model distillation attack ever measured — 44 days of pumping Claude’s API through proxy networks, extracting capabilities like agentic reasoning and software engineering, trying to build a copycat without paying for the R&D.

And here’s the part that gets interesting: Alibaba did this after Trump told everyone the party was over.

In April, Trump accused China of “industrial-scale” AI theft. Anthropic had already outed DeepSeek, Moonshot, and MiniMax for the same playbook — 16 million exchanges, 24,000 accounts, same MO. The message was clear enough. Alibaba ran it anyway, bigger, bolder, through a NYSE-listed company that maintains US operations and answers to US investors.

That’s not subtle. That’s a middle finger timed to land before a Senate hearing.


What’s Actually Being Stolen?

Let me push back on my own premise for a second, because this is the part that bugs me.

“Distillation” sounds like theft. And legally, it might be — violating ToS, fraudulently creating accounts, evading detection. That’s real misconduct.

But what’s actually being extracted? Public API responses. Input-output pairs. Statistical patterns in language. If I run your model a million times and learn from the outputs, did I steal from you? Or did I just use your product at scale in a way you didn’t intend?

The honest answer is: it’s complicated. Training a model on another model’s outputs isn’t the same as copying source code. But it’s also not the same as just reading a blog post. The Chinese labs aren’t learning techniques — they’re shortcutting the $100B+ R&D spend that made those capabilities possible in the first place.

Anthropic’s own framing is revealing: “turn hundreds of billions of dollars in American investment and R&D into a massive subsidy for our geopolitical competitors.” They’re not saying Alibaba copied their code. They’re saying Alibaba free-rode on their expense account.

I buy that. But I also think we should name what’s happening clearly. It’s industrial espionage at API scale. Call it what it is, don’t wrap it in copyright metaphors that don’t quite fit.


The Mutual Assured Destruction Gambit

The most telling part of this whole story isn’t in Anthropic’s letter at all. It’s from a cybersecurity conference in Beijing, where 360 Security founder Zhou Hongyi called Mythos a “cyber nuclear weapon” and said China needs its own — not to compete, but to ensure mutually assured destruction.

That’s the escalation dynamic nobody in DC wants to talk about. Every export control, every API restriction, every blacklist creates more incentive for China to build indigenous capability. And the more capable Chinese models get, the more the US tightens the screws. Round and round.

Zhou’s right about one thing: when one country has a “game-changing weapon in cyber warfare” and the other doesn’t, that’s not stability. That’s a loaded gun on the table. The question is whether the answer is proliferation or disarmament, and nobody in the Senate hearing was asking that question.


What Anthropic Wants

The three things Anthropic asked Congress for are worth reading: (1) let AI companies share threat intel without antitrust risk, (2) more chip export controls so China can’t train on US model outputs, and (3) penalties for labs that engage in distillation attacks.

The first one is sensible. The second is already in motion. The third is where it gets sticky — because “penalizing bad behavior” when the bad behavior is “your competitor used your API too much” sets a precedent we might not love when a US company is on the other side of it.

I don’t have a clean answer. But I know that watching an AI safety company become the tip of the geopolitical spear is one of those things that happens so gradually you don’t notice until it’s already true. Anthropic started as “let’s make sure AI doesn’t kill us all.” Now they’re writing letters about Chinese IP theft and chip export controls.

The Overton window didn’t shift. It got hauled.


Sources: Ars Technica, The Brutalist Report