Anthropic has accused Alibaba of obtaining “illicit” access to its Claude chatbot, alleging that the Chinese ecommerce giant used fake accounts to probe and “extract” the system’s capabilities. The dispute, reported by the Financial Times, lands at a sensitive intersection of AI security, competitive strategy, and the practical question of what counts as legitimate testing versus unauthorized access—especially when the target is not a traditional website or database, but a conversational model whose “capabilities” can be inferred through repeated interaction.
At the center of Anthropic’s claim is a pattern of behavior: the company says Alibaba employed accounts that were not genuine users in order to evaluate Claude in ways Anthropic considers unauthorized. In response, Alibaba disputes the allegations, saying it used those accounts for legitimate evaluation and testing. The disagreement is not simply about whether particular accounts existed; it is about intent, method, and the boundaries of acceptable probing when an AI system is publicly accessible yet still protected by access controls, terms of service, and security expectations.
This is the kind of conflict that becomes more common as AI models move from research labs into commercial ecosystems. Once a model is available via an API or a web interface, it inevitably becomes a target—not only for attackers seeking to break it, but also for companies trying to understand it. That understanding can be benign: testing for reliability, safety, latency, or compliance. But it can also become strategic: mapping strengths and weaknesses, identifying failure modes, and using those insights to improve competing products. The line between those two categories is where this case now sits.
What Anthropic alleges: probing with fake identities
According to the report, Anthropic’s accusation focuses on the use of fake accounts. Anthropic argues that these accounts were used to carry out behavior it describes as unauthorized access to Claude, with the goal of extracting the chatbot’s capabilities. In other words, the concern is not merely that Alibaba tested Claude, but that it did so under conditions Anthropic believes violated the spirit—or the letter—of access rules.
The concept of “capability extraction” is important here. In traditional cybersecurity, extraction might mean copying data or bypassing authentication. With AI systems, extraction can be subtler. A model’s internal weights are not necessarily stolen, but its external behavior can be systematically characterized. By asking carefully chosen questions, running repeated prompts, and comparing outputs across many scenarios, a determined actor can infer how the system reasons, what it refuses, what it gets wrong, and how it responds to different styles of instruction. Over time, that can translate into a competitive advantage: better prompt engineering, improved fine-tuning strategies, or even the development of a rival system that targets the same user needs while avoiding the target model’s weaknesses.
Anthropic’s framing suggests it views Alibaba’s activity as crossing from evaluation into something closer to reverse engineering through interaction. If true, the use of fake accounts would be a key part of that argument: it implies the testing was not transparent, not tied to legitimate user identity, and not conducted under the normal expectations of the service.
Why fake accounts matter in AI endpoint disputes
Fake accounts are not automatically proof of wrongdoing in every context. Companies routinely create test accounts for QA, load testing, or integration work. But the difference between legitimate testing and illicit probing often comes down to scale, pattern, and purpose.
In many AI services, access is governed by terms that assume real users and discourage automated scraping or abusive traffic. Even when a model is accessible, the operator may expect that requests are made in good faith and within reasonable limits. Fake accounts can be used to circumvent rate limits, hide the source of traffic, or avoid detection mechanisms designed to identify abnormal usage. They can also be used to obscure the relationship between the tester and the traffic patterns, making it harder for the provider to enforce policies consistently.
In this case, Anthropic’s allegation implies that the fake accounts were not simply placeholders for internal testing, but tools to conduct a broader capability-mapping effort. That distinction matters because it changes the legal and ethical interpretation: it moves the story from “a company tested a product” to “a company attempted to obtain information about a competitor’s system in a way the provider says is unauthorized.”
Alibaba’s response: legitimate evaluation and testing
Alibaba disputes Anthropic’s claims. The company says it used the accounts for legitimate evaluation and testing. This is a familiar defense in disputes over AI probing: the accused party argues that it had a business reason to assess performance, that it followed relevant procedures, and that the activity was not intended to steal or bypass protections.
From Alibaba’s perspective, the ability to evaluate competitors’ AI systems is not inherently illegitimate. In fact, evaluation is a normal part of product development. Teams compare models to understand user experience, benchmark quality, and identify gaps. If a model is publicly accessible, then testing it can be framed as analogous to reviewing a competitor’s software in the market.
But Anthropic’s counterargument is likely that the method—specifically the use of fake accounts—was not consistent with legitimate evaluation. If the provider believes the accounts were created to disguise identity or circumvent safeguards, then the evaluation becomes something else: not a review, but an attempt to extract capabilities beyond what the provider intended to allow.
The deeper issue: what is “testing” when the target is a model?
This dispute highlights a growing industry challenge: AI endpoints are both products and targets. Unlike a static dataset, a chatbot’s behavior is dynamic and context-dependent. That makes it difficult to define what constitutes acceptable testing.
Consider three scenarios:
First, a developer uses Claude through official channels to build an application and runs standard test suites. This is typically legitimate, especially if done within documented limits.
Second, a researcher or company runs structured evaluations to benchmark performance. This can also be legitimate, particularly if it is transparent and does not violate terms.
Third, a competitor runs large-scale, systematic probing designed to map the model’s behavior in detail, potentially to replicate or surpass it. If done with fake accounts or in ways that evade safeguards, it starts to resemble extraction.
The problem is that the third scenario can look similar to the second from the outside. Both involve repeated prompts and analysis of outputs. The difference may be in intent, scale, and whether the provider’s access controls were respected.
That is why the “fake accounts” detail is so central. It suggests Anthropic believes Alibaba’s approach was not just evaluation, but evaluation conducted in a way that undermined the provider’s ability to manage access responsibly.
Competitive intelligence versus unauthorized access
AI capability mapping sits in a gray zone between competitive intelligence and unauthorized access. Companies have always tried to learn from competitors—through benchmarking, reverse engineering, and market research. But AI systems introduce new constraints because they are often protected by terms of service and technical controls that are designed to prevent abuse.
If a company can interact with a model freely, it can gather information. The question becomes: how much information gathering is allowed? And what methods cross the line?
Providers argue that their models are not meant to be treated as free resources for extraction. They are services with costs, safety obligations, and risk management requirements. Providers also worry that extraction efforts can accelerate the arms race: if competitors can cheaply map capabilities, they can iterate faster and potentially reduce the incentive to invest in safety and governance.
Accused companies argue that they are not stealing proprietary weights or code. They are observing outputs, which any user could observe. They may also claim that their testing improves the ecosystem by identifying limitations and pushing for better performance.
The truth is that both arguments contain elements of reality. Observing outputs is not the same as stealing internal parameters. Yet systematic probing can still produce actionable knowledge that functions like extraction. In practice, providers often treat excessive or deceptive probing as a form of abuse even if no direct data theft occurs.
The governance angle: enforcement is catching up to deployment
Beyond the immediate parties, this case reflects a broader shift in AI governance. As models become widely accessible, enforcement mechanisms are evolving. Providers are increasingly focused on endpoint security: controlling who can query models, how often, and under what identity.
This is not only about preventing malicious actors. It is also about ensuring that legitimate users are not crowded out by automated traffic, and that the provider can maintain predictable service quality. When a competitor uses fake accounts to generate high-volume queries, it can degrade performance for others and strain infrastructure. It can also complicate monitoring and incident response.
The governance challenge is that AI systems are often accessed through interfaces that were originally designed for human interaction, not for adversarial measurement. Rate limits, bot detection, and account verification can help, but they are imperfect. Meanwhile, the incentives for probing are strong: understanding a model’s behavior can be valuable even without breaking it.
This is why the dispute is likely to resonate across the industry. It signals that providers may pursue legal or contractual remedies when they believe probing crosses into extraction—even if the target model is technically reachable.
A unique take: the “identity layer” is becoming part of AI security
One of the most interesting aspects of this story is the role of identity. In classic cybersecurity, identity is about authentication and authorization: who are you, and are you allowed to access this resource? In AI endpoint disputes, identity is increasingly about trust and accountability.
If a company uses fake accounts, it is not just hiding its traffic. It is undermining the trust model that allows providers to allocate capacity, enforce terms, and attribute behavior. In a world where AI models can be queried at scale, identity becomes a control surface. It determines whether the provider can distinguish between legitimate evaluation and abusive extraction.
This is a subtle but important shift. Many people think of AI security as prompt injection, data leakage, or model inversion attacks. Those are real concerns. But this case suggests another layer: the operational security of the interface itself. The “front door” to AI systems—accounts, sessions, rate limits, and monitoring—may become as important as the model’s internal defenses.
If providers begin treating deceptive identity as a security issue, then companies that want to evaluate models will