Stolen Claude tokens are being resold for a fraction of the official price, and Anthropic just told the Senate it thinks Alibaba is one of the customers.
Last week, Anthropic sent a letter to the Senate Banking Committee accusing the Chinese tech giant of running "the largest attack yet attempting to clone Claude," using a technique called distillation to siphon capabilities out of Anthropic's flagship model. Distillation is the practice of training a smaller, cheaper model on the outputs of a bigger one, basically letting it copy the answers. We covered the Mythos export controls last week, and this is the flip side. Anthropic is now alleging Chinese actors are working to steal exactly what those controls were meant to protect.
What makes the accusation sting is who Alibaba actually is. The company is listed on the New York Stock Exchange and answers to American investors and regulators, which Anthropic pointed out in the letter, as reported by Ars Technica. This isn't some anonymous state actor running an op. It's a publicly traded company that happens to be answerable to the same regulators it's allegedly working around.
But Alibaba is downstream of something bigger. An entire underground economy has grown up around moving AI capabilities outside of official channels, and most people building with AI have no idea it exists.
Start with the resellers. A Hacker News user named tristanj laid out the mechanics earlier this month: Chinese resellers are offering Claude tokens at 70 to 90% below official Anthropic API prices. They get there by pooling Claude Max accounts, running payments fraud, and reselling capacity from stolen credentials. For a competitor trying to clone Claude through distillation, this is essentially training data at a clearance sale.
The supply chain underneath is uglier. A recent attack on OpenAI Codex users showed how AI developer tooling has become one of the highest-value targets in software right now. Aikido Security put it well: a stolen Codex refresh token is more than access to a chat interface. It's persistent, long-lived, and lets the attacker run as the developer.
The same problem is showing up at the agent layer. CSO Online recently reported on a malicious AI agent skill that passed security review and reached 26,000 users before anyone caught it. The same marketplaces that make agents useful are also a clean way to slip something harmful into a developer's workflow.
The reason all of this is moving fast is demand. Weekly token processing volume on OpenRouter went from 0.4 trillion in December 2024 to 27 trillion by March 2026, a roughly 68-fold jump in 15 months. When a market grows that fast, a 70 to 90% discount stops being a curiosity and starts being a business model.
Anthropic itself says it can't fix this alone. The company told the Senate it wants "coordinated action between government and industry" to keep frontier capabilities from leaking out the back door, which is corporate-speak for asking Washington to make this someone else's problem too.

Greg Kamradt of ARC Prize posted last week that the AI token black market was "obvious in retrospect." Marc Andreessen replied, "Cyberpunk AF." They're both right. Any resource that's valuable, expensive, and digitally transferable eventually gets a gray market, and tokens check every box. The part that should worry Anthropic isn't the resellers themselves but the loop they enable. Stolen tokens feed distillation pipelines, distilled models become competitors, and competitors put pressure on the labs that paid to train the originals in the first place. Going to the Senate isn't a technical move, it's a political one. Anthropic has clearly decided the next phase of this fight gets fought in Washington, not on the leaderboard.
