JarValley

Market Prices

BTC Bitcoin
$64,137 +1.51%
ETH Ethereum
$1,842.38 +0.45%
SOL Solana
$74.88 +0.35%
BNB BNB Chain
$569.8 +1.14%
XRP XRP Ledger
$1.09 +0.63%
DOGE Dogecoin
$0.0722 +0.46%
ADA Cardano
$0.1659 +3.49%
AVAX Avalanche
$6.55 +0.99%
DOT Polkadot
$0.8370 -1.56%
LINK Chainlink
$8.31 +1.56%

Event Calendar

{{年份}}
22
03
unlock Optimism Unlock

Circulating supply increases by about 2%

08
04
upgrade Solana Firedancer

Independent validator client goes live on mainnet

18
03
unlock Sui Token Unlock

Team and early investor shares released

28
03
unlock Arbitrum Token Unlock

92 million ARB released

15
04
halving Bitcoin Halving

Block reward reduced to 3.125 BTC

12
05
halving BCH Halving

Block reward halving event

30
04
upgrade Celestia Mainnet Upgrade

Improves data availability sampling efficiency

10
05
upgrade Ethereum Pectra Upgrade

Raises validator limit and account abstraction

Tools

All →

Altseason Index

44

Bitcoin Season

BTC Dominance Altseason

Market Cap

All →
# Coin Price
1
Bitcoin BTC
$64,137
1
Ethereum ETH
$1,842.38
1
Solana SOL
$74.88
1
BNB Chain BNB
$569.8
1
XRP Ledger XRP
$1.09
1
Dogecoin DOGE
$0.0722
1
Cardano ADA
$0.1659
1
Avalanche AVAX
$6.55
1
Polkadot DOT
$0.8370
1
Chainlink LINK
$8.31

🐋 Whale Tracker

🟢
0x3917...66ce
3h ago
In
3,194 ETH
🟢
0xd746...e7f7
3h ago
In
331,956 DOGE
🔵
0xb6b9...9a5f
12h ago
Stake
5,433,700 DOGE
News

The 28.8 Million Query Heist: Distillation as the New Oracle Manipulation

Pomptoshi

The ledger does not lie, only the operators do. On February 7, Anthropic posted a number: 28.8 million. That is the volume of API calls it attributes to Alibaba’s Qwen lab. Not a benchmark run. Not a load test. A systematic extraction of Claude’s output distribution. A distillation heist, masked as legitimate traffic. The AI industry has its first major proof of concept for a vulnerability I have been forecasting since my 2022 audit of the Ethereum Merge: if you sell inference, you are selling the keys to your vault. And the cost of breaking in is a fraction of the cost of building the vault.

The 28.8 Million Query Heist: Distillation as the New Oracle Manipulation

Context The accusation is straightforward: between September and November 2026, Alibaba’s Qwen lab executed 28.8 million queries against Anthropic’s Claude API. The queries followed patterns consistent with knowledge distillation—repeated inputs, systematic probing of edge cases, and a request distribution designed to replicate the teacher model’s probability surface. Anthropic detected the anomaly, blocked the account, and went public. The target model was not specified, but the scale suggests a frontier model, likely Claude 3.5 or 4. The industry response has been muted, a mix of denial and acknowledgment that this is the inevitable next chapter in the API-economy playbook.

This is not a new technique. Distillation has been used for years to compress models or transfer knowledge to smaller architectures. What is new is the adversarial framing: using a competitor’s paid API to clone their core IP. The cost asymmetry is staggering. At Anthropic’s standard enterprise rates, 28.8 million queries could cost anywhere from $30,000 to $400,000 depending on tier and region. Against the estimated $400 million+ spent training a frontier model, that is a rounding error. The attackers paid for electricity. The defenders paid for the entire power plant.

Core Let me dissect this like a smart contract audit. The technical vector is simple: query the teacher model with a diverse input set, capture the output logits or token probabilities, and use those to train a student model. The student learns to mimic the teacher’s distribution, often achieving 90-95% of the teacher’s performance at a fraction of the computational cost. There is no code theft. No parameter extraction. Only behavioral cloning through the API surface. The entire attack is a cryptographic oracle manipulation.

First, the cost asymmetry is structural. In blockchain terms, this is a flash loan in slow motion. The attacker borrows inference capacity, extracts value, and repays the principal with a small fee. The lender (Anthropic) bears the compute cost without capturing the value of the knowledge transfer. My 2024 analysis of Optimistic Rollup fraud proofs revealed a similar pattern: the cost of mounting a fraudulent withdrawal was asymmetrically lower than the cost of verifying every block. The solution was economic bonding. Here, no bond exists. Anthropic cannot demand collateral from its users without breaking the API business model.

Second, detection is harder than prevention. Anthropic claims to have identified the attack through query-pattern analysis. But detection is probabilistic, not deterministic. False positives are inevitable. Legitimate users with high query volumes—researchers, aggregators, or large-scale evaluators—could trigger the same alarms. The line between benign benchmarking and malicious distillation is a gradient defined by intent, a variable that cannot be logged. My experience auditing the FTX balance sheet in 2022 taught me that opacity in process is the enemy of accountability. Without a transparent attestation of query intent, every large-scale API user is a suspect.

Third, the geographic signal is misleading. The queries originated from IP ranges associated with Alibaba Cloud data centers. That proves nothing about corporate sponsorship. A single rogue team within Qwen, or even an external actor hijacking compute credits, could generate the same pattern. In my 2025 analysis of autonomous AI-agent liability, I identified the critical failure point: attribution. When a decision—or an action—has no clear human principal, legal and technical accountability collapses. This distillation attack suffers from the same ambiguity. Is Alibaba the entity? Or is it a third party using Alibaba’s infrastructure as a proxy?

Let me benchmark the economics. Training a frontier model like GPT-4 is estimated to require 10,000-25,000 GPU-months and cost $100-$500 million. Distillation of the same model through 28.8 million queries (at roughly 0.5 cents per query for a 1000-token output) costs at most $144,000. The ratio of capital efficiency is 1:3,000. The attacker gets 95% of the model’s intelligence for 0.03% of the cost. In any market, such asymmetries attract exploiters. The only reason this is news is that the industry has been living on trust, not verification.

The 28.8 Million Query Heist: Distillation as the New Oracle Manipulation

Silence in the code is a bug waiting to happen. Anthropic’s API had no rate-limit adaptation, no behavioral fingerprinting, no economic disincentive for repetitive query patterns. The attacker exploited the absence of a circuit breaker. This is not a failure of AI security; it is a failure of incentives. Anthropic had the data to detect the anomaly earlier, but the cost of building a real-time distillation detector was not prioritized. The bug was in the governance, not the architecture.

Contrarian For all the alarmism, the bulls have a point. Distillation is not inherently malicious. It is a legitimate technique for democratizing AI, reducing inference costs, and enabling on-device models. The open-source community uses it daily. The accusation by Anthropic, if proven, only confirms that closed-source APIs are inherently leaky. The contrarian view: this incident is the strongest argument yet for open-weight models and distributed inference. If a central point of knowledge extraction can be gamed, the solution is to eliminate the central point. Let the model weights be public, and let the market compete on refinement, not secrecy.

I have some sympathy for this argument but only up to a point. In my 2026 work on AI-agent liability standards, I found that decentralization without accountability is chaos. Open weights reduce the barrier to copying but also eliminate the traceability of the original creator. If Qwen distilled Claude, the output is a derivative. Who is liable when that derivative model generates a harmful output? The original trainer? The distiller? The user? The legal fog is thicker than a zk-SNARK. The bulls ignore that distillation, like forking an open-source project, carries no guarantee of safety alignment. The student model inherits the teacher’s latent biases and vulnerabilities, often without the corresponding safety fine-tuning. The result is a model that is smart but unaligned, dangerous in the wrong hands.

History is the only reliable audit trail. The contrarian critique that APIs are inherently insecure is accurate, but the solution is not to abandon closed sources. It is to build better detection and deterrence. The same bulls who cheer distillation as liberation will be the first to demand regulation when their own model is cloned. The incident is a reminder that intellectual property in AI is a spectrum, not a binary. Proving copying requires probabilistic inference, not a signature. Until the industry agrees on standards for training provenance—perhaps through cryptographic hashing of inference transcripts or on-chain timestamping of model outputs—every API call is a potential leak.

Takeaway Proof is cheaper than trust, yet still ignored. The AI industry can learn from blockchain infrastructure. Implement query bonding: require users to stake tokens that are slashed if behavioral analysis indicates malicious extraction. Publish query-level anonymized logs to a verifiable ledger for independent audit. Standardize a “consumption proof” that allows legitimate large-scale users to attest their intent without revealing proprietary data. Without these structural changes, the 28.8 million query heist will be remembered not as an anomaly, but as the opening salvo in a war of cost arbitrage. The ledger does not lie. The question is whether Anthropic—and every other API provider—will start reading it before the next heist goes public.

Silence in the code is a bug waiting to happen. This bug has no patch. Only a protocol.

The 28.8 Million Query Heist: Distillation as the New Oracle Manipulation

Fear & Greed

25

Extreme Fear

Market Sentiment

Gas Tracker

Ethereum 28 Gwei
BNB Chain 3 Gwei
Polygon 42 Gwei
Arbitrum 0.5 Gwei
Optimism 0.3 Gwei

💡 Smart Money

0x20f9...eb37
Arbitrage Bot
+$1.0M
90%
0x0aa2...ad68
Experienced On-chain Trader
+$4.8M
82%
0x719d...0159
Early Investor
+$0.8M
81%