
Seriously Risky Business Newsletter

July 02, 2026

Srsly Risky Biz: America Won't Beat the Distillation Ecosystem

Written by

Tom Uren

Policy & Intelligence

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray and Amberleigh Jack. This week's edition is sponsored by Corelight.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Beijing Market, Photo by zhang kaiyv on Unsplash

Last week Anthropic accused Chinese company Alibaba of conducting what it described as the "largest known distillation attack" against the company's AI models. 

Distillation attacks upskill less capable models by training them on the outputs of more advanced ones. Back in February Google, OpenAI and Anthropic all said that Chinese companies were harvesting their proprietary intellectual property in coordinated campaigns.

Alibaba's latest campaign, Anthropic says, occurred from April 22 to June 5 and used more than 25,000 fraudulent accounts to generate 28.8 million exchanges. Anthropic says it was carried out by operators "affiliated with Alibaba and Alibaba Qwen, Alibaba's AI lab". 

These claims were detailed in a letter to US lawmakers which highlighted some of the impacts of the campaign. The letter said the attacks will help Chinese companies achieve advanced "Mythos Preview-level" cyber capabilities sooner, turn "hundreds of billions of dollars in American investment and R&D into a massive subsidy for our geopolitical competitors" and help China's People's Liberation Army. It also described the campaign as "brazen", occurring just weeks after the White House committed to combatting the adversarial distillation of American AI models.

In April, when the US government said it would step up to counter distillation attacks, we were underwhelmed by the actions it proposed. These included information sharing (yawn), facilitating the development of best practices to counter the attacks (double yawn), and "explor[ing] a range of measures to hold foreign actors accountable for industrial-scale distillation campaigns" (zzzzzz). 

In hindsight, that last action is borderline funny. They're committing to exploring measures, but not actually taking them! Clearly these are high-agency people of action! 

But avoiding a commitment to action here might be the safe bet. The distillation campaigns are just an offshoot of a complex grey market economy that provides paying customers in mainland China with access to American AI services. Dismantling this whole ecosystem will be tough.

Zilan Qian has written a profile of this grey market ecosystem for the ChinaTalk substack. In short, an entire supply chain of actors has sprung up to overcome barriers to access for Chinese people who are willing to pay for advanced American models. These barriers include geoblocking, phone verification, credit card requirements and live biometric know-your-customer checks.

A range of different providers register or acquire Anthropic accounts at scale, supply non-Chinese phone numbers for SMS verification, and provide payment infrastructure that lets Chinese customers pay for their tokens with local payment systems.  

Because Chinese users are banned from using American AI services, middlemen in this ecosystem generate fake IDs to overcome know-your-customer requirements. If that fails, agents will even travel to low-income countries to recruit real individuals to complete in-person verification. 

Then there are "transfer stations", API proxies that sit between Chinese end-users and Anthropic's infrastructure. They're like OpenRouter, but designed to obfuscate the origin point of queries. 

This entire ecosystem is financed by a whole range of users, not just AI companies looking to conduct distillation attacks. Users include university professors and students, tech workers, developers, resellers who buy wholesale access and repackage it for individual consumers, and even hobbyists.

Access to Claude via these means is amazingly cheap, too, with Chinese users paying as much as 70% to 90% below official prices. Transfer stations achieve a cost advantage by, among other things, harvesting bulk-registered free sign-up credits and even selling user logs of requests and responses to Chinese model makers for use in distillation.

They'll also divvy up a Max plan's token quota amongst multiple users, or even just lie and short-change customers by charging for frontier models while actually routing requests to cheaper or open weights models.

The take-home message here is that this is a sophisticated and profitable market, and US government disruption efforts will have a limited impact.

Extreme solutions, like the now-abandoned export controls on Anthropic's Mythos and Fable models, probably would have prevented Chinese distillation attacks, but only because they effectively prevented everyone from using the models. 

With controls lifted, Fable is now broadly available, and our bet is that the Chinese AI access grey market is already working to get access for paying Chinese customers. The logs that will fuel distillation attacks are just a happy byproduct.

If the government imposes restrictions below the level of an outright ban, we expect market participants will be able to adjust. There is too much money to be made from AI right now, even in these strange, grey markets. The spice must flow! 

In its letter to lawmakers, Anthropic suggested that the US should "penalise bad behaviour" from Chinese AI labs and notes that "Alibaba is listed on the New York Stock Exchange, maintains business operations in the United States, and is accountable to US investors and regulators". 

Direct action targeting specific companies seems more promising as a deterrent. But this kind of approach runs smack bang into bigger issues, like the entire bilateral trade relationship between the US and China. In mid-June Reuters reported that more than 100 Chinese companies, including AI firm DeepSeek, were slated to be placed on the Commerce Department's Entity List, a trade blacklist. The administration did not follow through in order to avoid escalating tensions with Beijing. 

Unfortunately for American AI companies, the US government just doesn't have the leverage to materially affect the Chinese AI ecosystem, where logs are a wonderful byproduct that power distillation attacks. 

Will the Trump administration risk damaging US-China relations to stop Chinese companies carrying out these attacks? Our Magic 8 Ball says: Outlook not so good.

Jaguar Land Rover Hackers Were… Russian! 

It turns out last year's extremely disruptive hack of Jaguar Land Rover (JLR) was the work of a Russian hacking group, at least according to a New York Times article last week. We're highly sceptical that it was directed by the Russian government, but it doesn't have to come from the top to cause pain to unfriendly states.

The JLR hack was a huge deal. It began on 31 August 2025 and resulted in the company's production lines being shut from September through until mid-October. It is the UK's largest ever hack in terms of financial impact, estimated to have cost the British economy £1.9 billion (USD$2.55 billion) and landed a measurable impact on the UK's economic growth. 

At the time, a group calling itself the Scattered Lapsus$ Hunters claimed responsibility, going so far as to post proof by way of screenshots of internal JLR systems. The group's name is a play on three juvenile hacker collectives, so the logical presumption at the time was that a group of Western teenagers was responsible.

Now, however, the New York Times says this wasn’t the work of wayward kids. According to five people familiar with an investigation into the hack it was, in fact, "Russian hackers". The Times doesn't offer an opinion on whether Scattered Lapsus$ Hunters was also in JLR's systems at this time, or whether the purported group was a front for these Russian hackers.

Details about the attribution are thin, but include that "the attack was different in methodology and motivation" from typical Scattered Spider-style hacks. The Times says that Microsoft had already been tracking the Russian group when they hacked JLR. Shortly after the hack was detected, Microsoft advised the company that the Russian group was responsible. 

The Times also reported that the hackers apparently used novel ransomware with a previously unseen encryption algorithm.

So far, so interesting, but then the Times plays up the possibility that the hack was directed by the Russian government. Its evidence? There was no ransom note, the attack took place "amid an increasingly hostile relationship between Russia and Britain" and the encryption algorithm used was sophisticated and unusual. One unnamed cyber security expert described it as "really, really complicated".

We'd be surprised if Russian state hackers were involved. They do have a war to worry about, after all. There is intelligence to collect and propaganda and cyber-enabled influence operations to run. There's just a lot on their plate.

There is a spectrum of possibilities here, though. At one end of the spectrum sits state-directed operations. At the other end of the spectrum are cyber criminals with no connection to the state whatsoever. In the middle, you have almost unlimited combinations and permutations of criminal and state involvement.

Criminals can be given "top cover" to operate freely as long as they make life painful for Russia's adversaries. They can be encouraged to attack industry sectors or economies the Kremlin wants to damage. They can even be tasked with disrupting a specific organisation.

We don't really know where this attack sits on that spectrum, and that's the entire point. 

This is exactly why Russia is such an enjoyer of these types of grey-zone tactics. They sit below the threshold that warrants a big response, but still inflict real pain. Correctly attributing attacks like these is also a colossal pain in the neck. 

So what can the UK government do about attacks like these? Not all that much! Russia is already sanctioned up the wazoo and is in the midst of a grinding war.

Given the absolute lack of downside for the Russians, we're frankly surprised we don't see more of this sort of thing.

Watch James Wilson and Tom Uren discuss this edition of the newsletter:

Three Reasons to Be Cheerful This Week:

  1. Access to Anthropic's Fable restored: Anthropic announced on Tuesday that US government export controls on its Fable 5 and Mythos 5 models had been lifted and that customer access to the models will be restored. We hope that this is a step towards normalising the company's relationship with the government.  
  2. Cellphone geolocation searches will need warrants: The US Supreme Court has ruled that law enforcement agencies require a warrant when they ask companies to search their cellphone geolocation information. A previous case had ruled that a warrant wasn't needed, so we think this is a sensible correction. The court punted on what a reasonable and sufficiently tailored warrant would look like.
  3. US strikes scam compound cloud infrastructure: The US Department of Justice announced it had seized cloud computing infrastructure used by the Huione Group, a Cambodia-based conglomerate involved in scam compounds and criminal marketplaces. The infrastructure was used by the group for money laundering, according to the DoJ. The Treasury also announced further sanctions on the group.

Sponsor Section

In this Risky Business sponsor interview, James Wilson chats with Corelight's VP of Product Vijit Nair about defence strategies for the AI era. When agents can find and exploit vulnerabilities at machine speed, you need to strike a balance between proactive and reactive measures. On the proactive side, you need modelling of assets and threats. On the reactive side you'll need telemetry so you can act quickly if a threat becomes a reality.

Corelight makes NDR hardware that runs a heavily optimised version of the Zeek network monitoring tool. Combined with its Agentic Triage product, customers can detect threats in their networks, and monitor the effectiveness of their mitigation strategies.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss whether cyber organisations should be separated from Signals Intelligence organisations. 

Or watch it on YouTube!

From Risky Bulletin:

Researcher drops giant cache of zero-day exploits: An anonymous security researcher going online by the pseudonym of Bikini has published proof-of-concept exploit code and detailed write-ups for more than a dozen zero-day vulnerabilities in popular open-source projects.

The exploits were published without notifying any of the vendors.

They impact 15 software projects, including some big names like the Linux kernel, Libssh2, Anydesk, FFmpeg, Gogs, Gitea, Ghidra, 7-Zip, MyBB, PHP, OpenVPN, the VLC player, and more.

[more on Risky Bulletin]

Microsoft disrupts StegoAd operation: Microsoft's security team has removed 119 malicious Edge extensions from the official Microsoft Edge Add-ons store that were part of a coordinated operation that sought to steal user credentials, backdoor browsers, and engage in advertising and search affiliate fraud.

The extensions were published through 90+ different developer accounts but shared infrastructure, parts of their codebase, and heavily relied on steganography to hide malicious commands and code.

The StegoAd operation, as Microsoft called it, also had Chrome and Firefox extensions under its umbrella.

[more on Risky Bulletin]

Law enforcement agencies and security firms take down Amadey and StealerC: A Europol operation aimed at taking down cybercrime operations has added two new victims to its trophy wall in the Amadey malware loader and the StealC infostealer operation. (Technically three, but we already covered the SocGholish botnet takedown last week, so we're gonna pretend it's two.)

The takedown included seven law enforcement agencies (from Europol, Canada, Denmark, Germany, the Netherlands, the UK, and the US) and six security firms (Microsoft, Bitsight, ESET, IBM, Proofpoint, MBSD, and Pillsbury).

Takedown figures include 326 servers, 142 domains, and more than $47 million in illegal cryptocurrency profits.

[more on Risky Bulletin]

© Risky Business Media 2007–2026. All rights reserved.
ABN 73 618 465 517