AI Weekly Issue 507: Anthropic says Alibaba stole 29 million conversations with Claude

Source: https://aiweekly.co/issues/anthropic-says-alibaba-stole-29-million-conversations-with
Summary:
Anthropic accuses Alibaba of industrial-scale model theft, evidence handed to the White House
This week the "war" between AI labs escalated on every front. Anthropic publicly accused operators tied to Alibaba's Qwen lab of using roughly 25,000 fraudulent accounts to pull nearly 29 million conversations out of Claude between April and June, systematically harvesting its core software engineering and agentic reasoning capabilities. Anthropic calls it the largest "distillation attack" ever aimed at Claude and has written to the White House and US senators about it. It is the first time Anthropic has publicly named a Chinese tech giant as the party behind a model-theft campaign.
The talent war is equally heated. Core members of Google's Gemini team left for Anthropic within six days, including Jonas Adler and Alexander Pritzel, both regarded as key contributors. Analysts note that Anthropic is after more than headcount: it wants their understanding of how Google's flagship model works under the hood.
The AI supply chain under siege
On the security research side, Novee Security found that more than 300 of the world's highest-impact code repositories (out of roughly 30,000 scanned) can be attacked by anyone holding nothing more than a free GitHub account. In Microsoft's Azure Sentinel repository, an anonymous comment on a pull request could execute code and steal a non-expiring GitHub App key; in the sample code for Google's AI Agent Development Kit, a single malicious pull request could take full ownership of the linked cloud project. Apache, Cloudflare and the Python Software Foundation are affected as well.
A subtler risk comes from social media. Cornell researchers showed that planting a 13-word snippet on Reddit or Wikipedia is enough to systematically steer the AI search results of ChatGPT and Google into repeating spam or scam content.
The regulatory hammer is about to fall
Article 50 of the EU AI Act takes effect on August 2. From then on, chatbots must tell users they are talking to an AI and deepfakes must be labeled as AI-generated; this covers every generative AI system, not only high-risk applications. The European Commission has published draft guidelines, leaving companies only weeks to comply.
Ironically, in the same week someone used an AI bot to mass-submit fake opposing comments to California's air regulators and succeeded in getting a plan to phase out gas appliances shelved. Twenty-two state and local officials are now asking the attorney general to investigate.
The truth about AI "taking jobs": engineers are still scarce
SignalFire's talent report shows that engineering hiring at major tech firms is down only 11% from 2019, far less than the 25% drop across all roles. Engineers now make up 55% of new hires and have the lowest attrition. The so-called "AI code apocalypse" has not arrived; instead, front-line customer service, clerical and other "gateway" jobs that require no degree are hit first, with about 11 million such positions at risk of being replaced by AI.
The real winners: chip and memory makers
While the AI labs trade accusations and fight among themselves, the ones actually making money are the "shovel sellers". Micron just posted its best quarter ever: $41.5 billion in revenue and an 84.9% gross margin, with its high-bandwidth memory sold out, more than $1 billion of next-generation HBM4 already shipped, and next-quarter guidance of $50 billion. Qualcomm set a $15 billion data-center chip sales target for 2029 and unveiled a 250-core server CPU. SambaNova is reportedly raising $1 billion at a $10 billion valuation, five times its February valuation.
Meanwhile, 404 Media reports that companies such as Uber burned through a full year's AI budget within months and were forced to cap employee access to tools like Claude Code. The AI labs are still searching for a sustainable business model while the chip and memory vendors are already collecting.
English source:
Anthropic accused Alibaba of running 25,000 fake accounts to pull nearly 29 million conversations out of Claude — then took the evidence to the White House. That was just the opening shot in a week the labs spent at war with everyone, including each other: poaching Google's top Gemini minds, watching their own developer tools get pried open by anonymous strangers, and staring down Europe's August disclosure deadline. The twist? The only companies cleanly printing money this week sell memory and silicon — not models.
Sponsor
Move from one-off evals to repeatable agent validation.
Spec27 helps teams define how an AI agent should behave, test against those expectations, and understand where behaviour breaks across realistic scenarios.
Quick Hits
The Lab Gladiator Era
- Anthropic accuses Alibaba of the largest distillation attack ever aimed at Claude — In a letter to the White House and US senators, Anthropic says operators tied to Alibaba's Qwen lab used roughly 25,000 fraudulent accounts to run nearly 29 million exchanges against Claude between April and June, systematically harvesting its most valuable skills — software engineering and agentic reasoning — through what it calls "adversarial distillation." It's the first time Anthropic has publicly named a major Chinese tech giant as the source of a model-theft campaign. [CNBC]
- Google is losing its Gemini brain trust to Anthropic — four senior exits in six days — Jonas Adler and Alexander Pritzel, both viewed internally as key contributors to Gemini, are set to leave for Anthropic — days after DeepMind's John Jumper went to Anthropic and Noam Shazeer left for OpenAI. Google can match the salary; it can't match the pre-IPO equity at a startup about to go public. Anthropic isn't just hiring people, it's buying the knowledge of how Google's flagship model works. [TechCrunch]
AI Supply Chain Under Siege
- One anonymous pull request can hijack 300+ of the world's biggest code repos — Researchers at Novee Security scanned about 30,000 high-impact GitHub repositories and found more than 300 fully exploitable by any outsider holding nothing more than a free GitHub account — a pattern they call "Cordyceps." In Microsoft's Azure Sentinel repo, an anonymous comment on a pull request could execute code and steal a non-expiring GitHub App key; in Google's AI Agent Dev Kit samples, a single malicious PR granted full ownership of the linked cloud project. Apache, Cloudflare and the Python Software Foundation are affected too. [The Hacker News]
- A 13-word Reddit post can quietly poison ChatGPT and Google's AI answers — Cornell researchers showed that a snippet as short as 13 words, planted on Reddit, Wikipedia or Quora, can reliably steer AI search agents into repeating spam or scam content. The exposure is structural: the deep-research modes behind ChatGPT and Google cite user-generated pages in roughly half their answers, and about a quarter of all their citations come from that content. Shared this week by 11 of the AI experts we track. [404 Media]
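The newsletter does not say which workflow misconfiguration each Novee finding relied on. The outcomes it describes (an anonymous PR comment executing code with a long-lived secret in reach; a single PR taking over a linked cloud project) are the classic results of two GitHub Actions anti-patterns: a privileged trigger such as `pull_request_target` or `issue_comment` that checks out the contributor's code, and a shell step that interpolates attacker-controlled event fields through `${{ }}`. The checker below is an added example written for this page, not code from the newsletter, Novee Security or any affected project; it assumes those two classes are the mechanism, which the page does not confirm. Workflows are represented as the dicts PyYAML's `safe_load` would return, and the three sample workflows are constructed for the example (they are not the real Azure Sentinel or ADK workflows).

```python
"""Audit GitHub Actions workflows for 'pwn request' patterns.
Added example; not code from the newsletter or any affected project.  Flags
workflows that run on events an outside contributor can trigger and that
either check out the contributor's code or interpolate contributor-controlled
event fields into a shell step.  Workflows are in the dict form PyYAML's
safe_load returns; the samples are constructed, not real project files."""
import re

# Events an untrusted contributor can fire that run with the base repo's
# secrets and, unless restricted, a write-capable GITHUB_TOKEN.
PRIVILEGED_EVENTS = {"pull_request_target", "issue_comment", "workflow_run",
                     "pull_request_review", "pull_request_review_comment"}

# Payload fields an outsider controls.  ${{ }} is expanded into the script
# text before the shell runs, so quoting inside the script does not help.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*github\.event\.(?:comment\.body|issue\.(?:title|body)"
    r"|pull_request\.(?:title|body|head\.(?:ref|label)|user\.login)"
    r"|review\.body|workflow_run\.head_branch)\s*\}\}")
# Checkout refs that pull the PR author's code into the privileged job.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")


def triggers(wf):
    """Trigger events of a workflow.  PyYAML (YAML 1.1) loads the bare key
    `on:` as boolean True, so look under both spellings."""
    on = wf.get("on", wf.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()


def audit_workflow(wf):
    """Return a list of (finding, job, step_index) for one workflow."""
    findings = []
    priv = triggers(wf) & PRIVILEGED_EVENTS
    if not priv:
        return findings  # a plain pull_request from a fork gets no secrets
    if wf.get("permissions") in (None, "write-all"):
        findings.append(("no restrictive top-level permissions", "-", -1))
    for job_name, job in (wf.get("jobs") or {}).items():
        for i, step in enumerate(job.get("steps") or []):
            ref = str((step.get("with") or {}).get("ref", ""))
            if (step.get("uses", "").startswith("actions/checkout")
                    and PR_HEAD_REF.search(ref)):
                findings.append(("checks out untrusted PR head under "
                                 + ",".join(sorted(priv)), job_name, i))
            m = UNTRUSTED_EXPR.search(step.get("run", ""))
            if m:
                findings.append(("shell step interpolates " + m.group(0),
                                 job_name, i))
    return findings


# Constructed sample: a comment-triggered bot that pastes the comment into a
# shell command while holding a long-lived key (expression injection).
COMMENT_BOT = {
    True: {"issue_comment": {"types": ["created"]}},  # `on:` as PyYAML loads it
    "jobs": {"bot": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": 'echo "${{ github.event.comment.body }}" | ./bot/handle.sh',
         "env": {"APP_PRIVATE_KEY": "${{ secrets.APP_PRIVATE_KEY }}"}}]}}}

# Constructed sample: pull_request_target job that builds the PR author's tree
# with a cloud credential in scope, so any build hook runs as the repo.
PR_DEPLOY = {
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "permissions": "write-all",
    "jobs": {"deploy": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm ci && npm run deploy",
         "env": {"CLOUD_SA_KEY": "${{ secrets.CLOUD_SA_KEY }}"}}]}}}

# Constructed sample: the comment bot hardened.  Untrusted text reaches the
# script only through an environment variable, and the token is read-only.
COMMENT_BOT_FIXED = {
    True: {"issue_comment": {"types": ["created"]}},
    "permissions": {"contents": "read"},
    "jobs": {"bot": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "printf '%s\\n' \"$COMMENT\" | ./bot/handle.sh",
         "env": {"COMMENT": "${{ github.event.comment.body }}"}}]}}}


def audit_all(workflows):
    """Audit a {name: workflow} map; returns only workflows with findings."""
    return {name: f for name, wf in workflows.items()
            if (f := audit_workflow(wf))}


if __name__ == "__main__":
    samples = {"bot": COMMENT_BOT, "deploy": PR_DEPLOY, "fixed": COMMENT_BOT_FIXED}
    for name, found in audit_all(samples).items():
        for what, job, step in found:
            print(f"{name}: job={job} step={step}: {what}")
```

To run it against a real repository, load each file under `.github/workflows/` with `yaml.safe_load` and pass the dict to `audit_workflow`; the `True`-key handling is there because PyYAML reads a bare `on:` as a boolean. The checker is deliberately noisy: it reports every checkout of the PR head under a privileged trigger, since whether that is exploitable depends on which secrets and token scopes the job can reach, and it reports a missing top-level `permissions` block because the default token scope is a repository setting the workflow file alone cannot vouch for.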
The Year Governments Got Serious
- Europe's AI transparency law goes live August 2 — every chatbot and deepfake must say so — From August 2, the EU AI Act's Article 50 forces providers to tell users when they're talking to an AI, and deployers to label AI-generated or manipulated images, audio, video and public-interest text as artificial. It applies to every generative system, not just high-risk ones — and the Commission's just-published draft guidelines are the playbook companies have weeks to implement. [European Commission]
- An AI bot flooded California air regulators with fake public comments — and won — Tens of thousands of emails opposing a plan to phase out gas furnaces and water heaters poured into Southern California's air-quality district, many of them generated by an AI platform run by a consultant tied to a firm whose clients include the local gas utility's parent. The board scrapped the plan; now 22 state and local officials want the attorney general to investigate. [GovTech]
The AI Capex Tax
- AI was supposed to kill engineering jobs. The data says the opposite — SignalFire's State of Talent report finds engineering hiring at major tech firms is down just 11% from 2019, versus a 25% drop across all roles — and engineers now make up 55% of those companies' hires, up from 46%. They're hired fastest and quit least. The "AI code apocalypse" hasn't arrived; the squeeze is landing on everyone around the engineers instead. [TechCrunch]
- AI is coming for the 11 million 'gateway jobs' that don't require a degree — A new Opportunity@Work and Brookings analysis warns that 11 million US "gateway jobs" — the customer-service, clerical and coordinator roles that let workers without a four-year degree climb into the middle class — are now the ones most exposed to AI automation. As frontier labs spare senior engineers, the ladder underneath them is the part getting pulled away. [Opportunity@Work]
The Gold Rush Pays the Shovel Sellers
While the labs spent the week accusing each other of theft and poaching each other's staff, the companies actually banking the AI boom barely made the front page.
Micron just posted its best quarter ever: $41.5 billion in revenue and a record 84.9% gross margin, with its high-bandwidth memory — the part every AI accelerator needs — effectively sold out and more than $1 billion of next-generation HBM4 already shipped. It guided next quarter to $50 billion. Qualcomm, long a phone-chip company, used its investor day to set a $15 billion data-center sales target for 2029 and unveil a 250-core server CPU, with Meta as its first named customer. And SambaNova is reportedly raising up to $1 billion at roughly a $10 billion valuation — five times what it was worth in February.
The contrast with the model makers is the story. The same week, 404 Media documented a "Tokenpocalypse" — one of the week's most-shared reads among the AI experts we track: companies like Uber burning through an entire annual AI budget in months, then capping employee access to tools like Claude Code. The labs are still hunting for durable profit. The people selling them memory and silicon already found it.
Key Takeaways
- Model theft is now the lab war's main front. Anthropic isn't suing a rival in court — it's telling Congress a foreign giant industrialized the copying of Claude, while raiding Google for the people who know how Gemini works. The moat is the training data and the talent, and both are under direct attack.
- The thing you build AI on is the soft target. In one week, anonymous strangers could hijack 300+ top code repos and 13 words of Reddit could bend ChatGPT's answers. The tools and data feeding AI agents are far easier to poison than the models themselves.
- Disclosure is becoming law just as gaming the public gets trivial. Europe will require every chatbot and deepfake to identify itself on August 2 — the same week an AI bot quietly swung a US regulatory decision with fake comments. The rules and the abuse are arriving together.
- The sure money is in the middle of the stack. Memory and silicon are sold out at record margins while the labs cap their own staff's AI budgets — and even in the workforce, AI is sparing senior engineers while threatening the 11 million gateway jobs beneath them.
Worth Reading
- Gemini 3.5 Flash can now see and control a screen — Google folded "computer use" — clicking, typing and scrolling across browser, mobile and desktop — directly into its fast Gemini model, available now via the API and its enterprise agent platform, with new guardrails that pause for confirmation on sensitive actions and halt on detected prompt injection. [Google]
- The Constraint Tax: forcing a small model into a schema costs it correctness — A new paper measures the validity-versus-correctness tradeoff when small language models are made to produce schema-valid structured output — quantifying how much semantic accuracy you sacrifice for guaranteed-parseable JSON. [arXiv]
- General-purpose chatbots beat dedicated clinical AI on doctors' real questions — In Nature Medicine, leading general-purpose models outscored two of the top dedicated clinical AI tools on physicians' real-world questions, exposing a gap between regulatory clearance and how these systems actually perform in the exam room. [Nature Medicine]
- ByteDance trained an 8B diffusion language model from scratch — iLLaDA, built with Renmin University on 12 trillion tokens, is a fully bidirectional diffusion LLM that rivals Qwen2.5 7B on several benchmarks — a reminder the open-weight frontier keeps moving, and keeps moving in China. [AI Weekly]
Wait, What?
- Microsoft's celebrated quantum "breakthrough" may be a basic Python error — A new Nature critique by St Andrews physicist Henry Legg argues the topological-qubit result underpinning Microsoft's "working quantum computer by 2029" roadmap rests on omitted data, selective plots, and coding errors — and that a fuller dataset looks more like random noise than proof. Microsoft says it stands by its results. [Slashdot]
- If AI is sentient, then so is "Age of Empires II" — As labs quietly staff up on philosophers to debate machine consciousness, 404 Media offers the reductio: a researcher built a working neural network out of digital goats inside the 1999 strategy game. If a chatbot can be conscious, the argument goes, so can the game AI — and so, for that matter, can Microsoft Word. Shared this week by 8 of the AI experts we track. [404 Media]
This week's poll
Anthropic says Alibaba industrialized the theft of Claude and took it to Washington. Whose problem is this, really?
— Alexis
Article link: https://news.qimuai.cn/?post=4443