On 24 June, The 5:21 PM Proof documented what happened when the US Commerce Department instructed Anthropic to pull Fable 5 and Mythos 5 from global access with 90 minutes' notice. Regular readers will remember the argument: that sovereign infrastructure demands sovereign discipline, and that the organisations which discovered this on a Friday evening at 5:21 PM Eastern Time were the ones that had not built for it.
Since that piece published, the public record has become less incomplete. What has emerged reframes the June 12 directive -- not in a way that changes the sovereignty conclusion, but in a way that makes it considerably sharper.
The cave was not broken into on 12 June. It had been systematically emptied for the six weeks before the letter arrived.
Anthropic's own statement, published at the moment of the shutdown, is precise about what the government told them. The stated rationale was a narrow, non-universal jailbreak: asking the model to read a specific codebase and identify software vulnerabilities. Anthropic reviewed it. They concluded the capability level demonstrated was already available from other public models, including OpenAI's GPT-5.5. They complied with the directive. They also said, on the record, that they disagreed with it -- that applying this standard consistently across the industry would "essentially halt all new model deployments for all frontier model providers."
That is what the government cited. That is the proximate cause of the 5:21 PM shutdown.
It was not the whole picture.
On 10 June -- two days before the directive -- Anthropic sent a formal letter to senior members of the US Senate Banking Committee, including Chair Tim Scott and Ranking Member Elizabeth Warren, and to White House officials. Bloomberg broke the story on 25 June. Reuters, Nikkei Asia, and InfoWorld subsequently verified the details.
The letter described an industrial-scale capability extraction operation. Between 22 April and 5 June 2026, operators linked to Alibaba's Qwen AI lab had conducted 28.8 million exchanges with Claude through approximately 25,000 fraudulent proxy accounts, circumventing geographic restrictions and terms-of-service controls. The campaign began the day after the White House Office of Science and Technology Policy issued a memo warning foreign entities against adversarial distillation. Anthropic characterised it as the largest known model-extraction attack in their history -- dwarfing the combined scale of earlier campaigns they attributed to DeepSeek (150,000 exchanges), Moonshot AI (3.4 million), and MiniMax (13 million).
The target was not general capability. The campaign specifically went after Claude's software engineering and agentic reasoning pipelines -- the same capabilities that the jailbreak subsequently surfaced as a concern. Adversarial distillation at this scale does not steal model weights. It harvests reasoning paths, maps blind spots, and replicates capability without the safety guardrails that constrained the original. AI analysts including TechInsights and Greyhound Research noted that Alibaba had effectively reverse-engineered Claude's internal reasoning architecture across tens of millions of queries -- at a fraction of the R&D cost of building it independently.
By mid-2026, independent benchmarking firm Epoch AI reported that Chinese open-weight models -- anchored by Qwen 3.5 and DeepSeek V4 Pro -- lagged Western proprietary front-runners by an average of three months. The narrowest capability gap in the history of LLM development. The 25,000 accounts were part of the reason why.
The Senate letter arrived on 10 June. The directive arrived on 12 June. Whether those two events are causally linked or merely adjacent is not established in the public record. What is established is that three independent threat vectors converged in the same 48-hour window: systematic capability theft at industrial scale, a validated code-level jailbreak, and the classified NSA red-team findings under Project Glasswing that Senator Mark Warner relayed publicly -- that General Joshua Rudd had told lawmakers Mythos had penetrated almost all of the NSA's classified test systems in hours, not weeks.
Governments do not usually act on one data point. The directive arrived when three of them landed simultaneously.
On 26 June -- exactly 14 days after the shutdown -- Commerce Secretary Howard Lutnick partially lifted the ban. Mythos 5 was reinstated for approximately 100 vetted US corporations and federal agencies, restricted to defensive cybersecurity applications. Fable 5 remains offline. GPT-5.6 Sol launched simultaneously under a government-approved preview requiring individual administration vetting.
The models that ran the extraction campaign are unaffected by any of this.
Qwen 3.5 and DeepSeek V4 Pro ship under open weights with permissive licences. No Commerce Department letter reaches them. They are already running on infrastructure outside Washington's jurisdiction -- including, quite possibly, infrastructure that organisations outside the United States migrated to on the evening of 12 June when the US-controlled alternative went dark. The administration's response to a Chinese capability theft campaign has been to gate US models behind government vetting while Chinese open-weight models accumulate developer mindshare globally, unconstrained.
The kill-switch works on closed models. It is structurally toothless against open weights. Washington locked the door after the cave had already been emptied.
The sovereignty argument in The 5:21 PM Proof does not require the causal chain to be tidy. It requires only that the outcome be real: on 12 June, at 5:21 PM, a commercial vendor's compliance obligation became your access policy. That happened regardless of whether the Alibaba campaign, the jailbreak, or the NSA findings drove it. The infrastructure that was pulled was pulled. The organisations that depended on it discovered the dependency at the worst possible moment.
What the fuller picture adds is a second layer. The June 12 directive was a response to a capability extraction campaign that had already succeeded. The model that was locked down had already been partially replicated, without safety constraints, in a jurisdiction that answers to a different sovereign. The organisations now on a waiting list for Mythos 5 restoration are waiting for access to a model whose most distinctive reasoning capabilities have already been harvested and redistributed.
Sovereign infrastructure does not solve the capability gap. The gap between Mistral Small 24B and Fable 5 is real, and it did not close on 12 June. What sovereign infrastructure solves is the 5:21 PM problem -- the discovery, on a Friday evening, that your operational dependency answers to someone else's compliance obligation.
The cave is open. The thieves are not coming back for more. The question is which infrastructure your organisation is built on, and whose letter it answers to.
Cross-reference: The 5:21 PM Proof · The Theatre Pulldown · The Bomb They Built · The Third Option No One Is Talking About · The Control Plane Trap
The Sovereign Auditor covers digital sovereignty, cybersecurity governance, and data protection policy—with particular focus on Isle of Man jurisdiction and Crown Dependency issues.
Payments via PayPal. Credentials delivered by email. No Substack. No Stripe. No middlemen.
