cd /news/ai-safety/alibaba-bans-claude-code-after-anthr… · home topics ai-safety article
[ARTICLE · art-47029] src=thenextweb.com ↗ pub= topic=ai-safety verified=true sentiment=↓ negative

Alibaba bans Claude Code after Anthropic is caught tracking Chinese users with hidden code

Alibaba banned employees from using Anthropic's Claude Code after security researchers discovered hidden steganographic code that tracked Chinese users by timezone and proxy settings. The ban follows Anthropic's accusation that Alibaba ran the largest known distillation attack on its models, using 25,000 fraudulent accounts to generate 28.8 million exchanges.

read5 min views3 publishedJul 3, 2026
Alibaba bans Claude Code after Anthropic is caught tracking Chinese users with hidden code
Image: Thenextweb (auto-discovered)

TL;DR

Alibaba banned Claude Code after security researchers found Anthropic had embedded steganographic tracking code to identify Chinese users. The ban follows Anthropic’s accusation that Alibaba ran the largest known distillation attack on its models.

Alibaba has banned its employees from using Claude Code, Anthropic’s AI-powered coding agent, after security researchers discovered that the tool contained hidden code designed to identify Chinese users. The ban, effective 10 July, follows weeks of escalating conflict between the two companies over allegations that Alibaba stole Anthropic’s AI capabilities through industrial-scale distillation.

As Claude Code was recently discovered to carry back-door risks, after comprehensive evaluation, Claude Code has now been added to a list of high-risk software with security vulnerabilities,” Alibaba said in an internal notice reported by the South China Morning Post. The company recommended employees use Qoder, its own coding agent platform, as a substitute.

How the tracking worked

A Reddit user identified as LegitMichel777 reverse-engineered Claude Code on 30 June and found obfuscated code that had been silently present since version 2.1.91, released on 2 April, with no mention in the release notes. The code checked whether a user’s system timezone was set to Asia/Shanghai or Asia/Urumqi and scanned proxy URLs against a hardcoded list of Chinese domains and AI lab addresses.

Rather than logging the results conventionally, the system used steganography to hide its signals in the system prompt sent back to Anthropic’s servers. If the timezone was Chinese, the date format changed from dashes to slashes, and the apostrophe in “Today’s date is” was swapped with one of three visually identical but technically distinct Unicode characters depending on which flags were triggered.

The alterations are invisible to human users and potentially even to the AI model itself, but they are machine-parseable by Anthropic’s servers. Portions of the detection code were XOR-obfuscated with the key 91, a technique used to prevent plain-text extraction during code analysis.

Anthropic’s response

Thariq Shihipar, an Anthropic engineer on the Claude Code team, said on X that the tracking was “an experiment we launched in March that was meant to prevent account abuse from unauthorised resellers and protect against distillation.” He said the team had been “meaning to take this down for a while” and that the pull request to remove it was merged on 1 July.

The rollback coincided with the restoration of Anthropic’s Fable 5 and Mythos 5 models, which the US Commerce Department had ordered the company to disable for all foreign nationals in mid-June after Amazon researchers found a jailbreak vulnerability. The export controls were lifted on 30 June, and Anthropic restored access on 2 July, saying it would “scale up government collaboration” on frontier AI security.

The distillation backdrop

Anthropic’s justification for the tracking code sits within a broader campaign against what it calls systematic theft of its models’ capabilities. In a letter to the US Senate Banking Committee on 10 June, the company accused operators affiliated with Alibaba’s Qwen AI lab of running the largest known distillation attack on Claude, using roughly 25,000 fraudulent accounts to generate 28.8 million exchanges between April and June.

Alibaba has denied the accusation. Anthropic had previously named DeepSeek, Moonshot AI, and MiniMax in February as perpetrators of similar campaigns, framing distillation as an existential threat to the business models of frontier AI companies.

Distillation, the practice of using a powerful model’s outputs to train a smaller one, occupies a grey area in AI development. Asian AI startups have launched alternatives to Anthropic’s models partly because the export ban on Fable 5 and Mythos 5 left a gap in the market, making the line between legitimate competition and illicit extraction increasingly difficult to draw.

The developer trust problem

Claude Code requires deep access to a developer’s local file system to read, modify, and execute code, meaning any hidden functionality in the tool effectively has access to everything on the machine. Huorong Security, a Chinese cybersecurity firm, said Anthropic’s tracking was not only a transparency issue but also raised cross-border data compliance concerns.

Today it’s a timezone check, tomorrow it could be system sabotage or data exfiltration,” one Reddit user wrote. Anthropic’s privacy policy states that it collects the kind of data in question, but critics argue the steganographic method, designed to be invisible to users, crosses a line that a standard privacy disclosure does not.

The bigger picture

The episode accelerates China’s push to reduce reliance on American AI tools, which Chinese firms increasingly view as carrying legal, security, and operational risks. Alibaba has been building out its own AI stack aggressively, integrating its Qwen models across products from e-commerce to robotics, and the Claude Code ban gives it further justification to push employees toward domestic alternatives.

Lizzi Lee, a fellow at the Asia Society Policy Institute’s Centre for China Analysis, said the conflict showed how the US-China AI competition has moved beyond technology into access control and sovereignty. “If a US AI coding tool can detect Chinese usage or proxy access, then it’s not surprising for major Chinese tech companies to not want employees using it internally,” she said.

Anthropic’s models have long been officially inaccessible in China, but they remain popular among domestic developers who use workarounds to maintain access. Whether the tracking controversy pushes more of them toward Chinese alternatives or simply confirms what many already suspected about the risks of depending on American AI tools is a question that extends well beyond Alibaba.

── more in #ai-safety 4 stories · sorted by recency
── more on @alibaba 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/alibaba-bans-claude-…] indexed:0 read:5min 2026-07-03 ·