
TL;DR
Alibaba banned Claude Code after security researchers discovered that Anthropic was embedding a stegographic tracking code to identify Chinese users. The ban comes after Anthropic accused Alibaba of carrying out the largest known distillation attack on its models.
Alibaba has banned its employees from using Claude Code, Anthropic’s AI-powered coding agent, after security researchers discovered the tool contained secret code designed to identify Chinese users. The ban, which came into effect on July 10, will apply from now on conflict between the two companies has been escalating for weeks Because of allegations that Alibaba stole Anthropic’s AI capabilities through industrial-scale distillation.
“After a thorough evaluation, Claude Code has now been added to the list of high-risk software with security vulnerabilities because Claude Code was recently discovered to carry backdoor risks.“Alibaba said in an internal notice reported by the South China Morning Post. The company advised its employees to use Coder, its coding agent platform, as a replacement.
How tracking worked
Reddit user LegitMichel777 reverse-engineered Claude Code on June 30 and found the mangled code, which had been silently available since version 2.1.91, released on April 2, without any mention in the release notes. The code checked whether the user’s system time zone was set to Asia/Shanghai or Asia/Urumqi and scanned proxy URLs against a hard-coded list of Chinese domains and AI lab addresses.
Rather than conditionally recording the results, the system used steganography to hide its signals in the system query sent back to Anthropic’s servers. If the time zone was Chinese, the date format would be dashes to slashes, and the apostrophe would be “Today is the date” was replaced by one of three visually identical but technically different Unicode characters, depending on which flags were enabled.
The changes are invisible to human users and potentially even the AI model itself, but they are machine analyzed by Anthropic’s servers. It was parts of the fix code XOR – Mixed with 91 keya technique used to avoid plain text extraction during code analysis.
Anthropic response
Thariq Shihipar, an anthrop engineer at the Claude Code team, said tracking in X “a practice we launched in March to prevent account abuse by unauthorized sellers and protect against distillation.” He is the team’s “means to eliminate it for a while” and a pull request to remove it was merged on July 1st.
It coincided with the retreat Restoration of Anthropic’s Fable 5 and Mythos 5 modelsAfter Amazon researchers discovered the jailbreak vulnerability, the US Commerce Department ordered the company to disable it for all foreign nationals in mid-June. Export controls were lifted on June 30, and Anthropic restored access on July 2, saying it would “enhance government cooperation” on cross-border AI security.
Distillation background
Anthropic’s rationale for tracking code sits within a broader campaign against what it calls the systematic theft of its models’ capabilities. In a letter sent to the US Senate Banking Committee on June 10, the company accused the company of controlling operators affiliated with Alibaba’s Gwen AI lab. the largest distillation attack known Claude using approximately 25,000 fake accounts to generate 28.8 million exchanges between April and June.
Alibaba has denied the accusation. Anthropic previously named DeepSeek, Moonshot AI and MiniMax as perpetrators of similar campaigns in February, citing distillation as an existential threat to the business models of frontier AI companies.
Distillation, the practice of using the results of a powerful model to develop a smaller model, occupies a gray area in AI development. Asian AI startups have released alternatives to Anthropic’s models in part because the export ban on Fable 5 and Mythos 5 created a vacuum in the market and made it increasingly difficult to draw the line between legitimate competition and illegal extraction.
Developer trust issue
Claude Code requires deep access to the developer’s local file system to read, modify, and execute code, meaning that any hidden functionality in the tool effectively has access to everything on the machine. Huorong Security, a Chinese cybersecurity firm, said Anthropic’s tracking was not only a transparency issue but also raised cross-border data compliance concerns.
“Today is a time zone check, tomorrow could be a system sabotage or data leak,One Reddit user wrote. Anthropic’s privacy policy notes that it collects this type of data, but critics argue that the stegographic method, which is designed to be invisible to users, crosses a line where standard privacy disclosures do not cross.
The bigger picture
The episode accelerates China’s push to reduce Chinese firms’ reliance on American artificial intelligence tools, which increasingly carry legal, security and operational risks. Alibaba is aggressively building its AI stackGwen’s integration of models across products from e-commerce to robotics and the Code Claude ban give workers additional reason to push for local alternatives.
Lizzie Li, a fellow at the Center for China Analysis at the Asia Society Policy Institute, said the conflict shows how the US-China AI competition is moving beyond technology to control and sovereignty. “If a US AI encryption tool can detect Chinese usage or proxy access, then it’s no wonder big Chinese tech companies don’t want employees to use it internally.“he said.
Anthropic’s models have long been officially unavailable in China, but they remain popular among local developers who use solutions to protect access. Whether the tracking controversy will push more of them toward Chinese alternatives or confirm what many already suspect about the risks of America’s reliance on AI tools is a question that goes well beyond Alibaba.





