Alibaba prohibits Claude Code due to concealed tracking of Chinese users.
TL;DR: Alibaba prohibited its staff from using Claude Code following the discovery by security researchers that Anthropic had embedded hidden tracking code aimed at identifying Chinese users. This ban comes after Anthropic accused Alibaba of conducting a significant distillation attack on its models.
Alibaba has prohibited its employees from using Claude Code, Anthropic’s AI coding assistant, after security experts found hidden tracking code designed to identify Chinese users. The ban, which took effect on July 10, follows a rising conflict between both companies over allegations that Alibaba appropriated Anthropic’s AI technologies through large-scale distillation efforts.
“Due to the recent discovery of backdoor risks with Claude Code, a thorough evaluation has classified it as high-risk software with security vulnerabilities,” stated Alibaba in an internal memo reported by the South China Morning Post. The company advised its employees to use its own coding platform, Qoder, as an alternative.
Details on tracking functionality
On June 30, a Reddit user named LegitMichel777 reverse-engineered Claude Code and uncovered obfuscated code that had been embedded since version 2.1.91, released on April 2, with no mention in the release notes. This code checked if a user’s system timezone was set to Asia/Shanghai or Asia/Urumqi and scanned proxy URLs against a predefined list of Chinese domains and AI lab addresses.
Instead of logging the results in a standard manner, the system employed steganography to conceal its signals within the system prompt sent back to Anthropic's servers. When the timezone was identified as Chinese, the date format would shift from dashes to slashes, and the apostrophe in “Today’s date is” would be replaced with one of three visually similar but technically different Unicode characters based on the triggered flags.
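A reviewer-side check for the two markers described above (an added example, not code from the article, from Anthropic or from the researcher): it lists every non-ASCII character in an outbound prompt line by code point and Unicode name, and flags a slash-separated date. The function names, the sample lines and the stand-in characters U+2019 and U+02BC are assumptions; the page does not say which three characters were used.

```python
import re
import unicodedata

# Assumption: the unmarked line is plain ASCII with a dash-separated date.
DATE_RE = re.compile(r"\b\d{4}([-/])\d{2}\1\d{2}\b")

def audit_prompt_line(line):
    """List every non-ASCII character and any slash-separated date in line."""
    findings = []
    for pos, ch in enumerate(line):
        if ord(ch) > 127:
            # Look-alikes render the same, so report code point and name.
            findings.append(("non_ascii", pos, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "UNKNOWN")))
    match = DATE_RE.search(line)
    if match and match.group(1) == "/":
        findings.append(("date_separator", match.start(1), "/", "SOLIDUS"))
    return findings

def signature(line):
    """Collapse findings to a comparable tuple, ignoring positions."""
    return tuple(sorted((kind, value)
                        for kind, _, value, _ in audit_prompt_line(line)))

# Constructed samples, not captured traffic. U+2019 and U+02BC are stand-ins:
# the page does not name the three characters that were used.
SAMPLES = [
    "Today's date is 2000-01-02.",
    "Today\u2019s date is 2000/01/02.",
    "Today\u02bcs date is 2000/01/02.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), audit_prompt_line(sample))
```

Two lines that look identical on screen produce different signatures here, which is the property that lets a receiver tell the flags apart and lets a reviewer spot them.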
These modifications are undetectable to human users and possibly to the AI model itself, yet they can be processed by Anthropic’s servers. Portions of the detection code were XOR-obfuscated with the key 91, a method used to hinder plain-text extraction during code reviews.
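Single-byte XOR defeats a plain string search but not a keyed one. The added example below (not from the article or from Claude Code) searches a byte blob for known strings under every single-byte key, a generalization of the key-91 case; the function names and the sample blob are constructed, and 91 is read as decimal, which is an assumption.

```python
def xor_bytes(data, key):
    """XOR every byte of data with one single-byte key."""
    return bytes(b ^ key for b in data)

def scan_single_byte_xor(blob, needles, keys=range(1, 256)):
    """Return (key, offset, needle) for each needle found XOR-encoded in blob.

    Key 0 is skipped because it leaves the text in the clear, where an
    ordinary string search already finds it.
    """
    hits = []
    for key in keys:
        for needle in needles:
            encoded = xor_bytes(needle.encode("utf-8"), key)
            offset = blob.find(encoded)
            while offset != -1:
                hits.append((key, offset, needle))
                offset = blob.find(encoded, offset + 1)
    return hits

# Strings the page says the hidden code compared against.
NEEDLES = ["Asia/Shanghai", "Asia/Urumqi"]

# Constructed blob, not taken from any release: two needles encoded with
# key 91 (read here as decimal, an assumption) between filler bytes.
SAMPLE_BLOB = (b"\xff\xfe" + xor_bytes(b"Asia/Shanghai", 91) + b"\x00"
               + xor_bytes(b"Asia/Urumqi", 91) + b"\xfe")

if __name__ == "__main__":
    for key, offset, needle in scan_single_byte_xor(SAMPLE_BLOB, NEEDLES):
        print(f"key={key} offset={offset} decodes to {needle!r}")
```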
Anthropic’s clarification
Anthropic engineer Thariq Shihipar noted on X that the tracking was “an experiment launched in March to prevent unauthorized account abuse by resellers and guard against distillation.” He indicated that the team had intended to remove it for a while, and the relevant pull request was approved on July 1.
This rollback coincided with the restoration of Anthropic's Fable 5 and Mythos 5 models, which the U.S. Commerce Department had instructed the company to disable for all foreign users in mid-June due to a discovered jailbreak vulnerability. Export limitations were lifted on June 30, with access restored on July 2, at which point Anthropic announced plans to enhance collaboration with the government regarding frontier AI security.
Background on distillation
Anthropic’s rationale for the tracking code is framed within a broader fight against what it perceives as systematic theft of its model capabilities. In a letter to the U.S. Senate Banking Committee dated June 10, the company accused entities linked to Alibaba's Qwen AI lab of executing the largest known distillation attack on Claude, utilizing approximately 25,000 fraudulent accounts to facilitate 28.8 million exchanges between April and June.
Alibaba has denied these allegations. In February, Anthropic had previously named DeepSeek, Moonshot AI, and MiniMax as perpetrators of similar campaigns, positioning distillation as a serious threat to the business models of leading AI companies.
Distillation, which involves using outputs from a powerful model to train a smaller one, occupies a contentious space within AI development. Asian AI startups have initiated alternatives to Anthropic’s models partly due to the export ban on Fable 5 and Mythos 5, creating ambiguity between legitimate competition and unlawful appropriation.
Issues of developer trust
Claude Code necessitates extensive access to a developer’s local file system to process, modify, and execute code, implying that any concealed functions within the tool could access everything on the machine. Huorong Security, a Chinese cybersecurity firm, emphasized that Anthropic’s tracking posed not only a transparency issue but also raised concerns regarding cross-border data compliance.
“One day it’s a timezone verification; the next, it could be system sabotage or data theft,” one Reddit user expressed. Although Anthropic’s privacy policy states that it gathers such data, critics contend that the steganographic approach, designed to remain undetectable to users, surpasses the boundaries of standard privacy disclosures.
Broader implications
This situation accelerates China’s endeavors to reduce dependence on American AI tools, which Chinese companies increasingly regard as associated with legal, security, and operational risks. Alibaba has been vigorously developing its own AI framework, integrating its Qwen models across various products from e-commerce to robotics, and the ban on Claude Code further legitimizes its push for domestic alternatives.
Lizzi Lee, a fellow at the Asia Society Policy Institute’s Centre for China Analysis, remarked that the conflict illustrates
