News
Alibaba Bans Claude Code After Discovering Hidden Code That Tracked Chinese Users

Alibaba will prohibit employees from using Claude Code starting July 10 after discovering a hidden mechanism in the tool that detected users logging in from China. Anthropic admits the feature was meant to combat unauthorized account resale and the training of rival models on Claude's outputs.
Contents
Alibaba is imposing, starting July 10, a complete ban on the use of Claude Code, Anthropic's coding agent, adding it to its internal list of high-risk software. The reason is the discovery of a hidden mechanism in the tool's code that could detect whether a user was logging in from China and relay that information to Anthropic's servers without the user's knowledge.
What the code revealed
The mechanism was not visible in Claude Code's standard interface. According to reporters who reviewed a code analysis first published on Reddit, the tool checked the device's time zone settings and cross-referenced proxy server addresses against a hardcoded list of Chinese domains and addresses linked to local AI labs.
If the system identified a user as potentially Chinese, it signaled this in ways invisible to the operator, for instance by switching the date format from hyphens to slashes or inserting specific Unicode characters into the system prompt sent to the model. The entire mechanism was further encrypted with a simple XOR algorithm using a numeric key, making it harder to detect during a standard code audit.
Anthropic's explanation
Anthropic does not deny the mechanism exists, but frames it as a defensive measure rather than a surveillance tool. Company engineer Thariq Shihipar wrote on X that the feature was created in March as an experiment aimed at curbing abuse tied to unauthorized account resale and protecting against distillation, meaning the training of competing models on responses generated by Claude.
It was an experiment launched in March meant to prevent account abuse by unauthorized resellers and protect against distillation - Thariq Shihipar, Anthropic engineer
Shihipar added that the team had been planning to phase out the mechanism for some time, and that more appropriate safeguards had already been put in place. A pull request removing the disputed code was merged into the repository on July 1, a day after the story began circulating online.
The distillation dispute behind it
The whole situation is unfolding against the backdrop of a much broader conflict between Anthropic and Qwen, the Chinese AI lab owned by Alibaba. Anthropic accuses Qwen of running what it calls the largest known distillation attack on the market, using roughly 25,000 fake accounts to funnel 28.8 million queries to Claude between April and June 2026 in order to train a competing model on its responses.
Alibaba denies the allegations. However, the company has not directly addressed the detected tracking mechanism, focusing its internal communications instead on classifying Claude Code as high-risk software and ordering its removal from employee workstations.
What Alibaba employees get instead
In place of Claude Code, Alibaba is directing employees to use Qoder, its own AI-assisted coding platform developed in-house by the group. It marks another step by the company toward reducing its reliance on Western, language-model-based development tools, alongside its earlier push to promote its own Qwen family of models.
Anthropic had already been barring Chinese entities from direct access to its models, regularly closing loopholes that allowed users to bypass those restrictions, for example through proxy servers registered outside China. The exposed geolocation-tracking mechanism fits within that policy, but the way it was implemented, without informing users and using concealment techniques, raises questions about the line between legitimate intellectual-property protection and covert surveillance.
For Polish companies and developers using Claude Code, the case has practical implications. If the tool was capable of covertly classifying users by location and sending signals back to the vendor's servers, it raises questions about what other telemetry data coding agents collect in the background, regardless of the user's country of origin.
The case could also influence how European tech companies approach security audits of AI tools used by their development teams. There is growing recognition that a model's open source code alone does not guarantee transparency of the tools built around it, since telemetry mechanisms can be hidden at the client level rather than in the model itself.
Anthropic has said it will remove the mechanism in an upcoming Claude Code update, but has not given an exact date for rolling out the fix to all users. Alibaba is maintaining the ban for now, and market observers expect the distillation dispute between the two companies to keep escalating regardless of the tool's fate.
Sources: TechCrunch (techcrunch.com), The Next Web (thenextweb.com), American Bazaar (americanbazaaronline.com)

