Monday, July 6, 2026

News

Anthropic Hid Code in Claude Code That Tracked Chinese Users

AI AgentsPatryk RabaJuly 6, 2026

Since April, Claude Code secretly checked whether users were connecting from China, using steganography hidden in a system date message. After the mechanism was disclosed, Alibaba banned employees from using the tool starting July 10.

Contents
  1. How the hidden mechanism worked
  2. Anthropic's explanation
  3. Alibaba's response
  4. What this means for companies using Claude

Anthropic has admitted that its coding tool Claude Code secretly checked, since April, whether the person at the keyboard was connecting from China. The location-detection code was hidden so cleverly that no one outside the company noticed it for three months. When the matter came to light, Alibaba ordered its employees to stop using the tool entirely.

The case concerns Claude Code, Anthropic's flagship agentic coding tool used by engineering teams worldwide. Security researchers discovered that the software was quietly checking whether it was running on a machine located in China or connected to Chinese network infrastructure. The detection result was fed into the system in a way invisible to the ordinary user.

How the hidden mechanism worked

The technique was steganographic, meaning it hid data inside a seemingly innocuous interface element. Claude Code subtly altered the date format in a system message and replaced the standard apostrophe in the phrase 'Today's date is' with one of three visually identical but technically distinct Unicode characters. The fragment responsible for the detection was additionally encrypted with an XOR operation using the numeric key 91, meant to prevent it from being read during an ordinary review of the code's text.

Two signals were checked: the system's time zone, compared against Asia/Shanghai and Asia/Urumqi, and the user's proxy address, matched against a hardcoded list of Chinese domains and AI lab identifiers, among them Alibaba, Baidu, Ant Group and ByteDance. In other words, the tool was designed to recognize whether someone was using Claude Code on behalf of a Chinese tech company, even if they were formally connecting from outside China through a proxy.

Anthropic's explanation

Thariq Shihipar, an engineer on the Claude Code team, described the mechanism as an internal experiment meant to protect the company from abuse. A pull request removing the code was merged into the repository on July 1, and the feature was set to disappear entirely in the next release.

It was an experiment we ran in March aimed at preventing account abuse by unauthorized resellers and protecting against distillation - Thariq Shihipar, engineer on Anthropic's Claude Code team

The team says it has since rolled out 'stronger safeguards' and had planned to retire the mechanism even before it came to light. That does not change the fact that a tool used by companies worldwide carried, for three months, a feature whose existence was disclosed to neither users nor corporate customers.

Alibaba's response

Alibaba classified Claude Code as high-risk software and ordered employees to stop using it starting July 10, 2026. Its replacement is to be Qoder, the company's own AI-assisted coding tool. The decision coincides with a dispute that has been building for weeks between Anthropic and Alibaba over alleged model distillation.

Anthropic claims that entities linked to Alibaba's Qwen lab carried out the largest known distillation attack against Claude. According to the company, between April 22 and June 5, nearly 25,000 fake accounts generated 28.8 million exchanges with the model, and the collected responses were meant to be used to train Qwen to bring its capabilities closer to Anthropic's flagship model, referred to as Mythos Preview, which specializes in coding, multi-step reasoning and cybersecurity-related tasks.

What this means for companies using Claude

For companies and development teams using Claude Code, the affair above all means a loss of trust in the tool's transparency. Even if the stated goal was to make model theft harder, hidden location-tracking mechanisms in a commercial product raise questions about what other undisclosed functions might be running in similar agentic tools that engineers use every day, including in Poland, where Claude Code has been gaining popularity among development teams.

The dispute is part of a broader geopolitical conflict over Chinese companies' access to American AI models. Anthropic has spent months tightening the rules on access to its services for entities linked to China, and the US Department of Commerce has imposed additional export restrictions on some of the company's models, citing concerns about possible military use. The disclosure of the hidden tracking mechanism adds a new, awkward dimension to the affair for Anthropic.

Sources: The Decoder (the-decoder.com), TechCrunch (techcrunch.com), South China Morning Post (scmp.com)

Share: