Alibaba bans Claude Code (Anthropic's AI coding tool) after alleging hidden China-detection backdoor; staff directed to switch to Qoder, escalating Anthropic-China relations breakdown.
Chinese tech giant Alibaba has banned its employees from using Anthropic's Claude Code for all work purposes, effective July 10, following security researchers' allegations that the AI coding agent contained hidden code designed to detect whether users were based in China or affiliated with Chinese AI labs. According to a July 3 South China Morning Post report, Alibaba cited "back-door risks" and added Claude Code to a list of high-risk software with security vulnerabilities following a comprehensive evaluation.
Employees have been instructed to adopt Qoder, Alibaba's in-house AI coding platform, as the replacement. According to reports from Chinese outlets citing company insiders, the directive extends beyond Claude Code itself, with staff reportedly instructed to uninstall all Anthropic products, including the Sonnet, Opus, and Fable model families.
The ban escalates a feud that began last month when Anthropic accused operators linked to Alibaba's Qwen AI lab of running the largest known model distillation attack against Claude. On June 10, Anthropic sent a letter to leaders of the U.S. Senate Banking Committee alleging that operators affiliated with Alibaba's Qwen lab used nearly 25,000 fraudulent accounts to generate 28.8 million exchanges with Claude between April 22 and June 5, characterizing this as an industrial-scale attempt to distill the model's software engineering and reasoning capabilities. Alibaba has denied wrongdoing and has not addressed the allegations in detail.
The specific trigger for the ban was a June 30 post on the r/ClaudeAI subreddit by a user who claimed to have reverse-engineered Claude Code while restoring a disabled remote-control feature. According to the write-up, obfuscated detection logic had shipped silently since version 2.1.91, released on April 2, with no mention in the release notes. Whenever a proxy was detected, the code reportedly checked whether the system timezone matched Asia/Shanghai or Asia/Urumqi and inspected the proxy URL against a hardcoded list of Chinese domains and AI lab identifiers, reportedly including Alibaba, Baidu, Ant Group, and ByteDance.
The discovery escalated from routine telemetry to scandal because of the exfiltration method. Rather than sending an overt signal, the tool allegedly encoded its findings steganographically, tweaking the date format and swapping a punctuation character in the system prompt sent back to Anthropic's servers—invisible to the user but machine-parseable on Anthropic's end. The Reddit author characterized the covert transmission of system and proxy data as "a fundamental violation of user trust," calling for transparency from Anthropic.
Anthropic has not issued a formal statement, but Thariq Shihipar, an engineer on the Claude Code team, addressed the findings on X, describing the mechanism as "an experiment we launched in March" intended to prevent account abuse by unauthorized resellers and to protect against distillation. Shihipar stated that the team had been planning to remove the code and that the pull request stripping it out was merged on July 1, the day after the Reddit post.
Following the Senate letter, Anthropic imposed sweeping account restrictions, reportedly cutting off numerous Chinese users without notice. The company has long maintained the industry's hardest line on access to China, stating it is the only frontier AI firm that restricts service to Chinese-owned entities, even through subsidiaries incorporated abroad. This restriction is precisely why Chinese developers access Claude Code through proxies in the first place, and why a proxy-triggered detection routine appears, to Chinese observers, as a tool built specifically to target them.
The episode reflects the broader U.S.-China AI relationship, which has oscillated throughout 2026. Washington initially placed export restrictions on AI chips to China but loosened hardware controls this year, clearing approximately 10 Chinese firms, including Alibaba, to purchase H200S processors in quantities up to 75,000 units per customer. Simultaneously, Beijing discouraged Chinese firms from buying approved American silicon, citing its own security concerns as part of a deliberate push toward an indigenous AI stack.
Software access now appears to be following a similar trajectory of restrictions. Anthropic is blocking China at the account level; China's largest tech company has now banned Anthropic at the workplace level. Earlier, OpenAI banned numerous China-linked accounts accused of artificially amplifying backlash against U.S. data center electricity prices.