Artificial IntelligenceBigTech CompaniesNewswireTechnologyWhat's Buzzing

Alibaba bans Claude Code for hidden tracking of Chinese users

▼ Summary

– Alibaba banned employees from using Claude Code after security researchers discovered steganographic tracking code that identified Chinese users by checking system timezone and proxy URLs.
– The tracking code, present since version 2.1.91, used obfuscation and Unicode character swaps to hide signals in system prompts sent to Anthropic servers.
– Anthropic engineer Thariq Shihipar stated the tracking was an experiment to prevent account abuse and distillation, and the code was removed on July 1.
– Anthropic accused Alibaba’s Qwen AI lab of running the largest known distillation attack with 25,000 fraudulent accounts generating 28.8 million exchanges; Alibaba denied the claim.
– The incident accelerates China’s push for domestic AI tools, as developers view US tools as carrying legal and security risks amid US-China AI competition.

Alibaba has formally prohibited its employees from using Claude Code, Anthropic’s AI-powered coding assistant, after security researchers uncovered hidden steganographic tracking code designed to identify users in China. The ban, which took effect on July 10, marks a significant escalation in the ongoing tensions between the two tech giants, following Anthropic’s accusation that Alibaba orchestrated the largest known distillation attack on its models.

In an internal notice reported by the South China Morning Post, Alibaba stated: “As Claude Code was recently discovered to carry back-door risks, after comprehensive evaluation, Claude Code has now been added to a list of high-risk software with security vulnerabilities.” The company advised employees to switch to Qoder, its own in-house coding agent platform.

How the tracking was uncovered

A Reddit user going by LegitMichel777 reverse-engineered Claude Code on June 30 and discovered obfuscated code that had been silently embedded since version 2.1.91, released on April 2, with no mention in the release notes. The code checked whether a user’s system timezone was set to Asia/Shanghai or Asia/Urumqi and scanned proxy URLs against a hardcoded list of Chinese domains and AI lab addresses.

Instead of logging this information directly, the system used steganography to hide its signals within the system prompt sent back to Anthropic’s servers. For Chinese timezones, the date format changed from dashes to slashes, and the apostrophe in “Today’s date is” was swapped with one of three visually identical but technically distinct Unicode characters, depending on which flags were triggered. These alterations are invisible to human users and even the AI model itself, but they are machine-parseable by Anthropic’s servers. Portions of the detection code were XOR-obfuscated with the key 91, a technique that prevents plain-text extraction during code analysis.

Anthropic’s justification

Thariq Shihipar, an Anthropic engineer on the Claude Code team, acknowledged the tracking on X, calling it “an experiment we launched in March that was meant to prevent account abuse from unauthorised resellers and protect against distillation.” He said the team had been “meaningful to take this down for a while” and that the pull request to remove it was merged on July 1.

This rollback coincided with the restoration of Anthropic’s Fable 5 and Mythos 5 models, which the US Commerce Department had ordered the company to disable for all foreign nationals in mid-June after Amazon researchers found a jailbreak vulnerability. The export controls were lifted on June 30, and Anthropic restored access on July 2, stating it would “scale up government collaboration” on frontier AI security.

The broader distillation conflict

Anthropic’s tracking code sits within a larger campaign against what it calls systematic theft of its models’ capabilities. In a June 10 letter to the US Senate Banking Committee, the company accused operators affiliated with Alibaba’s Qwen AI lab of running the “largest known distillation attack” on Claude, using roughly 25,000 fraudulent accounts to generate 28.8 million exchanges between April and June. Alibaba has denied the accusation. Anthropic previously named DeepSeek, Moonshot AI, and MiniMax in February as perpetrators of similar campaigns, framing distillation as an existential threat to frontier AI business models.

Distillation , the practice of using a powerful model’s outputs to train a smaller one , occupies a grey area in AI development. Asian AI startups have launched alternatives to Anthropic’s models partly because the export ban on Fable 5 and Mythos 5 left a market gap, making the line between legitimate competition and illicit extraction increasingly difficult to draw.

Developer trust and compliance risks

Claude Code requires deep access to a developer’s local file system to read, modify, and execute code, meaning any hidden functionality effectively has access to everything on the machine. Huorong Security, a Chinese cybersecurity firm, said Anthropic’s tracking was not only a transparency issue but also raised cross-border data compliance concerns.

“Today it’s a timezone check, tomorrow it could be system sabotage or data exfiltration,” one Reddit user wrote. Anthropic’s privacy policy states that it collects the kind of data in question, but critics argue the steganographic method , designed to be invisible to users , crosses a line that a standard privacy disclosure does not.

The bigger picture

This episode accelerates China’s push to reduce reliance on American AI tools, which Chinese firms increasingly view as carrying legal, security, and operational risks. Alibaba has been aggressively building its own AI stack, integrating its Qwen models across products from e-commerce to robotics, and the Claude Code ban gives it further justification to push employees toward domestic alternatives.

Lizzi Lee, a fellow at the Asia Society Policy Institute’s Centre for China Analysis, said the conflict showed how the US-China AI competition has moved beyond technology into access control and sovereignty. “If a US AI coding tool can detect Chinese usage or proxy access, then it’s not surprising for major Chinese tech companies to not want employees using it internally,” she said.

Anthropic’s models have long been officially inaccessible in China, but they remain popular among domestic developers who use workarounds to maintain access. Whether the tracking controversy pushes more of them toward Chinese alternatives or simply confirms what many already suspected about the risks of depending on American AI tools is a question that extends well beyond Alibaba.

(Source: The Next Web)

Topics

steganographic tracking 98% alibaba ban 95% distillation attack 93% us-china ai competition 91% developer trust issues 89% export controls 87% reverse engineering 85% chinese ai alternatives 83% cross-border data compliance 81% account abuse prevention 79%