Alibaba Bans Claude Code Over Hidden Chinese User Tracking
Security researchers found steganographic markers inside the AI coding tool that flagged users in Chinese time zones, and Anthropic called it an experiment.
July 3, 2026 – 7:25 pm
TL;DR
Alibaba has banned its employees from using Claude Code, Anthropic’s AI-powered coding agent, after security researchers discovered that the tool contained hidden code designed to identify Chinese users. The ban follows weeks of escalating conflict between the two companies over allegations that Alibaba stole Anthropic’s AI capabilities through industrial-scale distillation.
"As Claude Code was recently discovered to carry back-door risks, after comprehensive evaluation… Claude Code has now been added to a list of high-risk software with security vulnerabilities," Alibaba said in an internal notice reported by the South China Morning Post. The company recommended employees use Qoder, its own coding agent platform, as a substitute.
How the Tracking Worked
A Reddit user identified as LegitMichel777 reverse-engineered Claude Code on 30 June and found obfuscated code that had been silently present since version 2.1.91, released on 2 April, with no mention in the release notes. The code checked whether a user’s system timezone was set to Asia/Shanghai or Asia/Urumqi and scanned proxy URLs against a hardcoded list of Chinese domains and AI lab addresses.
Rather than logging the results conventionally, the system used steganography to hide its signals in the system prompt sent back to Anthropic’s servers. If the timezone was Chinese, the date format changed from dashes to slashes, and the apostrophe in “Today’s date is” was swapped with one of three visually identical but technically distinct Unicode characters depending on which flags were triggered.
The alterations are invisible to human users and potentially even to the AI model itself, but they are machine-parseable by Anthropic’s servers. Portions of the detection code were XOR-obfuscated with the key 91, a technique used to prevent plain-text extraction during code analysis.
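The markers described above change bytes without changing what a reader sees, so an egress audit can catch them by comparing outbound text with a known-good baseline after folding look-alikes to one canonical form. The following is an added example, not code from Claude Code or from the researcher's analysis; the look-alike set, the function names and the sample strings are assumptions, since the article does not name the three code points used.

```python
import re
import unicodedata

# ASSUMPTION: the article does not name the code points involved, so this is a
# generic set of characters that render like an ASCII apostrophe.
LOOKALIKES = "\u2019\u2018\u02bc\u02b9\u2032\u00b4\uff07"
DATE_RE = re.compile(r"\b(\d{4})[-/.](\d{2})[-/.](\d{2})\b")


def canonical(text):
    """Fold apostrophe look-alikes and date separators to one canonical form."""
    folded = "".join("'" if ch in LOOKALIKES else ch for ch in text)
    return DATE_RE.sub(r"\1-\2-\3", folded)


def audit(baseline, observed):
    """List characters that differ from the baseline without changing meaning."""
    if canonical(baseline) != canonical(observed):
        # The visible content itself changed: a real edit, not a hidden marker.
        return [{"kind": "content_change"}]
    findings = []
    # Folding is character-for-character, so both strings have equal length here.
    for offset, (want, got) in enumerate(zip(baseline, observed)):
        if want != got:
            kind = "date_separator" if got in "-/." else "lookalike_apostrophe"
            findings.append({
                "kind": kind,
                "offset": offset,
                "expected": f"U+{ord(want):04X}",
                "observed": f"U+{ord(got):04X} {unicodedata.name(got, 'UNKNOWN')}",
            })
    return findings


# Constructed sample strings, not captured traffic.
BASELINE = "Today's date is 2026-07-03."
OBSERVED = "Today\u02bcs date is 2026/07/03."

if __name__ == "__main__":
    for finding in audit(BASELINE, OBSERVED):
        print(finding)
```

Any finding on a line whose canonical form matches the baseline means the text carries information the reader cannot see, which is the property worth alerting on regardless of which code points are used.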
Anthropic’s Response
Thariq Shihipar, an Anthropic engineer on the Claude Code team, said on X that the tracking was "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation." He said the team had been "meaning to take this down for a while" and that the pull request to remove it was merged on 1 July.
The rollback coincided with the restoration of Anthropic’s Fable 5 and Mythos 5 models, which the US Commerce Department had ordered the company to disable for all foreign nationals in mid-June after Amazon researchers found a jailbreak vulnerability. The export controls were lifted on 30 June, and Anthropic restored access on 2 July, saying it would "scale up government collaboration" on frontier AI security.
The Distillation Backdrop
Anthropic’s justification for the tracking code sits within a broader campaign against what it calls system distillation—a process in which less capable models are trained on data from more advanced models to create cheaper, more accessible versions without disclosing the original training data or model architecture. Alibaba had previously accused Anthropic of engaging in this practice and stealing its AI capabilities through industrial-scale distillation.