Alibaba bans Claude Code for hidden tracking of Chinese users



TL;DR

Alibaba banned Claude Code after security researchers discovered that Anthropic had embedded steganographic tracking code to identify Chinese users. The ban follows Anthropic’s accusation that Alibaba carried out the largest known distillation attack against its models.

Alibaba has banned its employees from using Claude Code, Anthropic’s AI-based coding agent, after security researchers discovered that the tool contained hidden code designed to identify Chinese users. The ban, which went into effect on July 10, follows weeks of escalating conflict between the two companies over allegations that Alibaba stole Anthropic’s AI capabilities through industrial-scale distillation.

“As Claude Code was recently found to carry backdoor risks, after extensive evaluation, Claude Code has now been added to a list of high-risk software with security vulnerabilities,” Alibaba said in an internal notice reported by the South China Morning Post. The company recommended employees use Qoder, its own coding agent platform, as a substitute.

How tracking worked

A Reddit user identified as LegitMichel777 reverse engineered Claude Code on June 30 and found obfuscated code that had been silently present since version 2.1.91, released on April 2, with no mention in the release notes. The code checked whether a user’s system time zone was set to Asia/Shanghai or Asia/Urumqi and checked proxy URLs against a hashed list of Chinese domains and AI lab addresses.

Instead of recording results conventionally, the system used steganography to hide its signals in the system message sent to Anthropic’s servers. If the time zone was Chinese, the date format changed from dashes to slashes and the apostrophe in “Today’s date is” was swapped for one of three visually identical but technically distinct Unicode characters, depending on which flags were set.

The alterations are invisible to human users and potentially even the AI model itself, but Anthropic’s servers can analyze them by machine. Parts of the detection code were XOR-obfuscated with key 91, a technique used to prevent plain-text extraction during code analysis.
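The kind of marker described above can be surfaced by auditing captured outbound prompt text for look-alike characters and date-separator changes. The following is an added example, not code from Claude Code or from the researcher's analysis; the page does not name the three substitute characters, so the look-alike set and the sample captures are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumption: the page does not name the three substitute characters, so this
# is a general set of code points that render like the ASCII apostrophe U+0027.
LOOKALIKES = "\u2019\u2018\u02bc\u02b9\u2032\uff07\u055a\ua78c"
DATE_RE = re.compile(r"\b\d{4}([-/.])\d{1,2}\1\d{1,2}\b")


def audit_prompt(text):
    """Return findings for characters or date formats that could carry a hidden signal."""
    findings = []
    for offset, ch in enumerate(text):
        if ch in LOOKALIKES:
            kind = "apostrophe-lookalike"
        elif unicodedata.category(ch) == "Cf":  # zero-width and other format chars
            kind = "invisible-format-char"
        else:
            continue
        findings.append({"kind": kind, "offset": offset,
                         "codepoint": f"U+{ord(ch):04X}",
                         "name": unicodedata.name(ch, "UNNAMED")})
    # A date written with anything other than dashes is reported as well.
    for m in DATE_RE.finditer(text):
        sep = m.group(1)
        if sep != "-":
            findings.append({"kind": "date-separator", "offset": m.start(),
                             "codepoint": f"U+{ord(sep):04X}",
                             "name": unicodedata.name(sep)})
    return findings


def fingerprint(text):
    """Order-independent summary for comparing captures across environments."""
    return sorted({(f["kind"], f["codepoint"]) for f in audit_prompt(text)})


# Constructed sample captures (not real Claude Code traffic).
BASELINE = "Today's date is 2025-07-01."
ALTERED = "Today\u02bcs date is 2025/07/01."

if __name__ == "__main__":
    for label, capture in (("baseline", BASELINE), ("altered", ALTERED)):
        print(label, fingerprint(capture))
```

Typographic apostrophes such as U+2019 also occur in ordinary text, so a finding is only meaningful when the same client produces different fingerprints under different time zone or proxy settings.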

Anthropic’s response

Thariq Shihipar, an Anthropic engineer on Claude Code’s team, said on X that the tracking was “an experiment we launched in March aimed at preventing account abuse by unauthorized resellers and protecting against distillation.” He said the team had been intending to delete it for a while and that the pull request to remove it was merged on July 1st.

The removal coincided with the restoration of Anthropic’s Fable 5 and Mythos 5 models, which the US Department of Commerce had ordered the company to disable for all foreign nationals in mid-June after Amazon researchers found a jailbreak vulnerability. Export controls were lifted on June 30 and Anthropic restored access on July 2, saying it would “increase government collaboration” on AI border security.

The backdrop of distillation

Anthropic’s justification for the tracking code falls within a broader campaign against what it calls the systematic theft of its models’ capabilities. In a letter to the US Senate Banking Committee on June 10, the company accused operators affiliated with Alibaba’s Qwen AI lab of running the largest known distillation attack on Claude, using approximately 25,000 fraudulent accounts to generate 28.8 million exchanges between April and June.

Alibaba has denied the allegation. Anthropic had previously named DeepSeek, Moonshot AI and MiniMax in February as perpetrators of similar campaigns, framing distillation as an existential threat to the business models of frontier AI companies.

Distillation, the practice of using the outputs of a powerful model to train a smaller one, occupies a gray area in AI development. Asian AI startups have launched alternatives to Anthropic models partly because the ban on exports of Fable 5 and Mythos 5 left a void in the market, making it increasingly difficult to draw the line between legitimate competition and illicit extraction.

The problem of developer trust

Claude Code requires deep access to a developer’s local file system to read, modify, and execute code, meaning any functionality hidden in the tool effectively has access to everything on the machine. Huorong Security, a Chinese cybersecurity company, said Anthropic’s tracking was not only a matter of transparency but also raised concerns about cross-border data compliance.

“Today it’s a time zone check, tomorrow it could be a system sabotage or data breach,” wrote one Reddit user. Anthropic’s privacy policy states that it collects the type of data in question, but critics argue that the steganographic method, designed to be invisible to users, crosses a line that a standard privacy disclosure does not.

The bigger picture

The episode accelerates China’s push to reduce reliance on American AI tools, which Chinese companies increasingly see as legal, operational and security risks. Alibaba has been aggressively building its own AI stack, integrating its Qwen models into products ranging from e-commerce to robotics, and the Claude Code ban gives it additional justification to push employees toward domestic alternatives.

Lizzi Lee, a fellow at the China Analysis Center at the Asia Society Policy Institute, said the conflict showed how the AI competition between the United States and China has moved beyond technology to access control and sovereignty. “If a US AI encryption tool can detect Chinese usage or proxy access, then it’s not surprising that major Chinese tech companies don’t want their employees to use it internally,” she said.

Anthropic models have long been officially inaccessible in China, but remain popular with domestic developers who use workarounds to maintain access. Whether the controversy over tracking pushes more of them toward Chinese alternatives or simply confirms what many already suspected about the risks of relying on American AI tools is a question that extends far beyond Alibaba.


