sakutto
Generative AI

Alibaba Bans Claude Code Internally: How the Detection-Code Dispute Unfolded

Claude CodeAnthropicAlibabaQoder
Alibaba Bans Claude Code Internally: How the Detection-Code Dispute Unfolded

Alibaba Bans Claude Code Internally (What Was Reported)

Overview of the internal ban (as reported)

Effective
July 10, 2026 (reported as an internal notice)
Scope
Employee use of Claude Code (reportedly also ordering Claude models deleted from company systems)
Reason
Designated high-risk software on the basis of "back-door risks"
Replacement
In-house AI coding tool "Qoder"
Sources
Multiple outlets incl. SCMP and TechCrunch (no comprehensive official statement from either company)

On July 4, 2026, Hong Kong's SCMP and US-based TechCrunch reported that Alibaba would ban internal use of Claude Code from July 10. Claude Code is an AI coding assistant from Anthropic that runs on the command line (a text-based interface). Let us start with what exactly was reported.

The "high-risk software" designation and internal notice

According to the internal notice reported by SCMP, Alibaba told staff that back-door risks had recently been found in Claude Code, and that after a comprehensive evaluation it had been added to a list of high-risk software with security vulnerabilities. The starting point for understanding this story is that the ban is reported as one company's internal rule, not a government regulation.

View official source →
"As Claude Code was recently discovered to carry back-door risks, after comprehensive evaluation, Claude Code has now been added to a list of high-risk software with security vulnerabilities." — wording reported as Alibaba's internal notice

The replacement is the in-house "Qoder"

Staff were reportedly directed to Qoder, Alibaba's in-house AI coding tool. Reports say the notice went beyond stopping Claude Code use by July 10 and also instructed employees to delete Claude models from company systems. In other words, it was framed not as a simple tool swap but as removing Anthropic's products from inside the company.

View official source →
"Alibaba ordered employees to cease all use of Claude Code by July 10 and to delete Claude models from company systems" — from the report

The Trigger: the June 30 Discovery of "China-User Detection Code"

Timeline to the Claude Code ban (2026)

Apr 2
Claude Code version 2.1.91 released; the detection code is analyzed as present from this build
Jun 30
A reverse-engineering analysis posted to Reddit uncovers the detection code
Jul 1
Anthropic removes the detection code in an update
Jul 4
SCMP and TechCrunch report Alibaba's internal ban
Jul 10
The Claude Code ban takes effect inside Alibaba (reported)

The direct trigger for the ban was the discovery that Claude Code contained code quietly judging whether a user was based in China. Let us look at who found it and what it did.

Detecting China-based users by timezone and proxy

The code came to light through a reverse-engineering analysis posted to Reddit on June 30. According to that analysis, the code had been present since version 2.1.91 (released April 2); it checked whether the system timezone matched Asia/Shanghai or Asia/Urumqi and matched proxy (relay-server) URLs against a list of Chinese corporate networks. That list reportedly included networks and cloud regions tied to Alibaba, Baidu, ByteDance, and Moonshot AI.

View official source →
"Anthropic secretly embedded obfuscated code inside its Claude Code command-line tool that identified users in China or connected to Chinese AI labs, according to a reverse-engineering analysis posted to Reddit on June 30 by a user known as LegitMichel777" — from the report

What stands out is that rather than transmitting the result directly, the code used steganography (hiding information inside other data). The analysis says it quietly swapped the date format and the apostrophe character inside the system prompt, thereby "watermarking" interactions from users judged to be China-linked.

View official source →
"Rather than transmitting telemetry data directly, the code employed a steganographic technique: it silently altered two elements of Claude Code's system prompt line — the date format and the apostrophe character in the phrase "Today's date is"" — from the report

Anthropic's explanation: a "misuse-prevention experiment"

After the discovery, Thariq Shihipar, an engineer on Anthropic's Claude Code team, explained that the code had started as an experiment to prevent account misuse and distillation attacks, and confirmed its removal. The code was indeed taken out in the July 1 update. What is confirmed is only that the code existed, was uncovered on June 30, and was removed on July 1; the full intent behind it rests on the parties' own accounts.

View official source →
"Anthropic's Thariq Shihipar confirmed the detection code's removal was merged and would be "fully rolled back" in the next release" — from the report

The Backdrop: Anthropic's "Distillation Attack" Accusation

Overview of the misuse Anthropic reported (as reported)

Reported to
The US Senate (reported late June 2026)
Period
April 22 – June 5, 2026 (about 44 days)
Scale
~25,000 fake accounts, 28.8M+ exchanges
Method
Distillation (training another model on a stronger model's outputs)
Attributed to
Operators linked to Alibaba and its AI lab Qwen, per Anthropic

The detection code did not appear out of nowhere; Anthropic's accusation came first. In the timeline, that accusation is the first point of conflict.

~25,000 fake accounts, 28.8 million exchanges

Anthropic reportedly told the US Senate that operators linked to Alibaba used about 25,000 fraudulent accounts to run more than 28.8 million exchanges with Claude between April 22 and June 5, describing it as the largest known attack of its kind against the company. The aim was "distillation" — using a high-performing model's outputs to train another model and replicate its abilities at lower cost.

View official source →
"Anthropic has accused Alibaba of using nearly 25,000 fraudulent accounts to extract capabilities from its Claude AI models, in what the US AI company described as the largest known attack of its kind against it. The campaign, carried out between April 22 and June 5, generated more than 28.8 million exchanges with Claude" — from the report

If distillation is unfamiliar, it helps to picture it as "having a stronger model answer a huge volume of questions, then using those answers as study material for your own model." Anthropic attributes the campaign to operators linked to Alibaba's AI lab, Qwen.

View official source →
"Anthropic said the effort involved 'distillation,' a technique in which a less capable AI model is trained on the outputs of a more advanced system, potentially allowing rivals to replicate some of its capabilities at lower cost." — from the report

Mutual exclusion of US–China AI tools, and the impact on everyday users

Laid out in sequence, the events form a pattern of mutual exclusion: Anthropic accuses a party of misuse and responds with detection code, and the exposed Chinese side then removes the US tool from inside the company. In the US Congress, there is also reported movement toward legislation that could sanction those who run large-scale distillation attacks — so the dispute between companies is widening into a policy question.

At the same time, the ban is Alibaba's internal rule; it does not mean everyday users lose access to Claude or Claude Code. On Anthropic's side, identity verification introduced from July 2026 is already in motion as an account-misuse countermeasure. For details, see the guide to Claude's identity verification. A separate strand — the regulatory back-and-forth between Anthropic and the US government — is covered in the Claude Fable 5 restoration article.

Conclusion: Read the Confirmed Facts and the Reporting Separately

What to watch next

Alibaba
How well the Qoder migration works, and whether other Chinese firms follow suit
Anthropic
Transparency of its misuse countermeasures (identity verification, detection methods)
US Congress
The fate of legislation enabling sanctions on those who run distillation attacks

Finally, it helps to sort this episode by how firmly each part is established.

ItemStandingBasis
The detection code's existence, June 30 discovery, July 1 removalFirmly established factPublished reverse-engineering analysis and an Anthropic engineer's acknowledgment
~25,000 fake accounts, 28.8M-exchange distillation attackAnthropic's claimConsistent across multiple reports of a Senate disclosure
The July 10 internal ban and Qoder migrationReportingCoverage by SCMP and TechCrunch citing an internal notice

So the facts around the detection code are backed by analysis and the parties' acknowledgment, while Alibaba's ban itself rests on reporting of an internal notice, with no comprehensive official statement yet from either company.

The picture of US and Chinese AI companies warily fencing off each other's tools is likely to continue in different forms. There is no direct practical impact for everyday users, but it is an instructive case for understanding how AI tools' terms of use and anti-abuse measures work. For the full picture of Claude's model lineup and pricing, see the guide to Claude.

Free ToolURL to Markdown ConverterConvert any public web page URL to Markdown. Preserves headings, tables, lists, and links — perfect for LLM and RAG preprocessing, research notes, and archiving web articles.Try it now →

FAQ

Q. Why did Alibaba ban Claude Code internally?
According to an internal notice reported by SCMP, Alibaba said that after a comprehensive evaluation it had added Claude Code to a list of high-risk software with security vulnerabilities, citing back-door risks. The immediate trigger was the discovery on June 30 of code that quietly detects China-based users. Note that no comprehensive official statement has come from either company, so the details of the ban rest on reporting.
SCMP — wording reported as Alibaba's internal notice
As Claude Code was recently discovered to carry back-door risks, after comprehensive evaluation, Claude Code has now been added to a list of high-risk software with security vulnerabilities. SCMP — wording reported as Alibaba's internal notice
Q. What was the China-user detection code?
It was code inside Claude Code that quietly determined whether a user was based in China or connected to a Chinese AI lab. According to a reverse-engineering analysis, it had been present since version 2.1.91 (released April 2), checking whether the system timezone matched Asia/Shanghai or Asia/Urumqi and scanning proxy URLs against Chinese corporate networks. It was uncovered on June 30 through reverse engineering and removed in a July 1 update.
MLQ News — Anthropic Embeds Hidden China-Detection Code in Claude Code
The code, present since version 2.1.91 released on April 2, checked system timezones against "Asia/Shanghai" and "Asia/Urumqi" and scanned proxy URLs for Chinese corporate networks MLQ News — Anthropic Embeds Hidden China-Detection Code in Claude Code
Q. What did Anthropic accuse Alibaba of?
Anthropic reportedly told the US Senate that operators affiliated with Alibaba used roughly 25,000 fraudulent accounts to run more than 28.8 million exchanges with Claude between April 22 and June 5, 2026, in an attempt to extract the model's capabilities through distillation. Distillation trains a less capable model on the outputs of a more advanced one to replicate its abilities at lower cost. This accusation sits behind both the detection code and the mutual exclusion that followed.
InfoWorld — Anthropic accuses Alibaba of using 25,000 fake accounts
Anthropic has accused Alibaba of using nearly 25,000 fraudulent accounts to extract capabilities from its Claude AI models, in what the US AI company described as the largest known attack of its kind against it. The campaign, carried out between April 22 and June 5, generated more than 28.8 million exchanges with Claude InfoWorld — Anthropic accuses Alibaba of using 25,000 fake accounts

Related Tools

Related Tool Categories

Articles