Alibaba has officially banned the use of Anthropic’s Claude Code among its employees following the discovery of hidden tracking mechanisms within the software. Security researchers identified code designed to detect Chinese users and proxy connections, prompting Alibaba to label the tool a high-risk security vulnerability. The move escalates ongoing tensions regarding AI data sovereignty and allegations of industrial-scale model distillation.
Why did Alibaba ban Claude Code?
Alibaba moved to restrict Claude Code on July 10, 2024, after internal security audits confirmed the presence of unauthorized tracking code. According to an internal notice reported by the South China Morning Post, the company categorized the tool as "high-risk software" due to potential back-door vulnerabilities.
The tracking mechanism, which allegedly went live in version 2.1.91 on April 2, 2024, was designed to identify users operating from within China. The system checked local timezones, specifically targeting "Asia/Shanghai" and "Asia/Urumqi," and cross-referenced network traffic against a list of Chinese domains and AI laboratory addresses.
How the detection mechanism functioned
Security researchers and community members, including a Reddit user identified as LegitMichel777, reverse-engineered the software to uncover how the tracking data was transmitted. The system utilized steganography—hiding data within standard prompts sent to Anthropic’s servers—to bypass traditional logging.

- Data Obfuscation: Portions of the detection logic were hidden using XOR-obfuscation with the key 91 to prevent standard text-based analysis.
- Signal Transmission: When the software detected a Chinese timezone, it altered the formatting of dates and swapped specific Unicode characters within the system prompt. These changes were invisible to human users but remained machine-parseable by Anthropic’s backend infrastructure.

Thariq Shihipar, an engineer on the Claude Code team, stated via X that the tracking was part of an "experiment" launched in March 2024 intended to prevent account abuse and protect against unauthorized model distillation. He confirmed the team initiated a pull request to remove the code on July 1, 2024.
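
As an added illustration (not code from the article, from Anthropic, or from the researchers it cites), the sketch below shows how an auditor could check for the two signals described above: strings stored under a single-byte XOR key, and code-point or date-format changes in an outgoing prompt compared with a known baseline. The timezone names come from the article; reading the key 91 as decimal, the sample blob, and both prompts are constructed assumptions, since the page does not give the actual characters or date formats involved.

```python
import difflib
import unicodedata

# Marker strings come from the article; keys, blobs and prompts below are constructed.
MARKERS = ("Asia/Shanghai", "Asia/Urumqi")

def find_xor_hidden(blob: bytes, markers=MARKERS, keys=range(1, 256)):
    """Return (key, offset, marker) for every marker stored under a one-byte XOR key."""
    hits = []
    for key in keys:
        for marker in markers:
            needle = bytes(b ^ key for b in marker.encode("ascii"))
            pos = blob.find(needle)
            while pos != -1:
                hits.append((key, pos, marker))
                pos = blob.find(needle, pos + 1)
    return hits

def prompt_drift(baseline: str, observed: str):
    """Return (offset, old, new, compat_equal) for each span that differs.

    compat_equal is True when both sides are identical after NFKC folding,
    i.e. a code-point substitution that typically renders the same.
    """
    matcher = difflib.SequenceMatcher(None, baseline, observed, autojunk=False)
    drift = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        old, new = baseline[i1:i2], observed[j1:j2]
        same = unicodedata.normalize("NFKC", old) == unicodedata.normalize("NFKC", new)
        drift.append((i1, old, new, same))
    return drift

# Constructed sample: a binary fragment hiding one marker (key 91 read as decimal).
SAMPLE_BLOB = b"\x00junk" + bytes(b ^ 91 for b in b"Asia/Shanghai") + b"tail"
# Constructed prompts: a no-break space swapped in and the date separator changed.
BASELINE = "Date: 2024-04-02. Be concise."
OBSERVED = "Date:\u00a02024/04/02. Be concise."

if __name__ == "__main__":
    for key, offset, marker in find_xor_hidden(SAMPLE_BLOB):
        print(f"key={key} offset={offset} hides {marker!r}")
    for offset, old, new, same in prompt_drift(BASELINE, OBSERVED):
        names = [unicodedata.name(c, "UNNAMED") for c in new]
        print(f"offset={offset} {old!r} -> {new!r} compat_equal={same} {names}")
```

Scanning every key rather than only one means the check still works if the obfuscation key changes between releases.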
The role of AI model distillation allegations
The conflict is rooted in a broader dispute over the unauthorized use of frontier AI models. On June 10, 2024, Anthropic informed the U.S. Senate Banking Committee that entities affiliated with Alibaba’s Qwen AI lab had engaged in a massive distillation attack. Anthropic alleged that approximately 25,000 fraudulent accounts were used to generate 28.8 million interactions with Claude to train competing models.

Alibaba has denied these allegations. The practice of distillation—using the output of a high-performance model to train a smaller, more efficient one—remains a contentious issue in the AI industry. As U.S. export controls continue to restrict access to advanced models like Fable 5 and Mythos 5, the competitive pressure on Chinese firms to develop domestic alternatives has intensified.
Security risks for local file systems
The controversy extends beyond corporate espionage to fundamental cybersecurity concerns. Because Claude Code requires deep access to a developer’s local file system to execute tasks, the discovery of hidden, obfuscated code raised alarms among security professionals.
Huorong Security, a Chinese cybersecurity firm, noted that the tracking feature created significant cross-border data compliance issues. While Anthropic’s privacy policy discloses general data collection, critics argue that the use of covert, machine-readable steganography exceeds the boundaries of standard user transparency.
Alibaba is now directing its workforce to utilize "Qoder," its proprietary coding agent, as a secure, domestic alternative to foreign AI tools. This shift mirrors a growing trend among Chinese technology firms to minimize reliance on American-made software to avoid potential legal, operational, and security risks in an increasingly bifurcated global AI landscape.