Alibaba Bans Claude Code After Hidden Tracking Code Surfaces

iEXExchanger
Alibaba Bans Claude Code After Hidden Tracking Code Surfaces

A researcher found obfuscated code in Claude Code that silently detected Chinese users via timezone checks and steganographic prompt changes. Anthropic removed it July 1, one day after public exposure.

On June 30, a researcher known as LegitMichel777 reverse-engineered Claude Code and found something uncomfortable. Hidden inside Anthropic's coding tool since version 2.1.91—released April 2—was obfuscated code quietly checking whether users were operating from China.

The mechanism was clever. It compared system timezones against Asia/Shanghai and Asia/Urumqi, and scanned proxy addresses for matches with Chinese domains and AI lab addresses. If triggered, the date format in the system prompt shifted from dashes to slashes, and the apostrophe in Today's date is was swapped for a visually identical Unicode character. The difference is invisible to humans, but fully machine-readable by Anthropic's servers.

Anthropic confirmed it. Engineer Thariq Shihipar described the code as an experiment launched in March to prevent account abuse from unauthorized resellers and protect against distillation, adding that the team had been meaning to take this down for a while. It was removed July 1—one day after the disclosure went public.

Alibaba moved fast. Starting July 10, the company bans employees from using Claude Code, labeling it high-risk software with security vulnerabilities and directing staff toward its own Qoder coding agent instead.

The backdrop is contentious. In late June, Anthropic accused Alibaba's Qwen lab of running the largest known model distillation attack on Claude—roughly 25,000 fraudulent accounts generating 28.8 million exchanges over three months to train competing models on Claude's outputs. Alibaba denied the charge. Anthropic framed the tracker as part of that same defense.

Critics ask a fair question: if a company embeds surveillance in production code and removes it only after public exposure, does protecting against abuse really hold as an explanation?

Questions and answers

Frequently asked questions about this article

What exactly was found in Claude Code?

Obfuscated code present since version 2.1.91 checked whether system timezones matched Asia/Shanghai or Asia/Urumqi, and scanned proxy addresses for Chinese domains. If triggered, it steganographically altered system prompts—changing date formats and substituting Unicode characters for apostrophes—invisible to users but readable by Anthropic's servers.

Why did Anthropic add this tracking code?

Anthropic engineer Thariq Shihipar said the code was an experiment to identify unauthorized resellers and guard against model distillation attacks—where competitors mass-generate Claude responses to train their own models. Anthropic separately accused Alibaba's Qwen lab of the largest such attack: 25,000 accounts generating 28.8 million conversations over three months.

What is Alibaba doing in response?

Starting July 10, 2026, Alibaba bans all employees from using Claude Code, calling it high-risk software with security vulnerabilities. The company recommends its own Qoder coding tool as a replacement.

What is a model distillation attack?

Model distillation is when one AI company trains its models by collecting massive amounts of responses from a competitor's model. It lets a company absorb the quality of the teacher model without original training costs. Anthropic alleged Alibaba's Qwen lab did exactly this using 25,000 fraudulent accounts over three months.