On June 30, a researcher known as LegitMichel777 reverse-engineered Claude Code and found something uncomfortable. Hidden inside Anthropic's coding tool since version 2.1.91—released April 2—was obfuscated code quietly checking whether users were operating from China.
The mechanism was clever. It compared system timezones against Asia/Shanghai and Asia/Urumqi, and scanned proxy addresses for matches with Chinese domains and AI lab addresses. If triggered, the date format in the system prompt shifted from dashes to slashes, and the apostrophe in Today's date is was swapped for a visually identical Unicode character. The difference is invisible to humans, but fully machine-readable by Anthropic's servers.
Anthropic confirmed it. Engineer Thariq Shihipar described the code as an experiment launched in March to prevent account abuse from unauthorized resellers and protect against distillation, adding that the team had been meaning to take this down for a while. It was removed July 1—one day after the disclosure went public.
Alibaba moved fast. Starting July 10, the company bans employees from using Claude Code, labeling it high-risk software with security vulnerabilities and directing staff toward its own Qoder coding agent instead.
The backdrop is contentious. In late June, Anthropic accused Alibaba's Qwen lab of running the largest known model distillation attack on Claude—roughly 25,000 fraudulent accounts generating 28.8 million exchanges over three months to train competing models on Claude's outputs. Alibaba denied the charge. Anthropic framed the tracker as part of that same defense.
Critics ask a fair question: if a company embeds surveillance in production code and removes it only after public exposure, does protecting against abuse really hold as an explanation?



