Alibaba Bans Claude Code, Citing Hidden Tracking Code

Alibaba classified Claude Code as high-risk software after a researcher alleged version 2.1.91 silently identified Chinese corporate users, escalating a bitter distillation war between the two companies.

Alibaba Bans Claude Code, Citing Hidden Tracking Code

On the evening of June 30, a post appeared on Reddit. The user "LegitMichel777" claimed to have reverse-engineered Claude Code and found something most developers don't expect to find in a coding assistant: silent identification code. According to the analysis, Claude Code 2.1.91 inspected proxy configurations and system time zones, compared the results against hidden lists of Chinese tech companies, then altered its behavior - all without informing users it was doing so.

Three days later, Alibaba announced that its employees must uninstall Claude Code by July 10.

TL;DR

  • Alibaba banned Claude Code internally, effective July 10, classifying it as "high-risk software"
  • A researcher alleged version 2.1.91 (released April 2) silently detected Chinese corporate users via proxy and timezone checks
  • Anthropic acknowledged the mechanism, calling it an anti-distillation experiment - and confirmed it'd be removed
  • Backdrop: Anthropic accused Alibaba's Qwen lab of running 28.8 million unauthorized Claude interactions through 25,000 fake accounts

The Mechanism

The Reddit post described a multi-step identification process embedded in Claude Code starting with version 2.1.91. The tool allegedly performed two silent environmental checks on startup, then encoded the results in a way that modified the model's behavior without sending raw data to a remote server:

Alleged detection flow (per reverse-engineering analysis, unverified):

1. Read system proxy configuration
2. Read local timezone
3. Compare against concealed lists containing:
   Alibaba, Baidu, ByteDance, Moonshot AI identifiers
4. On match: alter internal system prompt
   (method: date format changes, punctuation swaps)

No independent security researcher has confirmed these findings through a published analysis. Anthropic disputes the "backdoor" framing entirely.

What Anthropic doesn't dispute is that something like this existed. Thariq Shihipar, a member of the Claude Code team, acknowledged it on social media on July 1. "It was an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation," he wrote. He added that the company had "landed stronger mitigations since then" and had "actually been meaning to take this down for a while."

The Events

April 2 - The Version: Claude Code 2.1.91 shipped. This is the version the Reddit post identified as the origin of the identification mechanism. The release date falls within the same window that Anthropic later told the U.S. Senate was when Alibaba's Qwen lab was actively running its distillation campaign against Claude.

June 30 - The Allegation: The post by "LegitMichel777" appeared on r/LocalLLaMA, describing the mechanism in detail. It spread quickly through developer communities and Chinese tech media. The description was specific enough - proxy checks, timezone detection, system prompt mutation via punctuation - to prompt immediate concern among developers at Chinese companies using Claude Code.

Alibaba Group headquarters in Hangzhou, China Alibaba Group's headquarters campus in Hangzhou, China. Source: commons.wikimedia.org

July 1 - The Admission: Shihipar's social media statement confirmed the core claim while reframing it. Anthropic wasn't surveilling developers for intelligence purposes - the mechanism was meant to identify and cut off accounts being used to extract model capabilities. Whether that distinction matters legally or ethically is a question neither company has answered in public.

July 3 - The Ban: Alibaba circulated an internal memo classifying Claude Code as "high-risk software." All employees were directed to migrate to Qoder, the company's in-house AI coding platform, by July 10. Alibaba hasn't issued a public statement and hasn't responded to media inquiries. The company didn't offer its engineers a technical explanation - just a deadline.

The Backdrop

This confrontation didn't happen in a vacuum. For months the relationship between Anthropic and Alibaba has been worsening into something resembling active conflict.

In testimony before the U.S. Senate on June 26, Anthropic described Alibaba's Qwen lab as the origin of the largest known AI distillation campaign it had ever detected. The operation ran from April 22 to June 5, 2026, and generated 28.8 million unauthorized interactions with Claude models through approximately 25,000 fraudulent accounts. Anthropic told senators the interactions were concentrated on Claude's most advanced agentic reasoning and software engineering capabilities - precisely the domains where Qwen's coding models have been improving fast. Our earlier coverage of the Senate testimony has the full breakdown.

Alibaba denied wrongdoing at the time, without expanding on.

Anthropic's terms of service have long prohibited Chinese entities from using its models directly. The distillation accusations widened that prohibition to cover use through VPNs, foreign subsidiaries, or third-party accounts. The Claude Code tracking mechanism - whatever its intent - is the logical extension of that enforcement posture into the developer tools layer.

The Dispute Has No Clean Winner

Anthropic's framing is that the mechanism was a rough anti-abuse measure, not a backdoor, and one that was already being phased out. That is a plausible account. Distillation attacks at the scale Qwen allegedly ran them require exactly the kind of signals Claude Code was reportedly checking for: patterns in proxy use and system configuration consistent with a data center scrape rather than an individual developer session.

Close-up of programming code on a dark terminal screen The alleged mechanism encoded its detection results by adjusting system prompts rather than sending data to a remote server. Source: pexels.com

Alibaba's framing is that a foreign tool with hidden code that profiles users by corporate affiliation is a security risk that warrants an immediate ban. That is also a defensible position. Most enterprise security policies would classify a tool that silently identifies which company you work for and changes its behavior as a result as high-risk, regardless of vendor intent.

Both positions can be true at the same time. That is the problem. Anthropic built a surveillance mechanism to defend against IP theft. Alibaba used IP theft to justify removing the tool that found them out. The Claude Code security record has been rough independent of this dispute - the RCE vulnerabilities and API key theft risks we covered earlier this year raised similar questions about the tool's security posture at enterprise scale.

The engineers at Alibaba now using Qoder didn't vote for any of this.


What Developers Should Do

  1. Update Claude Code as soon as Anthropic ships the patch removing the detection code. Shihipar confirmed removal is imminent as of July 1, 2026.
  2. Check your version. If you're running 2.1.91 or earlier, review Anthropic's release notes for changes to system prompt handling once the update drops.
  3. Review broader Claude Code risks. The enterprise pullback at Meta and Microsoft and the earlier RCE vulnerabilities are part of the same story about how agentic coding tools handle security at scale.
  4. If your team is at a Chinese company: Anthropic's ToS prohibits direct use regardless of this incident. Use through VPNs or foreign subsidiaries puts you at risk of account termination and potential legal exposure under the broader distillation enforcement posture Anthropic is now pushing with Congress.

Sources:

Elena Marchetti
About the author Senior AI Editor & Investigative Journalist

Elena is a technology journalist with over eight years of experience covering artificial intelligence, machine learning, and the startup ecosystem.