Some links on this page are affiliate links. We may earn a commission at no extra cost to you.
Updated: Jul 8, 2026
·
anthropicpolicycoding

Anthropic vs Alibaba: the 'distillation attack' feud, the hidden China-tracking code in Claude Code, and what it means if you build on Claude

TL;DR: Alibaba is banning all Anthropic products for employees from July 10, after security researchers found that Claude Code had — since version 2.1.91 in April 2026 — covertly detected China-routed users and encoded the result via “prompt steganography” hidden in the system prompt (a subtly altered apostrophe in “Today’s date is”). Anthropic engineer Thariq Shihipar called it “an experiment we launched in March” to stop reseller abuse and protect against distillation, and said the code was being removed (PR merged ~July 1). This caps a feud in which Anthropic told the US Senate Banking Committee that Alibaba ran “the largest known distillation attack” on Claude — roughly 25,000 fake accounts and 28M+ interactions (April 22–June 5). Both things are true, and both matter. What this means for you: audit your coding agent’s telemetry, expect tighter identity/geo checks on frontier APIs, and plan for a US–China tool split (Alibaba is pushing its in-house Qoder).

What happened

This is a two-sided story, and the honest version needs both sides. Neither “Anthropic got caught spying” nor “Alibaba stole Claude” is the whole picture.

Side one: the tracking code. A researcher probing privacy behavior in Claude Code — surfaced publicly via a Reddit post and reported by The Register and The Decoder — found that since version 2.1.91 (released April 2, 2026), Claude Code had been quietly checking whether a user looked China-connected. Specifically, it compared the system timezone against “Asia/Shanghai” or “Asia/Urumqi” and scanned any active proxy or custom API address for Chinese domains and AI-lab keywords (Alibaba, ByteDance, Baidu). Based on the result, it altered the date format and swapped in a subtly different apostrophe character in the phrase “Today’s date is” inside the system prompt. The user sees nothing; Anthropic can read the signal instantly. Researchers described the technique as “prompt steganography” — hiding data in plain sight.

Anthropic’s response was fast and specific. Claude Code team engineer Thariq Shihipar wrote on X that it was “an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation.” He added that “the team has landed stronger mitigations since then and we’ve actually been meaning to take this down for a while,” and that the removal pull request was merged and would be fully rolled back in the next release (around July 1).

Side two: the distillation attack. The reason that “experiment” existed at all is the other half of the story. In June, Anthropic sent a letter to the US Senate Committee on Banking, Housing, and Urban Affairs accusing Alibaba of “brazenly” and “illicitly” trying to extract its AI capabilities. Per Anthropic’s account, Alibaba used roughly 25,000 fake accounts to run more than 28 million conversational interactions with Claude between April 22 and June 5, 2026 — which Anthropic called “the largest known distillation attack” on it to date. Distillation is the practice of training a cheaper “student” model on a stronger model’s outputs; it’s the shortcut that lets a fast follower approximate a frontier model without the frontier R&D bill.

Side three: the ban. Now Alibaba has responded in kind. Per CNBC and Tom’s Hardware, Alibaba is banning all Anthropic products for employees effective July 10, citing the hidden detection code as a security risk, and directing staff to its in-house coding tool, Qoder.

Why this matters

1. The “safety-first” brand just collided with covert telemetry — and that’s a governance lesson for buyers. Anthropic markets itself, more than any rival, on safety, honesty, and anti-surveillance values. Shipping covert user-detection that phones home via steganography in a developer tool sits awkwardly with that brand, which is exactly why it made headlines (Slashdot’s framing: a secret tracker “shocks users after Anthropic’s anti-surveillance stance”). The practical takeaway isn’t “Anthropic is evil” — the anti-distillation rationale is real and the code is being pulled. It’s that you should evaluate vendors on what their software actually does, not on their marketing. For any AI tool you deploy, the system prompt, the telemetry, and the network calls are all fair game to audit.

2. If you build on Claude Code, treat this as a telemetry wake-up call — not a breach. Precisely stated, this was covert detection and tagging, not a remote-access backdoor into your machine (some outlets used “backdoor,” which overstates the mechanism). If you weren’t routing through China-linked proxies, you almost certainly weren’t flagged. But the episode is a good reason to do what security-conscious teams should do anyway with any agentic dev tool: pin versions, watch the changelog, inspect outbound requests, and don’t assume a closed-source coding agent’s system prompt is inert. See our Claude Code review and the best AI coding tools guide for how it stacks up on trust and capability.

3. The distillation war is about to reshape API access — including for legitimate users. Anthropic is reportedly closing the loopholes (overseas subsidiaries, VPNs) that let restricted firms reach Claude, and this incident is what “anti-distillation enforcement” looks like in code. Expect tighter identity verification, geo-restrictions, and rate/abuse controls across frontier APIs — the same direction the government-gated release regime and the Fable 5 export-control saga are pushing. If you’re a legitimate international developer, plan for more friction, not less.

4. US–China AI decoupling is now operational at the tool level. This isn’t a policy abstraction anymore — it’s Alibaba ripping Claude out of its employees’ workflows and substituting Qoder, while Chinese labs standardize on domestic models like Qwen and Zhipu’s GLM-5.2. For anyone running cross-border engineering teams, the two ecosystems are visibly splitting: the tools your San Francisco office relies on may be banned in your Hangzhou office, and vice versa. Build your toolchain assuming that divergence continues.

5. It reframes the open-weight vs. frontier calculus. Distillation is precisely the pressure that makes cheap, fast Chinese models so competitive on price-performance — and precisely why frontier labs are hardening access. If you were weighing a frontier US model against a cheaper Chinese one, this feud is a reminder that the gap is partly sustained by aggressive IP protection, and that access politics (not just benchmarks) now belong in the buying decision.

What this means for you

The honest caveats

The uncomfortable, accurate summary: a lab that sells trust shipped covert tracking to defend against a rival it says stole 28 million conversations’ worth of its model — and got caught doing it. If you build on any of these tools, the lesson isn’t which side to root for. It’s to verify what your software does, and to assume the access ground will keep shifting under you.

Frequently asked questions

What did the hidden code in Claude Code actually do?

Since version 2.1.91 (released April 2, 2026), Claude Code checked whether a user appeared to be routing through China or a Chinese AI lab — comparing the system timezone against 'Asia/Shanghai' or 'Asia/Urumqi' and scanning proxy/custom API URLs for Chinese domains and lab keywords. It then encoded the result using 'prompt steganography': subtly tweaking the date format and swapping in a slightly different apostrophe in the phrase 'Today's date is' inside the system prompt — invisible to the user, readable by Anthropic. It was covert detection and tagging, not remote access to your machine.

Was Anthropic spying on all Claude Code users?

No. Per the researchers who found it and Anthropic's own explanation, the mechanism targeted signals of China-routing or Chinese-lab access — not a dragnet of every user. Anthropic engineer Thariq Shihipar described it on X as 'an experiment we launched in March' to prevent account abuse by unauthorized resellers and protect against distillation, said stronger mitigations had since shipped, and confirmed the code was being removed (the pull request merged around July 1). Even so, shipping covert, steganographically-hidden detection in a developer tool is a legitimate trust concern.

What is the 'distillation attack' Anthropic accused Alibaba of?

In a letter to the US Senate Committee on Banking, Housing, and Urban Affairs, Anthropic accused Alibaba of 'brazenly' and 'illicitly' extracting its AI capabilities — using roughly 25,000 fake accounts to run more than 28 million conversational interactions with Claude between April 22 and June 5, 2026, which Anthropic called 'the largest known distillation attack' on it to date. Distillation is training a cheaper model on a stronger model's outputs; these figures are Anthropic's characterization and Alibaba disputes the framing.

I use Claude Code from outside China — should I worry?

Your machine wasn't remotely accessed, and if you're not routing through China-linked proxies you were almost certainly not the target of the flag. The real takeaways are broader: (1) treat your coding agent's system prompt and telemetry as something to audit, not assume; (2) expect Anthropic to tighten identity checks and geo-restrictions on API access as it fights distillation, which can add friction for legitimate international users.

What is Qoder, and why is Alibaba pushing it?

Qoder is Alibaba's in-house AI coding tool. As part of banning all Anthropic products for employees from July 10, Alibaba is directing staff to Qoder instead. It's part of a broader US–China decoupling at the tool level: Chinese firms increasingly standardize on domestic models and coding agents (Alibaba's Qwen and Qoder, Zhipu's GLM) rather than US frontier tools they may lose access to.

Sources

Related tool reviews

Questions or corrections? Email Pick Right. Want the full list? See all news.