Alibaba Killed Claude Code Internally. The Backstory Is Messier Than You Think.
TL;DR
- Alibaba's internal ban on every Anthropic product hits July 10, 2026. Claude Code got slapped with a "high-risk" label over what the company calls "back-door risks" following a "comprehensive evaluation." - Anthropic fired first, telling U.S. senators that Qwen-linked operators burned through ~25,000 fake accounts and fired off 28.8 million Claude queries between April 22 and June 5. They're calling it their biggest distillation attack ever detected. - Hidden tracking code was sitting inside Claude Code binaries. It sniffed timezones, checked proxies, and slipped invisible markers into prompts. Anthropic's defense? "An experiment we launched in March." - Qoder is the replacement. Alibaba's in-house coding platform now gets the entire internal user base whether it's ready or not. - Both companies basically went quiet when Reuters came knocking for details.
How This Whole Thing Blew Up
Someone on r/ClaudeAI posted a June 30 reverse-engineering writeup that turned out to be legit.
They were trying to fix a broken remote-control feature in Claude Code. Stumbled onto something nastier instead. The binary had mechanisms poking around the user's environment. Checking timezone data. Looking at proxy configs. Then quietly injecting steganographic markers into prompts headed back to Anthropic's servers. Not a bug.
Not an accident.
Security researchers dug in and confirmed the hidden code could effectively flag anyone based in China or connected to Chinese AI labs. Reuters independently verified that the tracking mechanisms were real.
Not conspiracy stuff. Actual code doing actual surveillance.
So Alibaba didn't just hear rumors and panic.
They ran what they termed a "comprehensive evaluation" — and then labeled Claude Code high-risk software with "back-door risks." Per SCMP's reporting and The Information, starting July 10 any staffer caught running an Anthropic tool on company gear is in violation.
Anthropic's defense arrived via an employee posting on X. The tracking wasn't a China-targeted backdoor, they said. It was "an experiment we launched in March" to crack down on unauthorized resellers and model distillation.
Honestly? That answer might be technically accurate.
Doesn't make it okay.
A vendor shipped hidden surveillance code inside a developer tool. Didn't disclose it. Got caught because some random Redditor was poking around for a completely unrelated reason.
Then framed it as defensive research after the fact.
The Distillation Problem Nobody Talks About
Here's the part that makes the ban look less paranoid.
On June 10, 2026, Anthropic's letter to the U.S.
Senate Banking Committee spelled out the numbers. Operators tied to Alibaba's Qwen lab allegedly ran 24,800+ fraudulent accounts generating 28.8 million exchanges with Claude. The window was April 22 through June 5. Six weeks. Industrial scale.
France 24 and Tom's Hardware both corroborated the scale independently. Roughly 25,000 fake accounts.
Nearly 29 million individual conversations with Claude.
Anthropic told senators the campaign was aimed at shortcutting China's path to capabilities rivaling Anthropic's premium "Mythos Preview" tier.
Quick explainer on distillation for anyone who doesn't live in this space.
You fire millions of queries at a frontier model. Save every response. Use that big dataset to train your own competing model. You skip the expensive research phase entirely and just... absorb the output. It's IP extraction dressed up as API usage.
TNW's coverage notes Anthropic specifically framed the hidden Claude Code markers as a countermeasure against this exact pattern of systematic theft.
Alibaba denied the distillation accusations.
Then they banned everything Anthropic makes and pushed staff onto Qoder. Which is a denial and a retaliatory wall, simultaneously. The Daily Star frames the whole thing as a mutual lockout between two tech giants.
Side note: Qoder has got to be the worst product name of 2026. But that's neither here nor there.
What This Means If You Build On AI Tools
Let's say you run a small dev shop or an agency.
Probably got Claude Code, ChatGPT, GitHub Copilot, maybe some local models. Four or five vendors. You're handing them your source code, your business logic, client IP. Daily.
Now replay what just happened.
A $40-billion company put stealth tracking code in a CLI tool. It inspected user environments. It checked proxy settings. It embedded invisible identifiers into API calls. When someone found it, the vendor said it was defensive. And maybe it was — they were apparently getting hammered by 29 million fraudulent queries from fake accounts. You'd build detection too if that were your problem.
But here's what sticks.
You cannot audit what's inside a closed-source binary running on your own hardware. That's the real issue. Not whether Anthropic's intent was pure. The structural problem is that you're running code you can't inspect, making network calls you can't see, handling data you're responsible for protecting.
I started running commit attribution tracking on every client deliverable a while back. We check what tools phone home. After reading these reports, I'd extend that discipline to every AI-powered dev tool in the stack. Not just the ones with obvious network activity.
There's a geopolitical dimension too that most devs aren't thinking about. Anthropic already blocks Chinese companies from using Claude. Alibaba just returned the favor.
When your AI platform becomes an extension of export control policy, your tool choice is a geopolitical decision whether you meant it that out or not.
If your clients are international, that matters. Access can get cut. Terms can change overnight.
Practical Steps Before July 10
Three things worth doing this week if you're shipping code with AI assistance.
Check what your tools are actually sending.
Little Snitch on macOS or Wireshark on anything. Watch what your AI coding assistant transmits. Unexplained network calls? That's a question worth asking.
Read the actual data processing agreement.
Not the trust page with the nice gradient. The legal document. What data gets collected, how long it's stored, who it's shared with. No clear answer there? That's your answer.
Don't bet everything on one vendor. Keep a backup tool in your workflow even if it's worse. A single-vendor dependency means one policy change or one hidden "experiment" takes your whole pipeline down. Diversification isn't sexy. It's survival.
Look. The Alibaba-Anthropic fight isn't your war. But the blind trust that spooked Alibaba's security team? That's the same trust you give every AI vendor every time you open a terminal.
Sources
- Reuters: Alibaba bans Claude Code over alleged backdoor risks - South China Morning Post: Alibaba bans Claude Code over spyware concerns - Tom's Hardware: Claude Code hidden China-detection backdoor uncovered - The Next Web: Alibaba bans Claude Code after Anthropic tracking Chinese users - The Information: Alibaba bans employees from using Claude - The Daily Star: Alibaba bans Claude Code amid Anthropic feud
Comments ()