DEV Community

DrMBL
DrMBL

Posted on • Originally published at the-agent-report.com

The Anthropic–China AI Cold War: Claude Access Blocked, Alibaba Bans Claude Code, and the Escalating Rift

TL;DR — In the first week of July 2026, the conflict between Anthropic and Chinese tech companies escalated on three fronts simultaneously. Anthropic tightened access controls after discovering that Ant Financial, ByteDance, and other firms were bypassing its China ban via Singapore subsidiaries and VPN reimbursement programs. Alibaba retaliated by banning Claude Code for all employees starting July 10, citing a covert detection backdoor that a Reddit reverse-engineering effort uncovered in Claude Code v2.1.91. The bans land three weeks after Anthropic accused Alibaba's Qwen lab of executing the largest known model distillation attack — 28.8 million exchanges via 25,000 fake accounts — and days after US export controls on Claude Fable 5 were lifted. The escalation threatens to reshape the market ahead of Anthropic's IPO, currently priced at a $965 billion valuation.


Introduction: The Rift Timeline

What began as a contractual dispute over Pentagon AI safeguards has metastasized into a multi-front cold war between the world's most valuable AI startup and China's largest technology companies. The escalation in the first week of July 2026 is the culmination of events stretching back to February, and it moves at a speed that defies the usual pace of geopolitical entanglement:

Date Event
Feb 27 Trump orders all federal agencies to stop using Anthropic's Claude; Pentagon designates Anthropic a "supply chain risk" (Source: BBC — Trump Orders Agencies to Stop Using Anthropic)
Mar 26 Judge Rita Lin grants preliminary injunction, calls the Pentagon ban "the Orwellian notion that an American company may be branded a potential adversary" (Source: NPR — Judge Blocks Anthropic Ban)
Apr 2 Claude Code v2.1.91 ships with silent detection logic checking for Chinese timezones and proxy URLs (Source: Tom's Hardware — Alibaba Bans Claude Code)
Apr 22–Jun 5 25,000 fake accounts generate 28.8M exchanges with Claude in what Anthropic calls the largest-known distillation attack (Source: Anthropic — Letter to Senate Banking Committee)
May 28 Anthropic raises $65B Series H at $965B valuation, surpassing OpenAI as most valuable AI startup (Source: CNBC — Anthropic Tops OpenAI)
Jun 1 Anthropic files confidential S-1 with SEC (Source: The Agent Report — Anthropic S-1 Filing)
Jun 12 US imposes export controls on Claude Fable 5 and Mythos 5; Anthropic suspends global access
Jun 26 Anthropic publicly accuses Alibaba's Qwen lab of the distillation campaign
Jun 30 Export controls lifted; Reddit user reverse-engineers Claude Code's hidden China-detection logic
Jul 1 Fable 5 redeployed globally; Anthropic merges PR removing the detection code
Jul 3 FT reports Anthropic tightening access controls after discovering workarounds (Source: Financial Times — Anthropic Blocks Chinese Firms)
Jul 4 Alibaba announces Claude Code ban effective July 10 (Source: TechCrunch — Alibaba Bans Claude Code)

The timeline reveals a tit-for-tat pattern that has now crossed from regulatory theater into operational warfare — with access to frontier AI models becoming a weapon in itself.


Data: How Chinese Companies Bypassed Anthropic's Restrictions

Anthropic maintains what it calls "one of the toughest access policies among major US AI developers." The company requires user identity verification and blocks payments from Chinese banks. It explicitly prohibits "accessing or facilitating access to Claude in unsupported regions, including China," and uniquely among frontier labs, extends this restriction to "PRC-controlled companies, including subsidiaries incorporated outside China" (Source: Impact AI News — Anthropic Moves to Block Chinese Firms).

Despite this, the Financial Times documented three distinct workaround vectors that Chinese firms deployed at scale:

1. Offshore Subsidiary Access (Ant Financial)

Ant Financial, Alibaba's fintech affiliate, provided employees with corporate Claude accounts linked to the company's Singapore-based entity. Employees connected through Ant's internal corporate network, routing through Singapore infrastructure. Because the accounts were registered to a Singapore-incorporated subsidiary, they passed Anthropic's initial ownership checks.

Why this matters: Ant Financial's workaround exploited the exact loophole Anthropic had explicitly tried to close — the subsidiary exception. The discovery forced Anthropic to move from account-level checks to ownership-structure analysis, tracing ultimate beneficial ownership rather than merely the incorporation jurisdiction.

2. VPN Reimbursement Programs (ByteDance)

ByteDance engineers were allowed to purchase personal Claude subscriptions and claim reimbursement through the company's expense system, accessing the service through commercial VPNs. Unlike Ant's corporate-account method, this approach used individual consumer accounts — harder to trace to a corporate entity — while still providing systematic access at organizational scale (Source: MoneyControl — Anthropic Tightens Claude AI Access).

3. Transfer Station Services

Third-party intermediaries emerged offering "transfer stations" — services that relay requests from users in mainland China through Claude accounts registered in unsanctioned jurisdictions, then send responses back. These operate as API proxies, masking the true origin of each request. While individual developers use these services openly, larger Chinese AI companies reportedly avoid them because they "fear prompts and sensitive information could be stored or leaked."

Scale indicators: The fact that Anthropic's detection systems, deployed in March, only surfaced these patterns publicly in July suggests the monitoring infrastructure itself was insufficient until the distillation attack forced escalation. Anthropic has since introduced technical measures including timezone-based detection signals and proxy URL inspection.


Anthropic's Response: Account-Level Blocking Meets Ownership-Structure Analysis

Anthropic's countermeasures moved through three phases:

Phase 1 — Account flagging (pre-July): Standard terms-of-service enforcement. Accounts identified as Chinese-operated were terminated. This was easily bypassed through subsidiaries and VPNs.

Phase 2 — Covert detection (March–July 1): Claude Code v2.1.91 shipped with obfuscated detection logic that checked system timezone against Asia/Shanghai and Asia/Urumqi, and inspected proxy URLs against a hardcoded list of Chinese domains and AI lab identifiers — reportedly including Alibaba, Baidu, Ant Group, and ByteDance. The findings were encoded steganographically: the tool tweaked date formats and swapped punctuation characters in the system prompt sent back to Anthropic's servers — invisible to users, machine-parseable on Anthropic's end (Source: Tom's Hardware — Claude Code Backdoor).

Anthropic engineer Thariq Shihipar acknowledged the mechanism on X, describing it as "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation," adding that "the team has landed stronger mitigations since then and we've actually been meaning to take this down for a while." The pull request removing the code was merged on July 1, one day after the Reddit post exposed it.

Phase 3 — Ownership-structure analysis (July 3 onward): The FT report confirmed Anthropic is now working with partners to identify and close loopholes, moving beyond simple account-level checks to trace ultimate beneficial ownership. The company now evaluates the ownership structure of corporate accounts, not just their jurisdiction of incorporation — a significantly more complex verification problem.


Alibaba's Claude Code Ban: The July 10 Deadline

On July 4, Alibaba announced it would ban employees from using Anthropic's Claude Code starting July 10. The company classified Claude Code as "high-risk software with security vulnerabilities" following what it called a comprehensive evaluation. According to internal sources, the directive goes further than Claude Code itself: staff have reportedly been instructed to uninstall all Anthropic products, including the Sonnet, Opus, and Fable model families (Source: Tom's Hardware — Alibaba Bans Claude Code).

The official replacement is Qoder, Alibaba's in-house AI coding platform. The ban covers all internal development infrastructure and explicitly steers engineers toward proprietary alternatives.

The trigger was not the distillation accusation — it was the backdoor. Alibaba's security assessment focused on the covert detection mechanism that Reddit user u/ReverseClaude reverse-engineered and published on r/ClaudeAI on June 30. The post detailed the steganographic exfiltration method and the hardcoded list of Chinese targets, calling it "a fundamental violation of user trust." For a company that had just been accused of industrial-scale model theft, running a tool that secretly reported user location data to a US AI lab was an unacceptable security posture.

What this means operationally: Alibaba employs over 200,000 people. The Claude Code ban removes a substantial chunk of Anthropic's enterprise user base in Asia overnight. It also signals to other Chinese tech companies — Tencent, Baidu, ByteDance — that using Anthropic tools carries security risks their corporate IT departments may not be willing to accept.


The Bigger Picture: Distillation, Export Controls, and Fable 5

The access war is the surface manifestation of three deeper structural forces:

The Distillation Precedent

On June 10, Anthropic sent a letter to the US Senate Banking Committee accusing operators affiliated with Alibaba's Qwen AI lab of running what it characterized as "the largest known distillation attack" on Claude. Between April 22 and June 5, 2026, nearly 25,000 fraudulent accounts generated 28.8 million exchanges with Claude, targeting its software engineering, agentic reasoning, and long-horizon task planning capabilities (Source: Digg — Anthropic Says Alibaba Used 25,000 Fraudulent Accounts).

The scale is staggering in context: 28.8 million exchanges over 44 days averages 654,545 exchanges per day — the equivalent of 27,272 continuous conversations running 24/7. Anthropic's disclosure to the US government, rather than a press release, signaled that it views model distillation as a national security issue, not just a terms-of-service violation.

Export Controls as a Policy Lever

The Fable 5 export control episode (June 12–30) demonstrated that the US government is willing to use immediate trade restrictions to constrain AI model distribution. The controls were imposed after Amazon researchers found a jailbreak technique that could extract exploit-generation capabilities from Fable 5 — capabilities that, as Anthropic's own testing showed, every frontier model including GPT-5.4 and Kimi K2.7 also possessed.

The pattern now looks like this: access restrictions start at the company level (terms of service), escalate to the national-security level (export controls), and backstop at the detection level (covert telemetry). Each layer reinforces the others, creating a progressively harder barrier for Chinese firms to cross.

The Orwellian Precedent

Judge Rita Lin's March 26 ruling established an important legal boundary: the US government cannot punish an AI company for refusing to remove safety safeguards, even on national-security grounds. Her characterization of the Pentagon's supply-chain designation as "the Orwellian notion that an American company may be branded a potential adversary and saboteur of the U.S. for exposing a disagreement with the government" created First Amendment protections that now shield Anthropic's access policies from government retaliation (Source: NPR — Judge Temporarily Blocks Anthropic Ban).

This legal shield is strategically significant: it means Anthropic can maintain its hard-line China access policy without fearing that the US government will flip and demand broader access for geopolitical reasons.


Market Implications: The $965B Question

Anthropic is the most valuable AI startup in the world. Its $965 billion valuation — from a $65 billion Series H round led by Altimeter Capital, Dragoneer, Greenoaks, and Sequoia Capital — is built on a $47 billion revenue run rate, driven largely by Claude Code's enterprise adoption (Source: CNBC — Anthropic Tops OpenAI). The company filed its confidential S-1 with the SEC on June 1, putting it on a trajectory toward what would be the largest technology IPO in history.

The China conflict cuts both ways for that valuation:

Upside for the IPO narrative: Anthropic's aggressive stance on Chinese access is a differentiator. No other frontier lab — not OpenAI, not Google DeepMind, not Meta — restricts subsidiaries of Chinese companies. For institutional investors concerned about IP leakage and regulatory risk, Anthropic's position looks like a moat, not a liability.

Downside risk: The Chinese market represents approximately 18% of global GDP. A permanent decoupling from that market caps Anthropic's total addressable market at roughly 82% of what a competitor with China access could reach. If Alibaba's Qoder, Baidu's ERNIE, or ByteDance's Doubao achieve parity with Claude on coding benchmarks — and the distillation attack suggests they're trying — the ceiling on Anthropic's growth becomes a function of how fast Chinese models improve without access to Claude's outputs.

The Goldman Sachs signal: In April, Goldman Sachs blocked Anthropic Claude access for Hong Kong employees — before the current escalation (Source: India Today — Goldman Sachs Blocks Claude in Hong Kong). Financial institutions are often the canary in the coal mine for geopolitical risk. If more multinationals follow Goldman's lead and restrict Claude access in Asia-Pacific offices, the revenue impact compounds beyond direct Chinese market exclusion.


FAQ

Q: Can Chinese companies still access Claude through VPNs?

Technically, yes — but Anthropic's detection systems now check timezone signals and proxy URL patterns. The covert detection code has been removed, but the company says it has "landed stronger mitigations." Individual users with consumer accounts and VPNs may still get through; corporate-scale access through subsidiaries is the primary target of the crackdown.

Q: Does Alibaba's Claude Code ban affect non-Chinese employees?

The ban applies to all Alibaba employees globally, but the primary impact is on the company's China-based engineering workforce — estimated at over 100,000 developers. Alibaba's international offices may have separate policies, but the directive reportedly covers all internal development infrastructure.

Q: What is Qoder, and can it replace Claude Code?

Qoder is Alibaba's in-house AI coding assistant, built on the company's Qwen model family. While Qwen models have improved rapidly — Qwen 3.5 competes with GPT-5-class models on several benchmarks — independent comparisons of Qoder versus Claude Code for real-world software engineering tasks are not yet available. The July 10 deadline gives Alibaba less than a week to migrate its developer base.

Q: Is Anthropic's IPO at risk from the China conflict?

Not directly. The S-1 is filed, the $65B Series H closed, and institutional demand appears strong. The China conflict is more likely to feature in the "Risk Factors" section of the prospectus than to derail the offering. However, if the Chinese market is permanently foreclosed, long-term revenue projections will need to reflect that ceiling.

Q: Could the Trump administration re-impose export controls on Anthropic?

Yes. The Fable 5 controls were lifted on June 30, but the government retains the authority to re-impose them. The legal precedent from Judge Lin's ruling protects Anthropic from punitive action based on its safety stance, but does not limit the government's authority to regulate AI exports on genuine national security grounds.


Further Reading


Cet article a ete initialement publie sur The Agent Report.

Top comments (0)