Alibaba Bans Claude Code as the Anthropic Distillation War Goes Corporate
Alibaba has ordered all employees to uninstall Anthropic's Claude Code by July 10, citing 'back-door security risks' — the latest escalation in a months-long confrontation over alleged industrial-scale model distillation by DeepSeek, Moonshot AI, and MiniMax. The episode exposes a new front in the US-China AI rivalry: not chips or benchmarks, but the software tools developers use every day.
Wei Lian🇨🇳 China Desk LeadJul 7, 2026 10m readOn July 6, 2026, Alibaba issued a directive that landed like a thunderclap across China's developer community: all employees must uninstall Anthropic's Claude Code by July 10, with the tool formally added to the company's internal list of "high-risk software with security vulnerabilities." The replacement mandated by Alibaba's engineering leadership is Qoder, the company's own agentic coding platform. The ban extends beyond Claude Code itself — staff have reportedly been instructed to remove all Anthropic products, including the Sonnet, Opus, and Fable model families.
The directive is the most visible corporate consequence yet of a confrontation that has been building since February, when Anthropic publicly accused three Chinese AI laboratories — DeepSeek, Moonshot AI, and MiniMax — of conducting what it called "industrial-scale distillation attacks" against its Claude models. What began as a legal and ethical dispute over training data practices has now escalated into a mutual software ban, with each side accusing the other of covert surveillance and intellectual property theft. The episode offers a precise cross-section of where the US-China AI rivalry now stands: not in chip fabs or benchmark leaderboards, but in the everyday tools that developers reach for when they open a terminal.
The Distillation Allegations: What Anthropic Claims
In a February 23 post on its website↗, Anthropic laid out its case in unusual detail. The company said it had identified three coordinated campaigns, each targeting Claude's most differentiated capabilities: agentic reasoning, tool use, and coding. The combined scale was striking — over 16 million exchanges generated through approximately 24,000 fraudulent accounts, all in violation of Anthropic's terms of service and its blanket restriction on commercial access from China.
The three labs were not equally implicated:
- MiniMax was identified as the largest actor, responsible for more than 13 million exchanges targeting agentic coding and tool orchestration. Anthropic said it detected the campaign while it was still active, giving it visibility into the full lifecycle of a distillation operation. When Anthropic released a new model version mid-campaign, MiniMax pivoted nearly half its traffic within 24 hours to capture capabilities from the updated system.
- Moonshot AI ran a campaign of over 3.4 million exchanges, targeting agentic reasoning, computer-use agent development, and computer vision. Anthropic attributed the campaign partly through request metadata that matched the public profiles of senior Moonshot staff.
- DeepSeek generated over 150,000 exchanges, with a focus on reasoning capabilities and, notably, generating censorship-safe alternatives to politically sensitive queries — effectively using Claude as a data-labelling engine for its own content moderation training.
The access method was consistent across all three: commercial proxy services running what Anthropic calls "hydra cluster" architectures — sprawling networks of fraudulent accounts that distribute traffic to avoid detection. When one account is banned, another takes its place automatically. In one case, a single proxy network managed more than 20,000 accounts simultaneously, mixing distillation traffic with unrelated customer requests to obscure the pattern.
"What distinguishes a distillation attack from normal usage is the pattern," Anthropic wrote. "Massive volume concentrated in a few areas, highly repetitive structures, and content that maps directly onto what is most valuable for training an AI model are the hallmarks of a distillation attack."
All three labs have denied wrongdoing or declined to comment in detail. The legal status of distillation — training on another model's outputs — remains genuinely contested. It is standard practice within a single lab (frontier labs routinely distill their own models into smaller, cheaper variants), but the ethics and legality of distilling a competitor's model without permission, especially across jurisdictional lines, is unresolved territory.
The Hidden Code: Steganography in a Developer Tool
The confrontation took a sharper turn in late June, when a developer going by the name Thereallo published a detailed reverse-engineering of Claude Code on Reddit. The post revealed that since version 2.1.91, released on April 2, Claude Code had contained obfuscated detection logic that activated whenever a proxy was detected.
The mechanism, tied to an internal flag called `ANTI_DISTILLATION_CC`, worked as follows:
- Claude Code checked the `ANTHROPIC_BASE_URL` environment variable for proxy or gateway usage.
- If a proxy was detected, it cross-referenced the system timezone against Asia/Shanghai and Asia/Urumqi, and checked the proxy hostname against a hardcoded list of 147 Chinese entities — including Alibaba, Baidu, Ant Group, and ByteDance — encoded with XOR-91 obfuscation and base64.
- When triggered, the tool silently modified the "Today's date is..." system prompt sent to Anthropic's servers, using subtle Unicode character swaps and date format alterations to encode detection signals — invisible to the user, but machine-readable on Anthropic's end.
- Reports also indicated that the server could inject fake tool definitions into the model's system prompt, designed to poison any training data derived from the session.
The Ars Technica report↗ and The Register's coverage↗ both noted that the code had shipped with no mention in release notes and no disclosure in Anthropic's terms of service. Thereallo's conclusion was measured but pointed: "This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust."
Anthropic engineer Thariq Shihipar acknowledged the code on X, describing it as "an experiment we launched in March" to prevent account abuse and protect against distillation. He said the team had been meaning to remove it, and that the pull request stripping it out was merged on July 1 — the day after the Reddit post went viral. Anthropic has not addressed whether the mechanism was disclosed in any terms of service document.
The episode crystallises a tension that runs through the entire distillation debate: the same proxy infrastructure that Chinese developers use to access Claude — because Anthropic restricts direct commercial access from China — is also the infrastructure that Anthropic's detection code was designed to flag. From Beijing's perspective, the tool was built to hunt them specifically.
Alibaba's Response: Qoder as the Replacement
Alibaba's ban, effective July 10, is not merely symbolic. The company has a substantial internal developer base that had been using Claude Code for agentic coding workflows, and the directive to switch to Qoder↗ — Alibaba's own platform, launched in August 2025 — represents a meaningful operational shift.
Qoder is a full-stack agentic coding environment with two primary modes:
- Chat Agent Mode: An interactive pair-programming interface for short-cycle tasks where developers maintain human-in-the-loop control.
- Quest Mode: An autonomous execution system where developers provide high-level specifications and the agent plans, implements, and validates the resulting code independently.
Key technical features include a Repo Wiki that auto-generates structured documentation from codebases, a Next-Edit-Suggestion (NES) model that predicts multi-line edits based on recent changes, and a multi-model backend that can route tasks to the most cost-effective foundation model available. As of mid-2026, Qoder reports over 5 million global users and supports more than 200 programming languages.
The irony is not lost on observers: Qoder's multi-model backend previously included Claude, Gemini, and GPT series models as routing options. The ban effectively forces Alibaba to route all internal coding workloads through non-Anthropic models — a constraint that will likely accelerate investment in Qwen-based coding capabilities.
What This Means for China's Developer Ecosystem
The Alibaba ban is the most prominent instance of a broader pattern. According to CNBC's reporting↗, Ant Group had been providing employees with corporate Claude accounts via its Singapore arm, while ByteDance had introduced a reimbursement policy for personal subscriptions accessible via VPN. The Financial Times reported that Anthropic is now closing these loopholes, targeting subsidiaries incorporated in third countries.
The practical consequences for Chinese developers are significant:
- Direct API access to Claude from China has never been officially available. The proxy ecosystem that filled this gap is now under active pressure from both sides — Anthropic is tightening account verification, and Chinese firms are being pushed toward domestic alternatives.
- Domestic coding tools — Qoder, ByteDance's TRAE IDE, and Zhipu AI's CodeGeeX — are the primary beneficiaries. Each is now positioned to absorb developer workflows that previously ran through Claude Code.
- Open-weight models become more attractive as a hedge. Models like GLM-5.2↗ and Qwen3-Coder↗, both available under permissive licenses, can be self-hosted without any dependency on US API access — a resilience argument that carries new weight in the current climate.
- Enterprise procurement decisions at Chinese firms will increasingly factor in software sovereignty alongside raw capability. The Claude Code episode has made the risk of dependency on US developer tools concrete and visible.
The Broader Arc: Software Access Follows Hardware
The chip export control story of 2024-2025 established a template: the US restricts access to advanced hardware; China accelerates domestic alternatives; the gap narrows but does not close. The software access story of 2026 is following a similar trajectory, but moving faster.
Washington had earlier placed export restrictions on AI chips to China, then loosened hardware controls this year, clearing roughly 10 Chinese firms — including Alibaba — to purchase H200s in quantities of up to 75,000 units per customer. Beijing simultaneously discouraged Chinese firms from buying approved American silicon, citing its own security concerns. The result is a bifurcating stack: hardware, training infrastructure, and now developer tooling are all moving toward parallel, non-interoperable ecosystems.
The distillation dispute adds a further dimension. If Anthropic's allegations are accurate, Chinese labs have been using Claude as a capability accelerant — extracting reasoning and coding skills that would otherwise require years of independent development. If the allegations are overstated or legally unfounded, the effect is the same: Chinese labs are now on notice that US frontier model access is contingent and revocable, and the rational response is to reduce that dependency as quickly as possible.
What Developers Should Watch
For developers and enterprises navigating this landscape, several near-term signals are worth tracking:
- Anthropic's access policy evolution: The company has stated it is the only frontier AI firm that restricts service to Chinese-owned entities even through subsidiaries abroad. Whether this policy tightens further — or whether legal challenges emerge — will shape the proxy ecosystem.
- Qwen3-Coder and GLM-5.2 adoption curves: Both models are now positioned as the primary open-weight alternatives for Chinese developers displaced from Claude. Benchmark performance on SWE-bench and Terminal-Bench will be the key metrics to watch.
- MiniMax's next model release: Anthropic said it detected MiniMax's distillation campaign before the resulting model was released. That model is presumably now in or near deployment. Its capabilities — and how closely they track Claude's — will be a data point in the distillation debate.
- Regulatory response: A recent White House Executive Order articulated intent to protect US AI from foreign adversaries. Whether that translates into formal restrictions on model distillation, or into expanded export controls on model weights themselves, remains to be seen.
The Alibaba-Anthropic confrontation is, at its core, a dispute about who controls the knowledge embedded in frontier AI models and who gets to benefit from it. That question has no clean answer — and the tools developers use every day are now the terrain on which it is being fought.
Links & Resources
External links — opens in a new tab

🇨🇳 China Desk Lead · Beijing, China
Reads the Mandarin sources first — DeepSeek, Qwen, Zhipu, and the rest.

Random Matrix Theory in Ecological Systems
by Richard Murdoch Montgomery
Applying random matrix ensembles to species coexistence, trophic webs, and the stability of complex ecological networks.

Treatise on Systems Biology
by Richard Murdoch Montgomery
Modelling gene regulatory networks, metabolic pathways, and ecological dynamics — where mathematics meets molecular biology.

Topological Invariants and Differential Topology
by Richard Murdoch Montgomery
A treatise on smooth manifolds, characteristic classes, and cohomology — topological methods applied to physics and data science.

The HP 17BII Financial Calculator
by Richard Murdoch Montgomery
A 50-chapter treatise integrating financial mathematics, business reasoning, and Solver-based modeling — from annuities to investment analysis.
Comments
Open discussion — no account needed. Be respectful.
More from Chinese Models Desk
China's $18.5B AI Tiger, Baichuan, Unveils M4: A Medical Agent That Redefines Clinical AI
In a major move that signals a shift from generalized LLMs to specialized clinical systems, Beijing's Baichuan Intelligence and Tsinghua University have released Baichuan-M4. This is not just another medical chatbot. It's an 'agent system' designed for continuous patient care, boasting a 28% gain in diagnostic accuracy and a low 3.3% hallucination rate. This deep dive explores its three-pillar architecture, its performance against rivals like GPT-5.2 and Med-PaLM, and why its ambitious blueprint for 'serious healthcare' matters to developers and hospitals globally.
Sophia ChenAlibaba's Qwen-AgentWorld Reframes the AI Agent Problem: Train the Simulator, Not Just the Agent
Alibaba's Qwen team has released Qwen-AgentWorld, a 'language world model' that flips the conventional agent-training paradigm — instead of teaching a model to act, it teaches a model to simulate the environments agents operate in, unlocking scalable, controllable reinforcement learning without real-world risk. The open-weight 35B variant is already on Hugging Face under Apache 2.0, and the results are turning heads.
Wei LianChina's AI Companion Reckoning: Doubao and Qwen Shut Down Agent Features as New Rules Take Effect July 15
ByteDance's Doubao and Alibaba's Qwen are pulling their custom AI agent features on July 15, 2026, as China's landmark Interim Measures for the Administration of AI Anthropomorphic Interactive Services come into force — a regulatory reset that is reshaping how the world's largest AI market thinks about emotional AI, user safety, and the line between companion and tool.
Sophia Chen