Alibaba Banned Claude Code. It Had Been Distilling It.

Alibaba told its employees to stop using Claude Code on July 10. The tool wasn't slow, expensive, or hard to integrate. It had been quietly checking whether the person typing was in China.

The mechanism, as far as anyone can tell, was small: a bit of identification logic sitting inside Claude Code's client, added back in March, that could flag whether a session originated from China or from an account tied to a Chinese AI lab. It surfaced publicly this week the way most quiet things do now, in a Reddit thread, and Alibaba responded within days by classifying Claude Code as "high-risk software" and ordering staff to switch to its own coding tool, Qoder, instead.

Anthropic didn't deny it. Thariq Shihipar, speaking for the company, called it "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation," adding that stronger mitigations have since replaced it and that the team "had been meaning to take this down for a while." That's a plausible explanation. It's also an admission that Claude Code shipped with code whose purpose was to identify a user's nationality or employer, without telling anyone it was there.

Here's the part that makes this more than a privacy dust-up: Anthropic has spent the past several months accusing Alibaba's Qwen lab of running one of the largest distillation operations against Claude on record, an estimated 25,000 fraudulent accounts generating 28.8 million exchanges between April and June, all aimed at training a rival model on Claude's outputs. Alibaba denies it. Whichever side of that argument you believe, the identification code and the distillation accusation are clearly the same fight. Anthropic built a detector to catch exactly the kind of abuse it says Alibaba was running, and Alibaba is now using the existence of that detector as the reason to ban the product entirely.

Distillation is the mechanism worth understanding here, because it's the thing actually driving both the ban and the secret code. A distillation attack doesn't need to steal weights or breach a data center. It just needs enough conversation transcripts, prompts in, completions out, at large enough scale that a smaller model can be trained to imitate the larger one's behavior. Anthropic's problem is that Claude Code is a text interface by design, which makes every exchange with it a potential training example for whoever's on the other end. The identification logic was Anthropic's attempt to spot when "the other end" looked like a reseller or a competing lab funneling traffic through disposable accounts, rather than an actual paying developer.

That's a real problem for Anthropic to solve. It just solved it in a way that looks, from the outside, exactly like the thing everyone assumes AI companies are already doing: quietly fingerprinting users by geography and affiliation, inside a tool millions of people run locally on their own machines, without disclosure. Anthropic's terms of service already bar Chinese companies and their offshore subsidiaries from using Claude, an approach that hardened further after the Commerce Department's own export restrictions on Mythos and Fable 5 this spring, so the company has never hidden that it screens for exactly this. The problem isn't that Anthropic checks. It's that the checking happened inside client code that developers had every reason to assume was just, well, a coding tool.

Alibaba's response also isn't as clean as "security concerns" makes it sound. Pushing its own workforce onto Qoder instead is also just good business if you're trying to build a credible domestic alternative to the most popular AI coding assistant on the market. Framing a competitor's product as spyware is a more effective way to get there than framing it as "we'd like you to use our thing instead." Both companies have a commercial incentive layered under the security argument, and both are happy to let the security argument carry the story.

None of this is unique to Claude Code specifically. Every major model provider now runs some version of usage screening, rate limiting by account pattern, and geographic access controls, largely because distillation and reselling have become the default way smaller labs catch up without paying for their own training runs. What's unusual is that this time the mechanism got named, dated, and attributed to a specific person at a specific company, instead of staying the kind of thing security researchers speculate about in footnotes. Expect more of this exposure pattern going forward, not less. Every AI coding tool sitting on a developer's machine is now a plausible target for exactly this kind of scrutiny, and bans are already showing up on both sides of the Pacific as a result.

For developers stuck in the middle, the practical read is simpler than the geopolitics: if you're using Claude Code inside a company with any exposure to Chinese entities, expect your compliance team to have opinions about that soon, if it doesn't already.