Someone reverse-engineered a widely used AI coding tool and found hidden code watching them.
The code read your timezone. It checked your network configuration. It compared both against a list of Chinese identifiers. And if you matched, it sent your location and identity data back to servers in the United States, without telling you.
The tool was Anthropic's Claude Code. The hidden mechanism had been running since April 2. It was discovered on June 30 by a developer on Reddit. And on July 8, 2026, China's government did something it has never done before: it officially declared an American AI product a national security threat.
Both sides say the other one started it. And both sides have evidence.
The Official Warning: What Beijing Actually Said
The statement came from China's National Vulnerability Database, the NVDB, a cybersecurity platform directly operated by the Ministry of Industry and Information Technology (MIIT). It was published on the NVDB's official WeChat account on the morning of July 8.
The language was unusually direct for a government cybersecurity advisory:
"The AI coding tool Claude Code contains security backdoor risks, posing a severe threat.", China's National Vulnerability Database (NVDB), July 8, 2026. The NVDB said the tool's built-in monitoring mechanism was capable of transmitting sensitive user information, including geographic location and identity-related identifiers, to remote servers without the user's consent.
The NVDB identified the affected versions as 2.1.91 through 2.1.196, a window covering April 2 to June 29, 2026, exactly three months of Claude Code's release history.
Its instructions were unambiguous: immediately inspect all affected systems; uninstall the impacted versions or upgrade to the latest secure release in which the backdoor code has been removed; and strengthen network traffic monitoring to guard against unauthorised transmission of sensitive data.
It was the first time a Chinese state cybersecurity body had designated an Anthropic product a formal security threat. It will not be the last thing that happens as a result.
What Anthropic Says the Code Actually Was
The discovery did not come from a government lab. It came from Reddit.
On June 30, 2026, a user identified as LegitMichel777 posted that they had reverse-engineered Claude Code and found hidden code beginning in version 2.1.91. Starting on April 2, the tool had been checking whether a user's proxy configuration or timezone matched entries on a concealed list of Chinese identifiers. If the check returned a match, the tool transmitted the user's location and identity data back to Anthropic's servers.
The story spread through specialist tech media over the following week. Then Anthropic's own Claude Code engineer, Thariq Shihipar, confirmed it on X:
"This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then, and we've actually been meaning to take this down for a while."
The tracking feature was fully removed in version 2.1.198, released on July 1, one day after the Reddit post. It had been running for approximately three months without disclosure to users.
Anthropic's position, stated to CNBC, was clear: what China was calling a backdoor was an anti-distillation experiment. And it pointed out, pointedly, that Chinese users were never authorised to use Claude Code in the first place, Anthropic's terms of service explicitly prohibit access by entities majority-owned by China-headquartered organisations.
The unstated implication: if you were running Claude Code in China through a VPN, you were already violating the terms of service. You don't get to complain about what the tool was watching you do.
The War That Built This Moment
Nothing about this story happened in isolation. To understand why China declared Claude Code a national security threat on July 8, you need to understand what happened in the ten weeks before it.
| Date | Event | Actor |
|---|---|---|
| Apr 22 – Jun 5 | Approximately 24,900 fraudulent accounts generate 28.8 million interactions with Claude, what Anthropic calls the largest known coordinated distillation attack on its systems. Anthropic links the attack to operators associated with Alibaba's Qwen lab. | Alleged: Alibaba-linked operators |
| Apr 2 | Anthropic quietly deploys tracking code in Claude Code version 2.1.91, reading timezone and network signals to detect Chinese users engaging in distillation or account abuse. No public disclosure. | Anthropic |
| Jun 10 | Anthropic sends a letter to two US senators formally accusing Alibaba's Qwen lab operators of running the distillation attack, calling it the largest coordinated abuse of its systems to date. | Anthropic |
| Late Jun | Anthropic executes mass account restrictions, cutting off numerous Chinese users of Claude without individual notice, citing the distillation investigation. | Anthropic |
| Jun 30 | Reddit user LegitMichel777 reverse-engineers Claude Code and publishes findings revealing the hidden location-detection code. Story begins spreading through specialist tech media. | Independent researcher |
| Jul 1 | Anthropic engineer Thariq Shihipar confirms the tracking mechanism on X, describes it as an anti-distillation experiment. Version 2.1.198 released with the code removed. | Anthropic |
| Jul 3 | South China Morning Post reports that Alibaba has placed Claude Code on its high-risk software list and will ban employees from using Anthropic tools from July 10. Employees instructed to switch to Qoder. | Alibaba |
| Jul 7 | CNBC confirms Alibaba's Claude Code ban effective July 10. | Alibaba / CNBC |
| Jul 8 | China's NVDB, operated by MIIT, officially classifies Claude Code versions 2.1.91–2.1.196 as containing a "security backdoor posing a severe threat." First official Chinese government designation of an Anthropic product as a security risk. | China (NVDB/MIIT) |
The Question Nobody Can Cleanly Answer
Here is what makes this story genuinely uncomfortable, regardless of which side you are instinctively sympathetic to.
Anthropic's claim is true: Chinese firms were using Claude at industrial scale to steal its capabilities. The 28.8 million fraudulent interactions across 24,900 accounts is not a number that gets disputed. Distillation is real, it is ongoing, and it is costing US AI labs billions in competitive advantage.
China's claim is also technically true: the tracking code collected user location and identity data and transmitted it to US servers without disclosure. That is, by any definition of the term, a backdoor, even if the stated purpose was IP protection rather than intelligence gathering.
Anthropic's position, that users who violated its terms of service to access a product they weren't supposed to be using don't have standing to complain about what that product was watching them do, is legally interesting but politically toxic. Every enterprise in China that used Claude Code through a VPN for legitimate development work was caught in the same net as the distillation operators.
And the NVDB warning is simultaneously a genuine security advisory and a geopolitical counter-move. The timing, a week after the Alibaba ban, ten days after the Reddit disclosure, is not coincidental. It legitimises Alibaba's position, discourages Chinese enterprises from using American AI tools, and reframes Anthropic's anti-theft measures as state-level surveillance.
Claude Code Backdoor: FAQ
On July 8, 2026, China's National Vulnerability Database (NVDB), a cybersecurity platform operated by the Ministry of Industry and Information Technology (MIIT), published a warning stating that Claude Code "contains security backdoor risks, posing a severe threat." It said versions 2.1.91 through 2.1.196 contain a built-in monitoring mechanism capable of transmitting sensitive user information, including geographic location and identity-related identifiers, to remote servers without consent. It advised users and institutions to immediately inspect affected systems, uninstall the affected versions or upgrade to the latest secure release, and strengthen network traffic monitoring to prevent unauthorised data leakage.
China's NVDB identified Claude Code versions 2.1.91 through 2.1.196 as containing the backdoor vulnerability. Version 2.1.91 was released on April 2, 2026; version 2.1.196 was released on June 29, 2026, meaning the hidden tracking code was active for approximately three months. Anthropic's Claude Code engineer Thariq Shihipar confirmed the tracking feature was fully removed in version 2.1.198, released July 1, 2026. The latest version as of July 8 is 2.1.204, which does not contain the disputed code.
Anthropic said the code was an experimental anti-abuse mechanism, not a surveillance tool. Engineer Thariq Shihipar explained on X that it was launched in March 2026 to combat two specific threats: fraudulent account resellers and model distillation by Chinese competitors. It worked by reading timezone and network signals to determine whether a user was based in China or affiliated with a Chinese AI lab. Shihipar said the team "has landed stronger mitigations since then" and confirmed the feature was removed on July 1. Anthropic also noted Chinese users were never authorised to use Claude Code, its terms prohibit access by China-headquartered entities and their majority-owned subsidiaries, even when incorporated abroad.
Model distillation is a technique where the outputs of a more capable AI model are used to train a less capable one, stealing intelligence from a frontier model without accessing its weights. In a June 10, 2026 letter to US senators, Anthropic alleged that operators linked to Alibaba's Qwen lab ran nearly 25,000 fraudulent accounts that generated approximately 28.8 to 29 million interactions with Claude between April 22 and June 5, what Anthropic called the largest known coordinated distillation attack on its systems. The hidden tracking code in Claude Code versions 2.1.91–2.1.196 was specifically designed to detect and block users engaging in this practice.
Alibaba informed employees in late June / early July 2026 that Claude Code would be banned from all work use effective July 10, citing security concerns. The company placed Claude Code on its high-risk software list and instructed employees to switch to Qoder, Alibaba's in-house AI coding platform. The ban followed Anthropic's June 2026 letter to US senators accusing Alibaba of the largest known distillation attack on Claude, Anthropic's mass account restrictions cutting off numerous Chinese users, and the discovery of the hidden location-detection code. China's CNBC confirmed the ban on July 7, 2026.
No. The tracking mechanism was not disclosed to users and was not mentioned in Anthropic's standard terms of service or privacy documentation during its deployment period (April 2 – July 1, 2026). The alleged backdoor surfaced via a June 30 Reddit post by LegitMichel777, who reverse-engineered Claude Code. Anthropic did not issue a formal disclosure before the Reddit post. Engineer Thariq Shihipar confirmed the feature on X after it was publicly discovered. Security Boulevard noted this "highlights the increasingly geopolitical battleground of corporate AI development, where data privacy, intellectual property theft, and international compliance continue to collide."
The hidden tracking mechanism was discovered through independent reverse engineering. On June 30, 2026, Reddit user LegitMichel777 published findings claiming to have analysed Claude Code's binary and found code beginning in version 2.1.91 that checked whether a user's proxy configuration or timezone matched identifiers associated with China or Chinese AI labs. The findings spread through specialist tech media the following week. Chinese publication Yicai was among the first to report the story to a Chinese-language audience. The NVDB warning followed on July 8, citing the "built-in monitoring mechanism" identified in the same version range.
No. Anthropic's terms of service explicitly prohibit access by Chinese-headquartered organisations and their majority-owned subsidiaries, even if incorporated abroad. Anthropic describes itself as maintaining the hardest line on China access of any major frontier AI company. Despite these restrictions, Claude Code was widely used in China through VPNs and third-party proxy services. In March 2026, a Xiaomi AI developer acknowledged at a state-organised forum that many Chinese developers were using Claude Code. It was this proxy-based access that Anthropic's timezone and network detection code was specifically designed to identify and block.
Both framings contain truth. From a technical security standpoint, software that collects and transmits user location and identity data without disclosure is a legitimate concern for any organisation handling sensitive data. From a geopolitical standpoint, the warning, issued by a state cybersecurity platform affiliated with MIIT, days after Anthropic's mass account cutoffs and the Alibaba distillation accusations, is inseparable from the escalating US-China AI rivalry. The warning legitimises Alibaba's ban, discourages Chinese enterprises from using US AI tools, and reframes Anthropic's anti-distillation measures as hostile surveillance. Both things can simultaneously be true: the code was real, and China's use of its exposure is strategic.
The Claude Code story is one episode in a rapidly escalating pattern of mutual restriction. Simultaneously: Beijing is reportedly discussing restrictions on overseas access to Chinese AI models including Alibaba Qwen and ByteDance Doubao. Anthropic has cut off large numbers of Chinese user accounts following its Senate letter. The Trump administration maintains export restrictions on Nvidia's most advanced chips. US restrictions on Anthropic's Fable and Mythos models for foreign nationals remain partially in place. Each escalation tends to produce a counter-move. The cycle of restriction, detection, disclosure, and retaliation is now structural to the US-China AI relationship, and the Claude Code episode is its most recent chapter, not its conclusion.
China Rocks AI
The complete ecosystem behind this story: China's Six AI Tigers, national champions, sovereign chip strategy, and the $295 billion infrastructure buildout.
Jans Bock-Schroeder
Publisher & Founder of AI Angst
Coming from the world of art, photography, and the luxury market, Jans launched AI Angst in 2025 to explore the cultural, ethical, and psychological impacts of artificial intelligence. His work bridges creative vision with critical technology analysis, offering clarity in an era of rapid technological change.
Sources and Citations
This article is based on the following primary sources, all published July 8–9, 2026:
-
CNBC: "China warns about AI risks with Anthropic's Claude Code" (July 8, 2026)
Primary source for NVDB warning text, affected version range (2.1.91–2.1.196), Anthropic's backdoor-as-anti-distillation response, Xiaomi developer forum reference, and Alibaba ban confirmation.
https://www.cnbc.com/2026/07/08/china-anthropic-ai-claude-code-backdoor-security-threat.html -
South China Morning Post: "Anthropic hits back after China warns of Claude Code 'backdoor' risks" (July 9, 2026)
Source for NVDB WeChat post text, Claude Code's "not officially available in China" framing, MIIT affiliation detail, and version date confirmation.
https://www.scmp.com/news/china/article/3359901/anthropic-hits-back-after-china-warns-claude-code-backdoor-risks -
Reuters / US News: "China Issues 'Backdoor' Security Alert Over Anthropic's Claude Code" (July 8, 2026)
Source for Reuters wire text on NVDB warning, Alibaba ban detail, and Anthropic's "experiment" characterisation.
https://money.usnews.com/investing/news/articles/2026-07-08/china-issues-backdoor-security-alert-over-anthropics-claude-code -
CBS News: "China warns of 'security backdoor' in Anthropic AI coding tool" (July 8, 2026)
Source for Thariq Shihipar X post quote, "unauthorized resellers and distillation" framing, Alibaba ban timing (July 10), and AFP non-response note.
https://www.cbsnews.com/news/china-security-backdoor-anthropic-ai-coding-tool/ -
Tom's Hardware: "Alibaba bans Anthropic's Claude Code after an alleged hidden China-detection backdoor is uncovered" (July 2026)
Source for LegitMichel777 Reddit post discovery detail, version 2.1.91 April 2 release date, Qoder replacement instruction, and Anthropic Senate letter context.
https://www.tomshardware.com/tech-industry/artificial-intelligence/alibaba-bans-anthropics-claude-code -
Security Boulevard: "China Warns of Backdoor in Anthropic's Claude Code Amid Rising AI Geopolitics" (July 8, 2026)
Source for "largest coordinated attack" characterisation, July 1 rollback confirmation (version 2.1.198), and "geopolitical battleground" framing of data privacy vs IP theft collision.
https://securityboulevard.com/2026/07/china-warns-of-backdoor-in-anthropics-claude-code-amid-rising-ai-geopolitics/ -
Techzine Global: "A world turned upside down: Alibaba accuses Anthropic of backdoor" (July 2026)
Source for Yicai first-report attribution, LegitMichel777 technical reverse-engineering detail, and Anthropic June 10 Senate letter (28.8M interactions / 25,000 accounts) figures.
https://www.techzine.eu/news/privacy-compliance/142666/a-world-turned-upside-down-alibaba-accuses-anthropic-of-backdoor/
Published: July 9, 2026. Sources verified at time of publication. Story is developing. All external links open in a new tab.