Anthropic Claude Code logo on a laptop screen Image: South China Morning Post / cdn.i-scmp.com
by VibecodedThis

China Called Claude Code's Anti-Distillation Code a Backdoor. Anthropic Said It Wasn't.

China's cybersecurity agency warned that Claude Code versions from April through late June contained hidden code that sent user location and identity to remote servers. Anthropic confirmed the code existed — but says it was an experiment to block unauthorized resellers and model distillation.

Share

China’s Ministry of Industry and Information Technology flagged Claude Code last week as containing a security “backdoor” that could leak user location and identity data to remote servers. The advisory told Chinese developers to uninstall or upgrade away from versions 2.1.91 through 2.1.196, which covers roughly three months of releases from April 2 to June 29.

Anthropic confirmed the code existed. The framing is what the two sides dispute.

What the code actually did

Claude Code engineer Thariq Shihipar acknowledged the tracking mechanism in public comments: “This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation.”

Model distillation is the practice of training a smaller or cheaper model on outputs from a frontier model, transferring capability without paying for it. Anthropic has been vocal about treating distillation as a terms-of-service violation. The hidden code appears to have been an attempt to detect it happening.

Shihipar noted the team had developed stronger mitigations since the original deployment and had been planning to remove the experiment for some time. It was fully removed in version 2.1.198, released July 1.

The monitoring mechanism reportedly collected location and identity information. Whether that data reached Anthropic’s servers, was processed there, or was used to block specific accounts isn’t fully disclosed. Anthropic told the South China Morning Post that China-based users were never authorized to use Claude Code to begin with, citing its terms of service prohibiting usage by entities majority-owned by China-headquartered organizations.

The disclosure problem

Whatever the intent, code that silently transmits user data to external servers and isn’t documented in the terms of service is a meaningful trust breach, regardless of jurisdiction.

Anthropic hasn’t explained why the capability wasn’t disclosed in its terms of service or release notes at the time it was deployed. The company also hasn’t clarified what data was actually transmitted, how long it was retained, or whether any of it was used to action specific accounts.

The Register asked Anthropic for comment during initial reporting and received no response. Anthropic’s later statements focused on the anti-distillation purpose and noted the code was already removed.

Alibaba banned Anthropic tools

Alibaba ordered its employees to stop using Anthropic products for work starting July 10. The timing followed both the Chinese government advisory and context around Anthropic’s earlier accusation that Alibaba had attempted to distill its models.

That accusation came from Anthropic last month. The company said it had identified Alibaba-linked accounts attempting to extract capabilities from Claude through large-scale API usage consistent with distillation. Alibaba’s response is that it never authorized any such activity.

This leaves a complicated picture: a Chinese tech company banned from using an American AI tool over security concerns, while the American AI company had previously accused that same tech company of stealing its capabilities.

What developers should do

If you’re running any Claude Code version below 2.1.198, update. The current release as of July 14 is 2.1.209. The tracking code has been out since July 1.

The broader question of what Anthropic does collect, under what circumstances, and how it’s disclosed remains open. The company’s response to this episode hasn’t fully addressed those questions.


Sources: The Register · South China Morning Post · CNBC · GovInfoSecurity

Share