China Called Claude Code a 'Backdoor.' Anthropic Says It Was Anti-Abuse Code. What Versions 2.1.91–2.1.196 Actually Did.
On July 8, 2026, China's cybersecurity authorities warned that specific versions of Anthropic's Claude Code contain a "backdoor" that can transmit users' location and identity information to a remote server without consent. The flagged builds: versions 2.1.91 through 2.1.196, released between April 2 and June 29, 2026. Anthropic's rebuttal is blunt — it wasn't a backdoor, it was an anti-abuse experiment meant to stop unauthorized resellers and model distillation, and the code was already being removed. Both statements can be technically accurate at the same time, which is exactly what makes this story worth understanding rather than picking a side on. Here's what the code did, why each side frames it the way it does, and what it means if you write software for a living.
This isn't a simple "US company spies on China" or "China smears a US firm" story. It's a case where the same lines of code look like surveillance from one seat and fraud-prevention from another — and the gap between those readings is now a geopolitical flashpoint. Let's separate what's documented from what's disputed.
What the code actually did (the documented part)
According to reverse-engineering write-ups cited across multiple outlets, the mechanism in question first appeared in Claude Code version 2.1.91 (released April 2, 2026) with no mention in the release notes. What it reportedly did:
- Checked for Chinese time zones and known proxy domains to detect likely users in China.
- Invisibly watermarked flagged sessions.
- Could transmit session-linked identifiers — including location and identity signals — back to Anthropic's servers.
Those are the facts both sides more or less agree happened. China's authorities describe transmitting "sensitive information" without consent. Anthropic doesn't dispute that a detection mechanism existed; it disputes what it was for. Note the guardrail here: Anthropic states Claude access isn't officially permitted in China in the first place, which is central to its framing below.
Two framings of the same lines of code
Here's the disagreement laid out side by side — not to declare a winner, but to show why competent people read it differently.
| Question | China's framing | Anthropic's framing |
|---|---|---|
| What is it? | A covert "backdoor" and security threat | An experimental anti-abuse mechanism |
| Purpose | Surveil and profile Chinese users | Stop unauthorized resellers and model distillation |
| The data flow | Sensitive info sent without consent | Detect fraud on a service not licensed in China |
| Disclosure | Hidden; absent from release notes | Not a user-facing feature; an internal experiment |
| Status | Ongoing risk; uninstall affected versions | Already being removed; PR merged July 1 |
Anthropic engineer Thariq Shihipar said on X that it was "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation," adding, "The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while." The pull request stripping it out was reportedly merged on July 1 — a day after a public Reddit post surfaced it, and a week before China's formal warning.
The uncomfortable truth: "anti-abuse fraud detection" and "covert user tracking" are often the same code. Detecting whether a user is a fraudulent reseller and detecting whether a user is in a specific country use overlapping techniques — timezone checks, proxy detection, session fingerprinting. Intent lives in the developers' heads and the internal docs, not in the bytecode. That's precisely why a security regulator and a company can look at identical behavior and reach opposite conclusions in good faith.

## The backstory this dispute is actually about
The backdoor warning didn't appear in a vacuum. It's the latest move in an escalating fight between Anthropic and China's AI ecosystem.
In a letter to the US Senate Banking Committee on June 10, 2026, Anthropic accused operators affiliated with Alibaba's Qwen AI lab of running "the largest known distillation attack" on Claude — allegedly using roughly 25,000 fraudulent accounts to generate about 28.8 million exchanges between April and June. Distillation is the practice of using a rival model's outputs to cheaply train your own; if true, it's a direct attempt to copy Anthropic's model behavior at scale.
Read in that light, the "anti-abuse experiment" timing lines up: a mechanism to detect unauthorized/fraudulent usage, launched in the same window Anthropic says it was being hit by mass distillation. And the response from the other side lines up too — on July 3–4, Alibaba told employees it would ban Claude Code starting July 10, classifying it as high-risk software and steering staff to its own Qoder tool. Each side's security concern is, conveniently, also a competitive concern.

## What developers should actually do
Strip away the geopolitics and there's a concrete takeaway for anyone using AI coding tools.
- Check your version. If you run Claude Code between 2.1.91 and 2.1.196, update to a build after the mechanism was removed, or uninstall. This is basic hygiene regardless of whose framing you believe.
- Assume cloud AI tools phone home. Coding assistants send data to run — that's how they work. The lesson isn't "this one tool is uniquely dangerous," it's that any hosted developer tool is a data-flow you should understand before pointing it at sensitive code.
- Read tools as data pipelines, not features. The dispute here is entirely about undisclosed telemetry. The defensible standard for any vendor is disclosure: say what's collected and why. Judge tools by that standard, not by their country of origin.
- Separate the security question from the trade war. China's warning may be technically valid and strategically motivated. Both can hold. Let your own version check and network policy drive your decision — not the headline's tone.
Frequently Asked Questions
Was there really a backdoor in Claude Code? There was a hidden mechanism in versions 2.1.91–2.1.196 that detected likely Chinese users (via timezone and proxy checks), watermarked sessions, and could send identifiers to Anthropic's servers. Whether "backdoor" is the right label is the disputed part — Anthropic calls it an anti-abuse experiment.
What does Anthropic say it was for? Preventing account abuse by unauthorized resellers and protecting against model distillation. Anthropic says stronger mitigations replaced it and the code was already being removed (PR merged July 1, 2026).
Which versions are affected? Claude Code 2.1.91 through 2.1.196, released between April 2 and June 29, 2026. Update past that range or uninstall.
Why did Alibaba ban Claude Code? Alibaba classified it as high-risk and told employees to switch to its own Qoder tool starting July 10, 2026. The ban follows Anthropic's June 10 accusation that Alibaba-affiliated Qwen operators ran a mass distillation attack on Claude.
Should I stop using AI coding assistants? Not necessarily — but treat every hosted tool as a data pipeline. Know your version, understand what's transmitted, and don't point unvetted cloud tools at sensitive code. Disclosure, not nationality, is the standard that matters.
Key Takeaways
- China warned (July 8, 2026) that Claude Code 2.1.91–2.1.196 contained a "backdoor" transmitting location/identity data without consent.
- Anthropic calls it an anti-abuse experiment against resellers and distillation — already being removed (PR merged July 1).
- The same code can honestly read as surveillance or fraud-detection; intent lives in docs and developers' heads, not the bytecode.
- Context matters: Anthropic told the US Senate on June 10 that Alibaba-linked Qwen ran a ~25,000-account, 28.8M-exchange distillation attack; Alibaba banned Claude Code from July 10.
- Developer takeaway: check your version, treat hosted AI tools as data pipelines, and judge vendors by disclosure — separate the real security question from the trade war.
How this was written This piece was drafted with AI's research help; a human verified every fact and polished the final wording.
References
- CNBC: "China warns about AI risks with Anthropic's Claude Code" — https://www.cnbc.com/2026/07/08/china-anthropic-ai-claude-code-backdoor-security-threat.html
- CBS News: "China warns of 'security backdoor' in Anthropic AI coding tool" — https://www.cbsnews.com/news/china-security-backdoor-anthropic-ai-coding-tool/
- Tom's Hardware: "China alleges that Claude Code contains backdoors, calls mechanism 'a serious threat'" — https://www.tomshardware.com/tech-industry/artificial-intelligence/china-alleges-that-claude-code-contains-backdoors-calls-mechanism-a-serious-threat-govt-claims-claude-sends-sensitive-information-to-remote-servers-without-consent
- TechCrunch: "Alibaba reportedly bans employees from using Claude Code" — https://techcrunch.com/2026/07/04/alibaba-reportedly-bans-employees-from-using-claude-code/
- CNBC: "China's Alibaba bans Anthropic AI for employees after 'distillation attack' accusation" — https://www.cnbc.com/2026/07/06/alibaba-anthropic-ai-ban-claude-china.html
- South China Morning Post: "Alibaba bans staff from using Claude Code over Anthropic spyware concerns" — https://www.scmp.com/tech/big-tech/article/3359375/alibaba-bans-staff-using-claude-code-over-anthropic-spyware-concerns
Comments ()