Chinese agency warns that Anthropic Claude has a 'back door'

On July 8, this government-run cybersecurity platform said that some versions of Claude released by Anthropic in the April-June period contained a "backdoor" that could send sensitive information such as location and user identity to a remote server without consent due to a "built-in monitoring mechanism", thereby posing a "serious threat".
NVDB recommends that Chinese users uninstall it to avoid possible security risks.

Last weekend, Alibaba Group also banned employees from using Claude Code at work, starting from July 10. "Due to the recent discovery that Claude Code contains security vulnerabilities, after a comprehensive review, this product has been added to the high-risk software list," according to a notice to Alibaba employees obtained by SCMP.
Some internal sources said that Alibaba believes that Claude has embedded code capable of tracking whether Chinese users are affiliated with any artificial intelligence laboratories in the country.
Alibaba and Anthropic have not yet commented.
According to Tom's Hardware, NVDB and Alibaba's move stems from developer Troye Sivan's discovery that Claude Code secretly sent information such as time zones and domain names, targeting Chinese users. On Twitter later, Anthropic engineer Thariq Shihipar confirmed that the company has been testing embedding code into Claude Code since March to "prevent account abuse from unauthorized resellers and protect against information theft," adding that the early option will be completely removed in an upcoming release.
A report by cybersecurity website International Cyber Digest after reviewing versions released in April and June also found that Claude Code contains a "backdoor" that records information about certain users, such as whether they are using a proxy server or are in the Chinese time zone. The data was then "hidden" in a message sent to Anthropic.
"Today it's just checking the time zone, tomorrow it could be system sabotage or data theft," one Reddit user commented.
Experts expressed concern. Huang Yong, a software developer in Beijing, warned that Anthropic's move could set a bad precedent. Cybersecurity firm Huorong Security said the issue raises concerns about cross-border data transparency and compliance.
Anthropic has not yet licensed Chinese users to use its AI tools. From September 2025, they updated the clause "blocking Claude access to any company majority-owned or controlled by a Chinese entity, regardless of where that business is headquartered", due to legal, regulatory and security risks.
Anthropic also repeatedly criticized Chinese AI laboratories for using illegal model "distillation" tricks. Earlier this year, they claimed that DeepSeek, Moonshot and MiniMax created 24,000 fake accounts to train miniature models. Last month, Alibaba was also accused by Anthropic of using similar methods to illegally train AI.
In the world of AI, the concept of "distillation" refers to the "transfer of knowledge" from one model to another in a teacher-student fashion. "Distillation is a technique designed to transfer the knowledge of a large pre-trained model (teacher) into a smaller model (student), allowing the student model to achieve comparable performance to the teacher model," scientists Vishal Yadav and Nikhil Pandey told Forbes. "This technique helps users leverage the quality of large language models (LLMs), while reducing inference costs."
Meanwhile, many Chinese developers are said to still be looking for ways to access Claude Code, according to WSJ. A study published in May by expert Zilan Qian of Oxford China Policy Lab showed that there is a "gray market" in this country specializing in selling Claude API (application programming interface) proxy services at a price equal to 10% of the official price. Intermediary networks, also known as “hubs,” operate publicly on GitHub, Taobao, and Telegram, offering “ultra-low prices” through a combination of credential theft, model replacement, and collecting user requests and outputs for resale as AI training data.