Multiple Chinese AI laboratories systematically queried Anthropic’s Claude Code agent to extract and replicate its capabilities through distillation techniques, according to an investigation published Monday by the Washington Post. In response, Anthropic embedded detection software in Claude Code’s March 2026 update to identify China-based usage patterns and block access from entities linked to Chinese AI labs.
NCT previously reported on July 5 that Alibaba had banned Claude Code internally after discovering what it described as a hidden China-detection backdoor, instructing employees to switch to the company’s own Qoder tool. The Washington Post investigation provides the other side of the conflict: Anthropic deployed the detection mechanism specifically because Chinese firms were conducting large-scale distillation attacks on Claude Code’s agentic capabilities.
Distillation as an Agent-Level Threat
Distillation, in this context, refers to the practice of systematically querying a model or agent with carefully crafted inputs to extract its reasoning patterns, then using those outputs to train a competing system. Unlike traditional model theft, which targets weights or parameters, distillation attacks against agents like Claude Code target the tool’s higher-order behaviors: its ability to plan multi-step tasks, manage code repositories, and orchestrate complex development workflows.
The technique has become a recurring flashpoint between U.S. and Chinese AI companies. According to Tom’s Hardware, the Alibaba ban landed roughly three weeks after Anthropic accused Alibaba’s Qwen lab of conducting a separate distillation attack. The Washington Post reporting suggests the scope extends beyond any single company to a pattern involving multiple Chinese AI labs.
Detection and Countermeasures
Anthropic’s March 2026 update to Claude Code included software designed to identify China-based IP addresses and usage patterns associated with AI laboratory operations, according to the Washington Post. This is the mechanism that Alibaba subsequently discovered and characterized as a “backdoor.” From Anthropic’s perspective, according to the Post’s reporting, the detection software was a defensive measure against intellectual property extraction.
The escalation mirrors a broader pattern in AI geopolitics where developer tools and coding agents have become targets of nation-state interest. Agents that can autonomously write, review, and deploy code represent valuable intellectual property not just in their model weights but in the behavioral patterns they exhibit during complex task execution.
The Fragmentation Signal
The incident accelerates what appears to be a structural decoupling of AI development toolchains between the U.S. and China. Alibaba’s directive to switch to Qoder, its own coding agent, combined with China’s July 15 deadline for new AI companion regulations, points toward parallel and increasingly incompatible AI ecosystems.
For teams building or deploying agents in multinational contexts, the Claude Code conflict raises direct operational questions about tool availability, data sovereignty, and the risk that agent infrastructure becomes subject to geopolitical restrictions with limited advance warning.