# Anthropic Defends Claude Code Security Measures Amid Chinese Backdoor Claims

> Anthropic responds to Chinese regulator's backdoor allegations, calling it an anti-abuse measure, not a security flaw.
> By Dave · 2026-07-09
> Source: https://otf-kit.dev/blog/anthropic-claude-code-security

Anthropic's Claude Code is one of the more useful agentic coding tools to ship this year — a single prompt can generate, debug, and review a pull request end-to-end. The fight over its alleged "backdoor" is, mechanically, a fight about what counts as anti-abuse. Both sides have a real point, and the technical answer is more interesting than either headline lets on.

## What Claude Code actually does

Claude Code is Anthropic's AI coding agent. It runs in your terminal, takes a prompt, and reads your repo before it writes anything. It isn't a chatbot that pastes snippets — it opens files, runs tests, edits functions, and reports back. The same agent that scaffolds a Next.js route will also walk a stack trace and propose a fix, and it does this by reading the actual files on your machine rather than guessing from context.

That capability is precisely why it's controversial: people outside Anthropic's supported regions want to use it, and Anthropic wants to keep them out. The mechanism at the centre of the dispute is how Anthropic enforces that line — and what it does to traffic when enforcement kicks in.

## What the mechanism actually checks

Per Anthropic's statement to AFP, the mechanism checks two things on every request: the device's timezone, and whether the request is routed through a domain tied to an unsupported region or a "known problematic entity." That's the entire payload. No keylogger, no covert exfiltration channel, no mystery outbound traffic. It's the same kind of geofencing you'd find in any region-locked SaaS — the kind that pops a "this content isn't available in your country" modal.

The "known problematic entity" phrase is doing real work. Anthropic has previously accused Alibaba of reverse-engineering its AI models in a process the industry calls distillation — querying a frontier model at scale and training a cheaper competitor on the outputs. Distillation is API-level IP theft: the attacker gets the capability without paying for the research. The check is, in part, an attempt to catch the reseller and the distiller before they rotate through accounts.

## How to actually use Claude Code today

If you're on a supported Anthropic plan and your timezone and routing line up, you'll never see the check. Three commands to try the agent on a real repo:

```bash
# Install (Node 18+)
npm install -g @anthropic-ai/claude-code

# Authenticate against your Anthropic account
claude auth login

# Point it at a local repo
cd ~/code/my-project
claude "find the N+1 query in src/db/queries.ts and propose a fix"
```

The agent runs locally, reads files, proposes edits as diffs, and asks before anything destructive. Worth using on a real codebase for an afternoon before forming an opinion about the larger fight — most of the "is this safe?" worry evaporates once you've watched it edit a single file in front of you.

## The bypass economy

Users in unsupported regions — including, per Anthropic's policy, China and other nations it deems adversarial — can sometimes get around the restriction through VPNs or third-party proxy services. That's the real threat surface the check is aimed at, not the average developer with a stale clock.

A typical bypass looks like this: a reseller buys an Anthropic API key on a US card, fronts it with a proxy that gives Chinese clients a US exit IP, and resells access at a markup. From Anthropic's perspective, the traffic looks domestic. The timezone check and the routing check together try to catch exactly this — the request claims to be from a US IP, but the device clock says Asia, or the upstream resolver maps to a known proxy front. The check isn't exotic; it's the same heuristic every streaming service uses to invalidate a credentials-dump account.



![honest Claude Code user vs VPN-routed reseller](https://cdn.otf-kit.dev/blog/anthropic-claude-code-security/inline-1.png)



The mechanic is well understood. The political question — whether a vendor has the right to enforce a region ban at the device level on a tool you've installed locally — is the part nobody has settled.

## Why both sides are partly right

China's National Vulnerability Database, affiliated with the Ministry of Industry and Information Technology, characterised the mechanism as "security backdoor risks, posing a severe threat." NVDB advised institutions and users to "conduct a comprehensive check immediately" and "promptly uninstall or upgrade to the latest secure version from which the relevant backdoor code has been removed." The advisory also urged organisations to "strengthen network traffic monitoring to prevent the unauthorised leakage of sensitive data."

That last clause is the load-bearing one. When an agent can read your repo, the agent's outbound traffic is now part of your attack surface. NVDB's framing as "severe threat" is regulatory theatre — but the underlying concern, that a foreign vendor's agent is reading local source code, is not invented.

Claude Code engineer Thariq Shihipar confirmed the mechanism on X: "This is an experiment we launched in March that was meant to prevent account abuse from unauthorised resellers and protect against distillation." He added that "the team has landed stronger mitigations" — the post is truncated in the public record, but the implication is the check has been refined rather than removed. The mitigation is anti-abuse, not surveillance. That's the honest read.

Alibaba, the named distillation target, told employees last week that Claude Code use would be banned from July 10 over the same security concerns — a small irony, given Anthropic's prior accusation that Alibaba was already distilling Claude outputs to train a domestic competitor. Two parties calling the same traffic a threat, for opposite reasons, and both being partly right about what traffic actually does.

## What this means for your own perimeter

The technical lesson survives the politics. Three things to do today, regardless of which side of the firewall you're on:

```bash
# 1. Egress-deny your agent's outbound traffic to anything you don't recognise
#    (iptables example for a dev box)
sudo iptables -A OUTPUT -m owner --uid-owner $(id -u) \
  -d api.anthropic.com -j ACCEPT
sudo iptables -A OUTPUT -m owner --uid-owner $(id -u) \
  -j REJECT

# 2. Run the agent inside a worktree, not your main checkout
git worktree add ../agent-sandbox main
cd ../agent-sandbox && claude "refactor src/auth to use jose instead of jsonwebtoken"

# 3. Audit what the agent actually read — every session leaves a transcript
ls ~/.claude/sessions/ | tail -5
```

An agent that can read your repo can read your secrets, your unreleased feature branches, and your internal naming. Whether the vendor is in Boston or Beijing doesn't change that — only your egress policy does.

## The part that doesn't change when the agent does

Tool churn is the rule right now. Today's agent is next quarter's deprecated one. Claude Code is genuinely good and worth using. So is Cursor, so is Aider, so is whatever ships next. The regulator-versus-vendor fight will keep moving; the model you pick this month will be displaced by a cheaper one next quarter.

What doesn't change is the spec layer underneath: the conventions your repo exposes, the runtime config the agent reads, the boundary between "the model can do this" and "the model cannot do this without a human." That part survives the model upgrade, the price drop, and the next round of theatre.

When a tool wants to read your repo, the durable answer is to make what it reads predictable. A single source of truth for component shape. The same `Button` on web, iOS, and Android — one API, identical props. When the agent opens the file, the file says what it does and does what it says. The agent can't quietly invent a convention because the convention is the only thing the file accepts.

That's not a framework choice. It's an outcome. And it survives the next agent, the next model, and the next regulator-versus-vendor flare-up.

## What to watch

Anthropic's engineer said the team has "landed stronger mitigations" — the X post is truncated, but the implication is the timezone and routing check has been refined, not removed. NVDB's advisory is in effect. Alibaba's internal ban starts July 10. Expect more US-China clashes over AI tooling in the next quarter, and more agentic features shipping inside the editors you already use.

Both will keep moving. The spec layer you commit to is the part that doesn't.