The Developer Tool Stack Starts to Split
Anthropic's export-control crisis and Alibaba's Claude Code ban mark a new front: the US-China AI split has moved from models into the developer workflow.
On June 12, enterprise users of Anthropic’s most capable models discovered that access had vanished. The US government had applied export controls to Fable 5 and Mythos 5, requiring restrictions on foreign nationals, whether inside or outside the United States. Because Anthropic said it could not verify nationality in real time, it suspended both models for all users. A policy decision had translated into a product outage.
Three weeks later, Alibaba, owner of Alibaba Cloud, issued an internal directive banning all Anthropic products, according to Chinese media reports. The directive, effective July 10, requires employees to uninstall Claude Code and every Claude model variant. The company designated its own AI coding platform, Qoder, as the replacement.
Two bans, three weeks apart, pointing in opposite directions: one imposed through Washington’s export-control machinery, the other inside Alibaba’s own engineering workflow. Previous rounds of US-China AI competition played out at the chip layer and the model cost layer. This one has reached the developer’s daily workflow: the IDE, the coding agent, the tool that reads entire codebases. That layer carries higher trust requirements and deeper integration than a typical model API call. That makes the separation harder to reverse than a typical model API switch.
Access, Distillation, Trust
The sequence began with a security finding. Amazon researchers discovered a method to bypass Fable 5’s safety classifiers, prompting the model to produce exploit demonstration code. Anthropic later confirmed that less capable models could reproduce the same behavior. The US government responded with an export-control directive on June 12; Anthropic then suspended access broadly because it could not verify nationality in real time.
By June 30, the export controls had been lifted. Anthropic said it had also trained an improved classifier that blocked the reported technique in over 99% of cases. For developers, however, the technical fix mattered less than the precedent. The episode introduced what one analysis described as “sovereign access risk” into enterprise AI procurement: a category in which the relevant question shifts from how capable a tool is to whether it will still be available tomorrow. Standard enterprise contracts, one review found, relied on vague “force majeure” clauses rather than provisions for regulatory suspension.
A second front had already opened. In a June 10 letter to the US Senate Banking Committee, the company alleged that Alibaba-affiliated operators had carried out the “largest known distillation attack” on Claude. Almost 25,000 fraudulent accounts, the letter claimed, generated more than 28.8 million exchanges between April 22 and June 5, targeting Claude’s agentic reasoning, software engineering, and long-horizon task capabilities. Anthropic framed the campaign as part of a broader pattern of “industrial-scale distillation attacks” by Chinese AI labs. The allegations remain Anthropic’s characterization; Alibaba has not publicly responded.
Then came the discovery that shifted the dispute from compliance to trust. Security researchers reverse-engineered Claude Code and found that, when a custom base URL or proxy was in use, version 2.1.91 contained a hidden classification mechanism. It checked the user’s timezone and proxy hostname for Chinese AI company keywords, then encoded the result into the system prompt through date-format and punctuation substitutions. An Anthropic engineer described the mechanism on X as “an experiment we launched in March” to prevent unauthorized resale and protect against distillation. He said it would be fully rolled back.
Alibaba’s response closed the loop. The company classified Claude Code as high-risk software, citing “back-door risks,” and ordered full removal. Zhidx (智东西), a Chinese specialist AI publication that broke the story, reported the ban extended to all Claude model variants.
Each step in this chain appeared to make the next one more probable. Export controls demonstrated that access could vanish. Distillation allegations raised the stakes. The hidden tracking mechanism turned a compliance dispute into a trust breach. The surface narrative runs on security and sovereignty. The structural question is different: when one of the leading coding models is both indispensable to Chinese engineers and a target for Chinese AI labs, can either side still trust the workflow layer that makes access possible?
The answer appears to lie in a trust spiral that both sides fed, and in the parallel ecosystem that China is now building to replace what it lost.



