The US-China AI War Finally Reaches the 'API Access' Layer — and the Hand Slamming the Door
When people say "US-China tech war," they usually picture semiconductors — blocking Nvidia GPUs from reaching China. But this story, broken by the Financial Times on July 3, 2026, shows the front line has shifted somewhere completely new. This time it's not about chips, it's about access. Anthropic is moving to shut down the various workarounds that Chinese heavyweights like Ant Financial and ByteDance have been using to reach its Claude models. Blocking hardware and blocking software access are fundamentally different games. A chip is a physical object you can at least catch at customs. A cloud API call flows across borders at the speed of light, no shipping container required.
Here's the whole thing in one sentence: Chinese firms have been dodging both US export controls and Anthropic's own terms of service by using Singapore-registered entities, VPNs, foreign subsidiaries running on Microsoft Azure, and "transfer station" proxy-reselling services to access Claude — and Anthropic is now closing those channels one by one. The genuinely interesting part is that most of these workarounds are not illegal. They break neither US nor Chinese law. They just violate Anthropic's terms of service. So this is less a government-led export control and more a private company doing its own self-regulation, filtering its own customers.
But why now? The backdrop is a lot uglier. On June 10, Anthropic sent a letter to the US Senate Banking Committee alleging that operatives tied to Alibaba's Qwen AI lab ran what it called an "industrial-scale model distillation attack" — roughly 25,000 fake accounts generating more than 28.8 million conversations against Claude between April 22 and June 5, 2026. Let me nail this down right here: that is an allegation by Anthropic. Alibaba has not admitted it, and no third party has verified it. But true or not, it explains why Anthropic suddenly got so sensitive about workaround access. If a company believes its model is being copied wholesale, slamming the back doors shut is the obvious first move.
So to really get this story, you have to read it in two layers. The surface is a technical, administrative move — cutting off access channels. But underneath it runs a spiral of mutual distrust. The US side says "China is stealing our models." The Chinese side, as we'll see, fires back with "your tools have a backdoor." Today I'll unpack both layers, carefully separating what's confirmed from what's still just an allegation.
The Cast — The One Locking the Door, The Ones Climbing Through, and The Self-Appointed Gatekeeper
First, the one locking the door: Anthropic. The US AI company behind Claude, famous for putting safety front and center in its brand. CEO Dario Amodei said publicly back in February 2026 that the company had "forgone several hundred million dollars in revenue" by cutting off Claude for firms linked to the Chinese Communist Party and stopping CCP-sponsored cyberattacks that tried to abuse the system. In other words, Anthropic already chose the "we'll take the financial hit and screen out China" path. This loophole crackdown is an extension of that line, not something that came out of nowhere. Its September 2025 policy update already explicitly barred any company majority-owned — directly or indirectly — by entities headquartered in unsupported regions like China from using its services.
Next, the ones climbing through: China's tech giants. According to the FT report, Ant Financial handed staff corporate Claude accounts tied to a Singapore-based subsidiary. ByteDance reimbursed engineers for personal Claude subscriptions they bought with VPN access. And some groups reached Claude through foreign-incorporated units running on cloud infrastructure like Microsoft Azure. These workarounds make enforcement much harder. On the surface it just looks like a Singapore company, using a US cloud, making normal API calls. To find out who the real owner is, you'd have to dig through payment flows, time zones, and usage patterns.
Third, a genuinely offbeat character enters: Justin Sun and his B.AI. Sun is the founder of the TRON blockchain and a lightning rod in crypto circles. B.AI is a blockchain-native "AI relay station" that lets users pay in crypto and anonymously access multiple LLMs — Claude, GPT, Gemini — through a single API. It sets up servers in Anthropic-supported countries and acts as a middleman between Chinese users and Anthropic. A user sends a prompt to a locally accessible website, which forwards it to Claude through overseas accounts or API keys, then passes the response back. But here too, let me be clear: Anthropic has not named B.AI in its enforcement actions, and no wrongdoing has been alleged against the platform. The crackdown simply threw a spotlight on the whole "relay" model.
Finally, standing in the background: US regulators. Anthropic's letter went to Senate Banking Committee Chair Tim Scott (R-SC) and Ranking Member Elizabeth Warren (D-MA), and Bloomberg first reported it on June 24, which is when this became a policy story. What's telling is that both a Republican and a Democrat were the recipients. On the subject of countering Chinese AI, US politics is speaking with a rare bipartisan voice. The government didn't issue a direct order, but with pressure coming from Congress saying "your model is leaking," Anthropic had every incentive to act.
What Actually Happened — Four Back Doors, and How to Lock Them
Okay, let's get concrete about the channels that existed and what Anthropic plans to do. Pulling together the FT report and follow-ups, the workaround channels Chinese firms used to reach Claude fall into four buckets. Here they are in a table.
| Workaround channel | How it works | Why it's hard to police |
|---|---|---|
| Singapore-registered entities/accounts | The Chinese parent opens corporate Claude accounts under a Singapore subsidiary and distributes them to staff | On paper it's a Singapore company, so it appears to belong to a supported region |
| VPN + personal subscriptions | Engineers use a VPN to bypass restrictions, buy Claude subs personally, and the company reimburses them | Thousands of scattered personal accounts make ownership hard to trace |
| Azure-hosted foreign units | A foreign subsidiary running on a US cloud like Microsoft Azure makes the API calls | Indistinguishable from normal cloud traffic |
| "Transfer station" proxy resellers | Third parties like Justin Sun's B.AI relay prompts and responses via overseas accounts/API keys | Anthropic can't see who the actual end user is |
Looking at this table, you can feel why it's a game of whack-a-mole. All four channels share a trait: they look like normal traffic on the surface and hide the real end user (the Chinese parent) behind at least one layer. The fourth "transfer station" model is especially nasty. From Anthropic's vantage point, all it sees is an overseas operator that legitimately bought an API key. Whether tens of thousands of Chinese developers are sitting behind it is invisible.
So how does Anthropic plan to block this? Per the reporting, it will monitor accounts for certain "signals" — things like a computer's time zone and usage patterns. Say a "Singapore entity" account has all its actual logins clustered in Beijing working hours, and its usage pattern closely mirrors a specific Chinese firm's internal workflow. That account is likely a transfer station or workaround channel, so Anthropic flags and filters it. It's not perfect, but it stacks signals to catch offenders probabilistically.
This is where the distillation allegation reconnects. The figures Anthropic cited to the Senate — 25,000 fake accounts and 28.8 million conversations between April 22 and June 5 — are the product of exactly this kind of pattern detection. When a huge volume of automated conversations clusters in a particular pattern, you start to suspect it's not humans but "distillation" — scraping a large model's outputs to train a smaller one. Again, to be clear: this distillation claim is an unverified allegation from Anthropic's side. Alibaba has offered no specific rebuttal, and no outside party has confirmed it.
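An added illustration of the signal stacking described above; it is not Anthropic's detection logic, which the reporting describes only by naming the signals. Each weak signal contributes a log likelihood ratio, so a single mismatch stays below the review threshold while several together cross it. The signal names, weights, prior, threshold and sample accounts are all constructed assumptions.

```python
import math
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed likelihood ratios, P(signal | relay) / P(signal | ordinary account).
# Illustrative assumptions, not measured values and not any vendor's real weights.
LIKELIHOOD_RATIOS = {"tz_name_mismatch": 6.0, "machine_paced": 8.0,
                     "around_the_clock": 4.0, "client_fanout": 5.0}
PRIOR = 0.01             # assumed base rate of relay/workaround accounts
REVIEW_THRESHOLD = 0.5   # posterior at which an analyst reviews the account
# Zone names a client in the billing country would normally report (partial map).
EXPECTED_TZ = {"SG": {"Asia/Singapore"},
               "US": {"America/New_York", "America/Los_Angeles"}}

@dataclass
class Account:
    account_id: str
    billing_country: str
    client_tz_names: list     # IANA zone name sent with each session
    request_gaps_s: list      # seconds between consecutive requests
    active_hours_utc: set     # hours of day (UTC) with any traffic
    client_fingerprints: int  # distinct client environments seen on the account

def fired_signals(a):
    signals = set()
    # Asia/Singapore and Asia/Shanghai are both UTC+8, so offsets and login hours
    # cannot separate them; only the reported zone *name* differs.
    expected = EXPECTED_TZ.get(a.billing_country, set())
    off = [tz for tz in a.client_tz_names if tz not in expected]
    if expected and a.client_tz_names and len(off) / len(a.client_tz_names) > 0.8:
        signals.add("tz_name_mismatch")
    # Human use gives irregular gaps; a near-constant gap suggests a script.
    gaps = a.request_gaps_s
    if len(gaps) >= 5 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < 0.1:
        signals.add("machine_paced")
    if len(a.active_hours_utc) >= 20:
        signals.add("around_the_clock")
    if a.client_fingerprints > 50:
        signals.add("client_fanout")
    return signals

def relay_probability(a):
    # Naive-Bayes stacking: add log likelihood ratios to the prior log-odds.
    log_odds = math.log(PRIOR / (1 - PRIOR))
    log_odds += sum(math.log(LIKELIHOOD_RATIOS[s]) for s in fired_signals(a))
    return 1 / (1 + math.exp(-log_odds))

# Constructed sample accounts.
ACCOUNTS = [
    Account("acct-ordinary", "SG", ["Asia/Singapore"] * 10,
            [40, 300, 12, 95, 600, 33], set(range(1, 10)), 3),
    Account("acct-traveller", "SG", ["Asia/Tokyo"] * 10,
            [20, 410, 75, 9, 130, 260], set(range(0, 9)), 2),
    Account("acct-relay-like", "SG", ["Asia/Shanghai"] * 9 + ["Asia/Singapore"],
            [2.0, 2.1, 2.0, 1.9, 2.0, 2.0], set(range(24)), 400),
]

def triage(accounts):
    rows = [(a.account_id, sorted(fired_signals(a)), round(relay_probability(a), 3))
            for a in accounts]
    return [r for r in rows if r[2] >= REVIEW_THRESHOLD], rows

if __name__ == "__main__":
    for row in triage(ACCOUNTS)[1]:
        print(row)
```

Because Singapore and Beijing share UTC+8, login-hour clustering by itself cannot tell the two apart; the example keys on the reported zone name and treats it as one weak signal among several.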
And here's the real twist: China didn't sit still. In the next section, as we look at what each side gains and loses, we'll trace just how far this spiral of distrust has gone.
The Math for Each Side — Who Gains What, and Who Loses What
Start with what Anthropic gains. First, IP protection. If its model really is being distilled, blocking workaround access is a way of defending its core asset. Second, political trust. For a brand that leads with safety and national security, signaling to Congress and regulators that "we take Chinese infiltration seriously" pays off long-term. Amodei bragging about "forgoing hundreds of millions in revenue" fits this exact logic. What it loses is just as clear: near-term revenue. For giants like Ant and ByteDance, the API bills alone are enormous. But Anthropic has calculated that its position as a "trusted US frontier lab" is worth more than that money.
What Chinese firms lose is access to a best-in-class tool. Claude Code has effectively been treated as the benchmark in coding agents. Even Alibaba, in its own benchmarks, boasted that Qwen-Coder-Qoder hit 60.51% while comparing it to the frontier model Claude 4.5 Opus at 64.86% — which tells you that China's top firms were quietly using Claude as a reference point. Losing that access is a short-term productivity hit. But there's a gain too: the justification and the pressure to go it alone. If you can't use it anyway, you have to switch to a domestic tool, and that can actually catalyze China's own AI ecosystem.
What US policymakers gain is an expansion of control. Until now, export controls focused on physical objects like chips. This episode shows that even the intangible layer — cloud API access and model usage — can effectively be regulated. Sure, the government didn't order it directly; a private company acted on its own. But it sets a precedent that congressional pressure can actually change corporate behavior. The loss, or risk, is that this could be the trigger for "weaponized reciprocity." When the US blocks access, China gets a justification to block US tools in its own market — and Alibaba did exactly that.
Let me add one more weight to the scale. Underneath all this math sits an unverified variable: just how serious the distillation attack actually was. If the claim is exaggerated, then Anthropic gave up big revenue and lost the China market for relatively little in return. If the claim is true, it already paid a price for locking the back doors too late. So the "stakes" here aren't a single number — they swing wildly depending on how much you believe each side's claims. The judgment is yours, but the key is not to blend confirmed facts with allegations.
Past Similar Cases — Export Controls and AI Access Enforcement, the Wins and the Losses
This "access denial" game isn't new. The most famous precedent is semiconductor export controls. Starting in 2022, the US barred Nvidia's high-end AI chips (A100, H100, and so on) from China. The result? A partial success. It clearly slowed China's cutting-edge AI training. But it failed to be a total block. Nvidia kept shipping performance-downgraded chips (H800, H20) tuned to sit just under the regulatory ceiling, and smuggling and third-country routes never stopped. If even physical chips leak this much, borderless APIs are harder still — one of the lessons hanging over this episode.
Another case worth revisiting is Huawei. From 2019, the US put Huawei on the Entity List and hard-blocked its access to American tech. That genuinely hammered Huawei's smartphone business. But long-term, Huawei pivoted toward building its own ecosystem — HarmonyOS — and teamed up with SMIC to push domestic chip development. In other words, "denial" definitely delivers a short-term blow, but it also maximizes the opponent's motivation to become self-sufficient. It's the textbook double-edged sword.
Narrowing to AI access specifically, Anthropic itself already cut off Claude for CCP-linked firms back in February 2026. The justification then was national security, and the cost was revenue. This loophole crackdown is essentially the "plug the holes" sequel to that move. It locked the front door in February, only to find people climbing through the back doors and windows — so now it's tightening the window frames too. This very pattern illustrates the fundamental dilemma of denial policy. Locking it once isn't the end; when the other side drills a new workaround, you lock again, forever.
So history's lesson is cold. Access denial rarely wins outright; it's mostly about buying time. You slow the opponent's pace of progress in exchange for the side effect of stimulating their self-sufficient ecosystem. This Claude episode will likely trace a similar arc. And if you look at how the Chinese camp is actually fighting back, you'll see that prediction is already becoming reality.
The Chinese Camp's Counterplay — Alibaba's Qoder Pivot, and the 'Backdoor' Counterattack
This is the most contentious part of the whole affair, and therefore the part to handle most carefully. The story blew up in the community: Alibaba reportedly ordered employees, effective July 10, to stop using Claude Code, Sonnet, Opus, and Fable entirely and uninstall them, switching instead to its in-house tool, Qoder. This part was reported by multiple outlets including TechCrunch and The Information, so the fact that "Alibaba issued an internal ban" is fairly credible.
The problem is the reason offered for it. Chinese security researchers reportedly reverse-engineered Claude Code and claimed that starting with version 2.1.91 (shipped April 2026), it contained a covert "user detection" mechanism. The alleged mechanism reads the system time zone, checks proxy or custom API addresses for keywords tied to Chinese firms like Alibaba, ByteDance, and Baidu, then secretly tags and transmits those users' environment data. Alibaba reportedly branded this a "backdoor" / security threat and classified Claude Code as "high-risk software." But — this is a one-sided claim, not independently verified. The word "backdoor" itself carries a lot of weight, and the two sides' interpretations of the code's nature collide head-on.
Anthropic's explanation is a completely different framing. According to Anthropic engineer Thariq Shihipar, who acknowledged it on social media, it was "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation." In other words, not "spyware" to surveil Chinese users, but an "anti-resale, anti-distillation experiment" to filter out the transfer stations and distillation attacks we discussed above. He said it was already rolled back in a July 1 update and would be replaced with stronger security measures. To sum up: over the same code, one side calls it "a backdoor exfiltrating our data" and the other calls it "a defensive mechanism to filter out thieves." Where the truth lies, nobody has independently confirmed.
The Qoder pivot is symbolic in this context. For Alibaba, it captures both the justification — "your tool is dangerous so we'll use ours" — and the practical upside — "access is blocked anyway, so we'll go self-sufficient." Qoder is Alibaba's own tool built on an agentic model it trained end-to-end inside its coding platform, and as we saw, it posted benchmark numbers close to Claude Opus. In other words, this isn't an inferior fallback used only because access got cut — it was a near-frontier domestic alternative already waiting in the wings. That's the exact echo of the Huawei HarmonyOS case.
So what's happening now isn't a simple "unilateral US block" — it's a two-way decoupling. US companies block China's access, and Chinese companies purge US tools internally and replace them with domestic ones. Each side declares "I don't trust you," and the AI development tools market is splitting in two along the Pacific. Regardless of whether the backdoor-versus-defense debate ever gets resolved, the decoupling itself is fast becoming an irreversible reality.
So What Changes — For Devs, Policymakers, Enterprises, and the Open-vs-Closed Debate
For Chinese developers, the immediate effect is a changed toolbox. Engineers who got comfortable with Claude Code now have to move their workflows to domestic tools like Qoder. Short-term, that's a hassle and a productivity loss. But medium-term, it forcibly matures China's domestic AI coding ecosystem. When demand pours into domestic tools, investment and improvement there accelerate. Ironically, the US block becomes the domestic tools' biggest marketing campaign.
For US policymakers, this episode is the discovery of a new lever. Moving from an era of controlling only physical chips, they've confirmed they can effectively regulate intangible assets too — cloud API access and model usage. But a big challenge comes attached. Access denial is inherently whack-a-mole, and if the government tries to control all of it, there's no end. A more realistic model may be the "distributed enforcement" seen here, where a private company filters via its own terms and pattern detection. Policymakers are likely to lean toward moving companies through "pressure and incentives" rather than direct orders.
For enterprises, the key takeaway is that geopolitical risk is now a mandatory item on the AI adoption checklist. A multinational has to ask: "Whose side is our AI vendor on, and could a subsidiary in a particular region suddenly lose access?" For global firms with R&D hubs in China especially, this episode becomes a real operational risk. Vendor diversification — running multiple models rather than betting everything on one — becomes more important.
Finally, this episode poured fuel on the open-vs-closed model debate. Think about it — the root reason all this workaround, distillation, and backdoor drama can even happen is that Claude is a "closed" model, accessible only via API, which means access can be blocked and monitored. Alibaba's Qwen family, by contrast, is largely released as open weights, so this kind of access denial doesn't even apply. Download it and run it locally, done. So the more the US tightens access to closed models, the more strategically attractive the Chinese camp's open-weight play becomes — a genuine irony. The ability to control access is closed models' strength, and simultaneously the weakness that hands the opponent a rationale for going open.
🥄 Three Things You're Probably Wondering
— So was there a real "backdoor" or not? Honestly, nobody has independently confirmed it yet. Two things are established. One: multiple outlets reported that Alibaba banned Claude Code internally and told staff to switch to Qoder, so that's credible. Two: an Anthropic engineer acknowledged that "there was an account-abuse/anti-distillation experiment started in March that was rolled back on July 1" — that's a confirmed statement. But whether that code was a malicious "backdoor" aimed at Chinese users, or a defensive mechanism to filter out thieves — the two sides' readings of its nature collide head-on, and there's no neutral third-party verification yet. That's exactly why you shouldn't repeat the word "backdoor" as if it were established fact.
— Is the distillation claim (25,000 accounts, 28.8M conversations) believable? Those figures are an "allegation" contained in Anthropic's June 10 letter to the Senate Banking Committee, first reported by Bloomberg on June 24. The important point is that this isn't a court ruling or a third-party audit — it's numbers presented by one side, Anthropic. Alibaba offered no specific rebuttal, and no outside body has verified them. Inferring distillation from conversation-volume patterns is technically possible, but pinning it specifically on "Alibaba was behind it" is a different order of claim. So "Anthropic alleged this" is the fact; "Alibaba actually did it" remains unconfirmed.
— If Anthropic blocks like this, does China really lose Claude? Realistically, "total denial" is hard. As history shows, access denial is closer to "buying time" than a clean win. Block one Singapore entity and another workaround appears; filter one transfer station and another proxy pops up — whack-a-mole. But this time is a little different, because China's biggest firms are voluntarily switching to a domestic tool (Qoder). So rather than "China can't use Claude because Anthropic blocked it," the more accurate framing is "both sides are choosing not to use each other, and the market is splitting in two." Total denial is not really the goal; decoupling is the result.
References
- Anthropic cracks down on Chinese workaround access to Claude, FT reports — Seeking Alpha
- Alibaba reportedly bans employees from using Claude Code — TechCrunch
- Anthropic claims China's Alibaba illicitly distilled its models from April to June 2026 — Tom's Hardware
- Claude Code's complicated China problem involves bans on both sides of the Pacific — The Decoder
- Justin Sun's B.AI Draws Attention Amid Anthropic's Crackdown on Claude Access Routes from China — CryptoTimes
Numbers and criteria are as of announcement and may change.



