Wire

China called Claude Code a security backdoor. Here's what it means for Anthropic's trillion-dollar IPO.

China called Claude Code a security backdoor. Here's what it means for Anthropic's trillion-dollar IPO.

Key points

  • China's National Vulnerability Database warned Wednesday that Anthropic's Claude Code contains a "security backdoor," and Alibaba has banned employees from using it starting July 10.
  • The issue: Claude Code silently checked users' timezones and proxy servers against a Chinese domain list starting in April, reporting matches back to Anthropic. Anthropic says it built this to fight fraud and pulled it July 1, before the story broke widely.
  • Anthropic has separately accused Alibaba's Qwen lab of running about 25,000 fake accounts to copy Claude's capabilities, a claim Alibaba denies. Neither claim is independently verified.
  • The timing matters: Anthropic confidentially filed for an IPO that could value it above $1 trillion, and Amazon (AMZN) and Google (GOOGL) together hold Anthropic stakes that drove more than half of each company's profit last quarter.

China's National Vulnerability Database, a cybersecurity arm of the Ministry of Industry and Information Technology, said Wednesday that Anthropic's Claude Code "contains security backdoor risks, posing a severe threat." Alibaba has told employees to stop using the tool entirely, effective July 10. Anthropic's actual China business isn't affected, since it already blocks China from its products. The bigger story is Anthropic's push toward what could be the largest AI company IPO ever, and the two mega-cap stocks that already have real money riding on how that goes.

What Claude Code was actually doing

The story surfaced from a Reddit post on June 30, when a user restoring a disabled feature in Claude Code said they found hidden detection logic buried in the code. Starting with a version released April 2, the tool reportedly checked whether a user's system timezone matched Shanghai or Urumqi, and whether their connection ran through a proxy address on a list of Chinese domains. A match didn't trigger an obvious flag. Instead, small details, like the date format and a punctuation mark, changed in data sent back to Anthropic's servers. Unless you knew to look, you would never see it.

Claude Code engineer Thariq Shihipar addressed it directly on X, calling it "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation." He said stronger fixes had already shipped and the whole thing would be "fully rolled back" in the next release. The pull request removing the code was merged July 1, about a week before China's government made its warning public.

Here's the detail that actually bothers me: not that Anthropic tried to detect abuse, but how quietly it did it. A blunt IP block or a rate limit is a normal thing for any company to run. Rewriting your own system prompt so the detection is invisible to the person using the product is a different kind of decision, and it's the kind that tends to get made by an engineering team without anyone from legal or communications in the room.

Why Anthropic built it: the Alibaba dispute

Anthropic has its own accusation against Alibaba. It says operators tied to Alibaba's Qwen AI lab ran close to 25,000 fake accounts between April 22 and June 5, generating more than 28.8 million interactions with Claude, an attempt to extract enough responses to train a rival model on Claude's output. That practice is called distillation. Alibaba denies it, and none of the specific figures have been independently verified.

The timezone check used the same signals, a China-based location and a proxy connection, that this alleged fraud campaign would have used too. Anthropic's position is that the tool targeted fraud rings rather than ordinary users, and that it came down as soon as it was found. It still shipped for three months with no disclosure anywhere in the product's release notes, which is the part a security review would flag no matter the original intent.

My honest read: I don't think this is corporate espionage. I think it's a scrappy anti-fraud measure that nobody senior signed off on, built by a team more worried about a specific abuse pattern than about how the code would look if someone found it. Those are two very different stories. An institutional investor reading the S-1 risk factors will be able to tell them apart. Someone scrolling a headline that says "security backdoor" will not, and that gap is Anthropic's actual problem this week.

The stocks with actual money on this

There's no ticker for Anthropic itself since it isn't public. Amazon (AMZN) and Google (GOOGL) are the two names that actually matter here, because of what their existing stakes are already worth.

CompanyStake in AnthropicQ1 2026 impact
Amazon (AMZN)About $8 billion invested since 2023; carried at $74.2 billion on the balance sheet as of April, with a commitment to invest up to $20 billion more$16.8 billion pre-tax gain from the stake, more than half of Amazon's pre-tax income that quarter
Google (GOOGL)A 14% equity stake, contractually capped at 15%, worth an estimated $135 billion at Anthropic's current valuation; up to $40 billion committed in totalAbout $28.7 billion of Alphabet's $62.6 billion profit, nearly half, came from this stake alone

Those two numbers alone, Amazon's $74.2 billion carrying value and Google's estimated $135 billion stake, add up to more than $200 billion in paper value sitting on two balance sheets for a company that hasn't gone public yet. When Anthropic's reputation takes a hit, that shows up in Amazon's and Google's own numbers too.

I don't think this single story moves either stock on its own, and I'd be skeptical of anyone claiming it will. What it does do is remind you how much of Amazon's and Google's recent "record profit" headlines are really one private company's valuation, marked up on paper, sitting inside two of the most closely watched earnings reports in the market. That's worth knowing whether or not this specific week's headline turns out to matter.

What it actually means for the IPO

Anthropic confidentially filed a draft registration with the SEC on June 1. Bankers reportedly see a debut above $1 trillion as the base case as soon as October, on revenue that grew from a $9 billion target in 2025 to a $47 billion annualized run rate in May. This specific incident doesn't touch that growth number. China was never part of it.

What it does touch is due diligence. Enterprise customers running a security review on Claude Code now have a concrete incident to ask about: undisclosed code that quietly reported user location data for months. Whether that reads as a security tool that got sloppy or a company that tracked users without saying so, it's the kind of thing that lands in an IPO prospectus as a named risk factor. Not because it hurt revenue. Because it happened.

My take: this doesn't sink a trillion-dollar IPO. It's a single paragraph in a very long prospectus, next to a revenue number that's still doing all the actual work. But quietly tracking something for months and only stopping once you got caught is exactly the kind of episode you don't want sitting in a diligence file a few months before a roadshow, and Anthropic now has to explain it to institutional investors, not just to whoever's reading it on X.

This is general market commentary, not investment advice. Several of the underlying claims in this story, including Anthropic's fraud allegations against Alibaba and the exact scope of the tracking code, are disputed or not independently verified. Always do your own research.

Frequently asked questions

What did China say about Anthropic's Claude Code?

China's National Vulnerability Database, part of the Ministry of Industry and Information Technology, said on July 8, 2026 that Claude Code contains security backdoor risks. Alibaba separately banned employees from using the tool starting July 10.

What was Claude Code actually doing?

Starting with a version released April 2, 2026, the tool reportedly checked users' timezones and proxy connections against a list linked to China, then encoded a match in small details of data sent back to Anthropic's servers. Anthropic pulled the code on July 1, before the story became widely known.

How much money do Amazon and Google have riding on Anthropic?

Amazon's stake was carried at $74.2 billion on its balance sheet as of April 2026, and Google holds an estimated 14% equity stake worth about $135 billion. In Q1 2026, gains on these stakes accounted for more than half of each company's reported profit.

Could this affect Anthropic's IPO?

Anthropic confidentially filed for an IPO on June 1, 2026, and is reportedly targeting a valuation above $1 trillion as soon as October. This specific incident doesn't threaten Anthropic's revenue growth directly, but it gives enterprise customers and IPO investors a concrete data-handling incident to weigh in due diligence.

Dennis Singleton
Dennis Singleton

Dennis Singleton has followed the markets closely for years and still finds them genuinely fascinating. He writes about stocks, AI, and semiconductors in plain language, cuts through the hype, and is straight about the risks as well as the upside. He does this because he wants readers to win.