Anthropic is tightening access controls for its Claude AI assistant after discovering that Chinese companies have been using overseas entities, VPNs, and personal subscriptions to bypass a strict regional ban. The company explicitly blocks access from unsupported regions, including China, but firms such as Ant Financial and ByteDance reportedly found workarounds to keep Claude available to their engineers.
Ant Financial provided some employees with corporate Claude accounts through its intranet, linked to a Singapore-based entity. ByteDance allowed engineers to pay for personal Claude subscriptions and seek reimbursement, routing access through VPNs. Microsoft also sold API access to Chinese companies with Singapore entities, enabling mainland engineers to use Claude through internal networks.
While these methods violate Anthropic’s terms of service, they do not break US or Chinese law. Anthropic stated that it “explicitly prohibits accessing or facilitating access to Claude in unsupported regions, including China” and uses “changing detection systems to find and ban accounts that break its rules.”
The company is also targeting “transfer station” services that route requests from mainland China through overseas Claude accounts, making access appear to come from supported regions. Smaller users may rely on these services, but larger Chinese AI companies often avoid them due to fears that operators could store, copy, or resell prompts, especially when working with private code and internal data.
Claude Code has drawn strong demand from Chinese engineers because its coding outputs can support distillation—a process where smaller AI models learn to copy the behavior of stronger systems. This makes the tool valuable for firms trying to improve local models.
Meanwhile, China’s National Vulnerability Database flagged several Claude Code versions released between April and June, saying they can send user location and identity data to remote servers without clear consent. The database listed versions 2.1.91 to 2.1.196 as affected, describing the issue as “security backdoor vulnerabilities” and a “serious threat.”
Anthropic rejected the backdoor label, stating that the disputed function was an anti-abuse experiment meant to detect unauthorized users. It denied that Claude Code contained spyware or a tool built for secret surveillance. The dispute now links two separate issues: Anthropic’s effort to block Chinese access and China’s warning over Claude Code. Both sides frame the matter through security, but they point to different risks.

