According to the Financial Times, Chinese engineers at some of the country’s largest IT businesses have been using unauthorized workarounds to access Anthropic’s Claude, circumventing the AI company’s stringent ban on use by Chinese entities. According to the research, enterprises such as Ant Group provided staff with corporate Claude accounts linked to a Singapore-based subsidiary, while ByteDance programmers utilized personal Claude subscriptions accessible using VPNs, which the company repaid. Others routed access through foreign-incorporated subsidiaries that used cloud infrastructure such as Microsoft Azure, allowing mainland developers to utilize Claude internally while preserving a layer of separation from direct China-based access. Ant and ByteDance declined to comment on the report.
These practices do not violate US or Chinese law in isolation, but they directly breach Anthropic’s terms of service, which explicitly prohibit Chinese companies and any foreign entities under their control from using its AI models. Anthropic describes itself as the only frontier AI company that restricts sales to PRC-controlled companies, including subsidiaries incorporated outside China. In September 2025, it updated its terms to block any company more than 50% owned directly or indirectly by entities in unsupported regions such as China, Russia, Iran, and North Korea. That update, Anthropic said at the time, was specifically intended to prevent workarounds. The latest developments suggest the workarounds kept coming regardless.
“Anthropic moves to close loopholes that allow Chinese access to Claude.”~Financial Times
Transfer Stations and Distillation Attacks: The Scale of the Problem
When it comes to business workarounds and individual VPN users, a larger gray industry has emerged for gaining Claude access to China. Relay services known as “transfer stations,” which are situated between Chinese users and Anthropic’s servers, send prompts to Claude via reputable foreign accounts, get responses, and accept payment via WeChat or Alipay. Dozens of these businesses are listed on Chinese-language websites and GitHub pages, which also compare token prices and supported models. Some source enterprise discounts from Anthropic and licensed distributors, undercutting Claude’s stated API pricing by up to 90%. Because of worries that operators would store, resell, or analyze their prompts, analysts observe that larger Chinese AI groups typically steer clear of transfer stations in favor of the cleaner but more difficult-to-maintain path of overseas subsidiaries.
The scale of misuse is not just commercial. In a letter sent to US senators on June 10, 2026, Anthropic disclosed what it described as the largest known distillation attack it had ever identified. Between April 22 and June 5, 2026, approximately 25,000 fraudulent accounts generated more than 28.8 million interactions with Claude. The goal was to systematically extract Claude’s capabilities and use that data to train a competing model. Anthropic linked the accounts to operatives associated with Alibaba’s Qwen AI lab, though it stopped short of directly accusing Alibaba of orchestrating the attack. In the letter, Anthropic called for better information sharing between US AI companies when distillation attacks are detected and significantly harsher penalties for anyone caught running one.
“Chinese developers are buying Claude access through gray-market API transfer stations that can sell tokens at 5% to 10% of official prices while hiding the real user from Anthropic. A transfer station is a middle server that takes a user’s prompt, sends it to Claude, and returns the response.”~Rohan Paul
Anthropic Deploys Timezone Monitoring, Identity Checks and Hidden Code to Close the Gap:
Anthropic’s response has been multi-layered. It is now monitoring accounts for behavioural signals including users’ computer time zones and usage patterns to identify accounts acting as transfer stations or relay nodes for China-linked access. It also began requiring identity verification for flagged accounts in April 2026, asking for government-issued IDs and live selfies before restoring access. In a strange move, it also embedded hidden detection code within Claude Code that checked the base URL environment variable and cross-referenced system timezones and hostnames against a list of known Chinese AI labs, resellers, and gateway domains using a steganography-based approach to conceal the detection logic in plain sight. A developer named Thereallo made the code public, raising questions about the measure’s hidden nature. Anthropic later stated that it would remove the secret code, and a developer from the Claude Code team confirmed that the change was included in the July 2 version.
“How do Chinese users access Claude and get around Anthropic’s restrictions? Transfer stations: ‘a software interface that receives users’ requests and forwards them to Anthropic as if they originated from a legitimate account, a payment integration (usually Alipay or WeChat), and the unglamorous operational layer that keeps it running — cycling accounts before they get flagged, balancing load across the pool, and continuously adapting to Anthropic’s abuse-detection updates.'”~Kyle Chan
Why Chinese Engineers Want Claude Despite a Competitive Domestic AI Market?
The demand for Claude among Chinese engineers persists even as domestic models have grown more capable and that says a lot about where Claude still has an edge. Its coding capabilities, in particular, are widely regarded as superior for complex software tasks, and this has made it especially attractive for distillation: the practice of training smaller, cheaper models by feeding a more powerful model enormous volumes of questions and recording its answers. Chinese startups use this approach to leapfrog the research investment required to build frontier models from scratch. Claude’s coding reputation makes it a preferred target.
CEO Dario Amodei stated in February 2026 that Anthropic has already lost several hundred million dollars in income by refusing to sell to Chinese Communist Party-linked enterprises and preventing CCP-sponsored cyberattacks. Microsoft, for its part, informed Anthropic that it supports the company’s efforts to monitor usage and enforce its rules via Azure. Anthropic stated that it will continue to expand its detection systems in partnership with partners, a commitment that now extends to the government, as it addressed a letter to senators in June asking legislative backing for the initiative.
“Anthropic is moving to close loopholes that have allowed Chinese companies to bypass its strict bans on unauthorized AI usage. Claude’s coding capabilities are especially popular among Chinese start-ups for ‘distillation,’ a process where smaller models are trained to mimic more capable ones.”~Spotlight on China



