Anthropic Moves to Close Claude Access Loopholes: What Developers Need to Know

This article explains the key points behind the reported Anthropic crackdown on indirect Claude access. The affected routes include personal overseas accounts, overseas subsidiaries, Microsoft Foundry or Azure-style access paths, and third-party API relay services. The most sensitive issue is trust. Regional restrictions are one thing, but hidden environment checks or prompt-level signals inside a developer tool can make teams question what their tools are doing in the background. For companies and developers, the practical takeaway is clear: review supported regions, avoid informal relay channels for sensitive work, and evaluate model providers not only by capability but also by access stability, data handling, and compliance risk. **Claude may remain powerful, but predictable and compliant access is now part of the model-selection decision.**

发布于 2026年7月8日generalGEO 评分: 012 次阅读
Anthropic Claude restrictionsClaude access loopholesClaude Code timezone checkClaude Code API relayAnthropic unsupported regionsClaude API relayClaude Azure accessMicrosoft Foundry ClaudeClaude Code privacyChinese AI modelsQwenDeepSeekGLMAnthropic terms of service
图片展示了Anthropic Claude的标志,左侧是“Anthropic”和“Claude”文字,右侧是一个由多条橙色线条组成的放射状图案,背景为深色,底部有橙色波浪状线条。该图片位于文档开头部分,作为封面图,与文档中介绍Anthropic公司及其Claude模型的内容相呼应,起到吸引读者注意、传达品牌信息的作用。

Anthropic Moves to Close Claude Access Loopholes: What Developers Need to Know

Introduction

Anthropic is reportedly preparing a much stricter cleanup of unauthorized access paths to Claude. The original report focuses on one core issue: users and companies in unsupported or restricted regions have continued to reach Claude through indirect routes, and Anthropic now appears ready to close many of those routes more aggressively.

This is not just about ordinary account bans. The discussion now includes overseas subsidiaries, enterprise accounts, cloud provider access, API relay services, and even Claude Code behavior that some developers say was used to detect suspicious access patterns.

图片以“Anthropic下狠手 全面封禁”为标题,背景为夜景城市轮廓,画面中央是被铁链锁住的Claude标志,其上覆盖着“BLOCKED”字样。画面左上角有“突发!”字样,右上角有“新智元”标识。该图片与文档中关于Anthropic准备对未经授权访问Claude的途径进行更严格清理的内容相关,直观呈现了Anthropic对Claude访问的封禁措施,与上下文对Anthropic采取更严格限制措施的讨论相呼应。

Source Note

This article is based on the BAAI Hub repost of a Xinyu article, which cites a Financial Times report and several social media screenshots. The original source link is: BAAI Hub article.

Images that were directly related to the topic, such as report screenshots, social media screenshots, and code-related screenshots, have been kept in context. Decorative logos, QR codes, recruitment posters, business contact images, and engagement banners were intentionally omitted.

The Report That Sparked the Discussion

According to the original article, the Financial Times reported that Anthropic is moving to close loopholes that allow users in restricted regions to access Claude. The report quickly spread across AI communities because it touches several practical access routes that many teams may have relied on.

图片为FT China发布的推文,内容是“Anthropic采取措施堵住漏洞,防止中国用户访问Claude”,下方配图显示有人在操作类似锁具的装置,装置上有“c/c”“Think w/ Claude”字样。该推文与文档中关于Anthropic准备对未经授权访问Claude的途径进行更严格清理的内容相关,是对文档中提到的Financial Times报道的转发,报道指出Anthropic正关闭允许中国用户访问Claude的漏洞,引发AI社区关注。

The concern is not limited to one type of workaround. The article mentions special access channels, API relay services, foreign-registered subsidiaries, and cloud-provider-based access paths. In other words, Anthropic is not only looking at where an account is registered. It is also looking at who ultimately controls the user, where the actual user is located, and whether the access route is being used to bypass unsupported-region restrictions.

图片是一条Twitter推文,发布者为@Kalshi,发布时间为2026年7月3日20:55。推文内容为“JUST IN: Anthropic to close loopholes that allow Chinese access to Claude”,即Anthropic将关闭允许中国用户访问Claude的漏洞。该推文获得了108.5K次浏览。此推文是文档中提到的引发讨论的报告来源之一,与文档中介绍Anthropic准备对未经授权访问路径进行更严格清理的内容相关,反映了外界对Anthropic此举的关注。

2026’s “Absolute Block” Policy

The original article describes the July 2026 move as an “absolute block” against unauthorized access. The central point is simple: Anthropic does not want Claude to be accessed from unsupported regions, and it also does not want companies controlled from those regions to access Claude through foreign entities.

图片为新闻标题,背景为浅粉色,文字为黑色。标题为“Anthropic moves to close loopholes that allow Chinese access to Claude”,意为Anthropic采取措施关闭允许中国访问Claude的漏洞。下方副标题为“Engineers are still finding ways to use AI models despite stringent restrictions”,意为尽管有严格限制,工程师们仍在寻找使用AI模型的方法。该图片与上下文紧密相关,上下文提到Anthropic对Claude的访问限制,此图片标题和副标题进一步强调了Anthropic在限制访问方面所采取的措施及存在的挑战。

Two restrictions are especially important:

  1. Users should not access Claude from unsupported regions, and others should not help them do so.
  2. Companies controlled from unsupported regions may still be restricted, even if a subsidiary is registered outside that region.

This matches Anthropic’s public position from September 2025, when it said it was strengthening sales restrictions for companies or organizations controlled by jurisdictions where its products are not permitted. In that update, Anthropic also said the rule covered entities more than 50% owned, directly or indirectly, by companies headquartered in unsupported regions.

图片为一段文字,内容是Anthropic正采取措施关闭漏洞,这些漏洞曾让中国公司绕过AI公司对国内未经授权使用极为严格的限制。图片位于文档中介绍Anthropic限制措施的段落开头,是对上文提到的限制措施背景的总结,强调了Anthropic此举的背景是针对中国公司绕过其限制的行为。

To enforce these restrictions, the article says Anthropic may rely on more than ordinary account checks. It mentions payment method screening, suspicious IP detection, and system-level signals such as a user’s operating system timezone. The point is not only to identify where the account was created, but also to infer where the real user may be operating from.

Anthropic has also said it will continue updating detection systems with partners to identify and restrict accounts that appear to violate its terms.

All These Routes Are Now Under Pressure

The original article lists several access paths that are reportedly being targeted. These routes differ in structure, but they share the same basic idea: they try to make access look as if it comes from an allowed region, even when the actual user or controlling organization may be somewhere else.

Access Route How It Works Why It Is Being Targeted
Personal overseas accounts Employees register personal accounts outside the restricted region, sometimes with company reimbursement. It can hide the true organizational user behind an individual account.
Overseas subsidiaries A company buys Claude through a subsidiary in an allowed region, then routes access internally. Anthropic’s restrictions may apply based on control or ownership, not only registration location.
Cloud provider paths A company uses Claude through a cloud service such as Microsoft Foundry or Azure-related access. The user may appear to be using a cloud service while the final user sits elsewhere.
API relay services Third-party relay stations forward Claude API requests. These can obscure the real origin and user of the request.

1. Personal Overseas Accounts Paid by Companies

The first route is fairly simple. An employee registers an overseas Claude account in their own name, then the company reimburses the cost or gives informal financial support.

This may look like personal use from the outside, but the real purpose can be business use. If a company is located in or controlled from an unsupported region, that creates a clear compliance problem under Anthropic’s stated restrictions.

2. Overseas Subsidiaries and Enterprise Claude Accounts

The second route is more structured. A global company may have a legitimate overseas subsidiary in a supported region, such as Singapore. That subsidiary could purchase Claude access and then provide internal access to engineers in another region through a company network.

In the original article’s example, engineers connect to the company intranet and use Claude from inside that enterprise environment. From a technical routing perspective, the access may pass through the overseas subsidiary. From a policy perspective, however, Anthropic may still treat this as restricted access if the ultimate user or controlling entity falls under its unsupported-region rules.

This is why the new restrictions matter. If foreign registration alone is no longer enough, then overseas subsidiaries can no longer serve as a safe workaround.

3. Microsoft Azure and Cloud Access Paths

The third route involves cloud platforms. The original article points to Microsoft Azure and related cloud access as a possible path for companies that want to call Claude models through cloud infrastructure.

Microsoft is best known as OpenAI’s major partner, but Microsoft Foundry has also offered access to Anthropic Claude models. If a company buys access through a supported-region cloud account, requests could be routed through that cloud environment and then returned to users inside the company.

The article argues that this type of path may also be affected if Anthropic applies restrictions based on ownership, control, and actual usage rather than only cloud account location.

图片为一段文字内容,背景为浅粉色。文字提到Anthropic加强了通过漏洞检测并关闭中国使用方面的努力,相关人员称这曾难以执法。使用的方法包括通过外国子公司访问Microsoft Azure云服务来获取Claude。该图片与上文提到的Anthropic对海外子公司等路径的限制措施相关,进一步说明了Anthropic在检测和关闭中国使用方面所采取的措施及所用途径。

This does not mean every Microsoft Foundry or Azure Claude deployment is problematic. It means companies should review Anthropic’s terms, Microsoft’s regional requirements, and their own billing and user-location setup before assuming that cloud access is automatically compliant.

4. API Relay Services

The fourth route is API relay access. These services usually place a relay server between the user and the model provider. The user sends a request to the relay service, and the relay service forwards it to Claude or another model provider.

In 2026, the article says Anthropic has placed API relay stations among its key enforcement targets. The reason is obvious: relays can make it harder to identify the real user, the real organization, and the real request origin.

图片为Passluo于2024年6月30日发布的微博,内容是关于Anthropic的Claude模型API relay服务。图片展示了一个中转站名单,其中包含150个站点,如stephan - inc . com、ai - help . site等。名单中站点的用户,Claude可能随机修改prompt来干扰请求。该图片与文档中介绍的API relay服务相关,进一步说明了Anthropic在2026年将API relay站作为关键执法目标的原因,即中转站可能使识别真实用户、组织和请求来源变得困难。

The article also notes that large AI companies are less likely to depend on informal relay stations. For them, the risk is too high. Source code, product roadmaps, private algorithms, and internal data could all be exposed to an unknown intermediary.

For smaller teams, relay services may look convenient. But from a security and compliance perspective, they can create serious risk.

From Timezone Checks to Hidden Code: Why Trust Became the Real Issue

The most controversial part of the article is not only the access restriction itself. It is the claim that Claude Code included detection logic that could use local environment signals to identify suspicious usage.

According to the original article, security researcher Adnane Khan found that Claude Code, starting from version 2.1.91, contained hidden detection logic related to custom API forwarding addresses and user environment information.

When a user configured a custom API forwarding address, the program reportedly checked the operating system timezone and looked for signals linked to specific regions. The article says this created concern because the detection was not obvious to ordinary users.

图片展示了两条推文。上方推文由@Hesamation发布,称Anthropic已确认Claude Code正以中国用户难以察觉的方式,将时区、代理以及可能的AI实验室连接等信息发送到系统提示中,还提到如果一家中国AI实验室悄悄针对美国用户,会引发强烈反弹。下方推文是Thariq的回复,称该行为是3月为防止未经授权的转售商滥用账户并保护免受提炼而发起的实验,团队已采取更强措施,计划在明天发布中完全撤销。

The article also describes a strange prompt-level behavior. When Claude Code sent requests to the server, the system prompt could include a date string such as “Today’s date is 2026-06-30.” If the environment matched certain signals, the date separator could reportedly change from a hyphen to a slash, and the apostrophe in “Today’s” could be replaced with visually similar Unicode characters.

图片展示了Claude Code可隐秘更改的两件事相关代码。代码中,当满足特定条件时,会将“Today’s”中的单引号替换为类似Unicode字符,同时将日期分隔符从“-”改为“/”。该代码被从minified bundle中清理出来,用于说明Claude Code在用户不知情的情况下,可能根据环境检查悄悄修改提示内容,引发开发者担忧。此图与上文提到的Claude Code存在隐藏检测逻辑,可能通过环境信号识别可疑使用,以及系统提示日期格式变化等内容相呼应。

The visible change looked small:

2026-06-30

could become:

2026/06/30

图片展示了时间区时检查的变化示例。上方“text”区域显示“2026 - 06 - 30”,下方“text”区域显示“2026/06/30”。该图片对应文档中提到的奇怪提示级别行为,即当Claude Code向服务器发送请求时,系统提示可能包含如“Today’s date is 2026-06-30.”这样的日期字符串,若环境匹配特定信号,日期分隔符可能从连字符变为斜杠,且“Today’s”中的单引号可能被类似Unicode字符替换。此图直观呈现了这种日期格式变化,与上下文描述的日期格式变化现象相契合。

To users, this may seem like a tiny formatting detail. To a detection system, however, it could work as a hidden signal. That is why the reaction was so strong. Developers were not only upset about regional restrictions; they were worried that a coding tool they trusted might quietly modify prompt content based on environment checks.

According to the screenshot in the original article, a person named Thariq said the behavior was part of an experiment launched in March to prevent account abuse from unauthorized resellers and protect against distillation. The same response said stronger mitigations had landed since then and that the experimental behavior was expected to be rolled back in a later release.

Account Bans, Refund Disputes, and Internal Company Responses

The original article says that from late June to early July, many users in affected regions reported Claude account bans without advance notice. These reports included both individual subscriptions and team accounts.

A major complaint was refund handling. The article claims that accounts paid through the official website and then judged to be in violation were generally not refunded, and that successful appeals were difficult.

The article also says Alibaba had internally announced a reverse ban on Claude products, requiring employees to uninstall Anthropic-related tools including Claude models and Claude Code, with the ban taking effect on July 10. This part should be treated as a developing corporate-policy story unless confirmed through official company channels or reliable reporting.

What This Means for Chinese AI Models

The final question raised by the article is whether domestic models such as GLM, DeepSeek, Qwen, and Step may gain more room to grow.

The logic is straightforward. If overseas access to Claude becomes harder, more companies may shift development workflows to models that are locally available, easier to deploy, or more predictable from a compliance standpoint. For coding, knowledge work, agent workflows, and enterprise integration, availability can matter almost as much as raw benchmark performance.

This does not mean every team will immediately abandon Claude. Claude remains a strong model family, especially for coding and agentic workflows. But if access becomes unstable or policy risk becomes too high, teams will naturally evaluate alternatives.

FAQ

What is Anthropic reportedly trying to block?

Anthropic is reportedly trying to block indirect access to Claude from unsupported or restricted regions. The routes mentioned in the original article include overseas accounts, foreign subsidiaries, cloud-provider access, and API relay services.

Does registering a company overseas make Claude access compliant?

Not necessarily. Anthropic’s public restriction update says ownership and control can matter, not only where a subsidiary is registered. A company should review Anthropic’s current terms and supported-region rules before relying on a foreign entity structure.

Can Claude be accessed through Microsoft Foundry or Azure?

Anthropic provides documentation for using Claude in Microsoft Foundry, and Microsoft also documents partner model availability. However, cloud access still depends on supported regions, billing rules, and Anthropic’s terms. A valid cloud deployment should not be treated as a workaround for unsupported-region access.

What is an API relay service?

An API relay service forwards requests from users to a model provider such as Anthropic. It can make access more convenient, but it can also obscure the real requester and introduce privacy, compliance, and data-leak risks.

Why are developers concerned about Claude Code timezone checks?

Developers are concerned because the reported behavior involved checking local environment signals and possibly modifying prompt text in subtle ways. Even if the purpose was anti-abuse enforcement, hidden behavior inside a coding tool can damage trust.

Are relay services safe for company code or private data?

They are risky unless the operator is fully trusted and contractually accountable. A relay can see or process sensitive requests, which may include source code, business plans, customer data, or internal prompts.

Will this create opportunities for Qwen, DeepSeek, GLM, and other models?

It may. If Claude access becomes less predictable for some teams, locally available or regionally compliant alternatives become more attractive. That said, teams should evaluate models based on capability, privacy, deployment options, cost, and legal compliance.

Related Tools

  • Anthropic Claude: Anthropic’s official Claude model family for chat, coding, reasoning, and enterprise workflows.
  • Claude Code: Anthropic’s agentic coding system for working across codebases from a terminal or development workflow.
  • Claude API Documentation: Official developer documentation for building applications with Claude.
  • Microsoft Foundry: Microsoft’s AI platform for deploying and using foundation models, including partner models.
  • Qwen: Alibaba’s Qwen model platform and assistant experience.
  • DeepSeek API: Official DeepSeek API documentation for developers.
  • Zhipu AI BigModel: Zhipu AI’s official platform for GLM-family models and related APIs.

Related Links

Summary

This article explains the key points behind the reported Anthropic crackdown on indirect Claude access. The affected routes include personal overseas accounts, overseas subsidiaries, Microsoft Foundry or Azure-style access paths, and third-party API relay services.

The most sensitive issue is trust. Regional restrictions are one thing, but hidden environment checks or prompt-level signals inside a developer tool can make teams question what their tools are doing in the background.

For companies and developers, the practical takeaway is clear: review supported regions, avoid informal relay channels for sensitive work, and evaluate model providers not only by capability but also by access stability, data handling, and compliance risk.

Claude may remain powerful, but predictable and compliant access is now part of the model-selection decision.