The Singapore Detour: Anthropic Moves to Close China's Backdoor to Claude
Anthropic is hunting the offshore subsidiaries, VPNs and 'transfer station' accounts Chinese firms use to reach Claude — and testing how enf
What happened
On July 3, 2026, the Financial Times reported — and a wave of outlets quickly relayed — that Anthropic is stepping up efforts to block Chinese companies from reaching Claude through offshore workarounds. This is not a new policy so much as an enforcement push against the ways its existing policy has been quietly circumvented.
The specifics are what make the story concrete. According to the reporting, Ant Group gave staff corporate Claude accounts tied to a Singapore-based subsidiary, while ByteDance reimbursed engineers who bought personal Claude subscriptions using VPN access. Other routes reportedly ran through foreign-incorporated units operating on cloud infrastructure such as Microsoft Azure. None of these tactics is exotic; they are the everyday plumbing of a multinational software stack, repurposed to slip past a geographic block.
Anthropic's response, per the reports, is to monitor accounts for behavioral tells — computer time zones, usage patterns, and activity consistent with relay or "transfer station" accounts that funnel traffic on behalf of China-linked firms. The company is said to want to shut down a growing network of Singapore subsidiaries used to acquire U.S. AI technology with less scrutiny. Anthropic framed the tightening as intended to prevent workarounds and to reduce "legal, regulatory, and security risks," and to keep advanced models out of the hands of "authoritarian" regimes.
The rule being enforced
The line Anthropic is defending predates this week. In 2025 (Crypto Briefing dates the relevant terms-of-service change to September), Anthropic updated its terms to bar any company more than 50% owned — directly or indirectly — by entities based in unsupported regions including China, Russia, Iran, and North Korea. In April 2026, per the same reporting, it layered on identity verification for flagged users, requiring government-issued IDs and live selfies.
A crucial nuance runs through the coverage: the workarounds described do not appear to break U.S. or Chinese law. They violate Anthropic's terms of service. That distinction matters, because it defines what Anthropic can actually do about it. This is contract enforcement and account policing, not a court case or a sanctions action. Anthropic can suspend accounts and tune detection; it cannot subpoena a Singapore holding company.
Why a company is drawing its own export line
The most striking feature of this story is who is drawing the line. Export controls on advanced chips are set by governments. Here, a private AI lab is trying to enforce a geographic boundary on access to a service — one delivered over the open internet, purchasable with a credit card, reachable through any VPN. That is a fundamentally harder perimeter to hold than a shipment of GPUs at a port.
Anthropic has signaled it is willing to pay for the position. In February 2026, CEO Dario Amodei said the company had "forgone several hundred million dollars in revenue" by cutting off Claude for firms linked to the Chinese Communist Party. Taken at face value, that is a real cost — a rare case of a growth-stage AI company deliberately turning away demand on principle (or on risk calculus). It also, conveniently, aligns the company with Washington's prevailing posture on frontier-AI containment, which is not a bad place for an AI lab to stand right now.
The distillation angle
The enforcement push does not come out of nowhere. According to a letter Anthropic sent to U.S. senators on June 10, 2026, operatives it linked to Alibaba's Qwen AI lab carried out what it called the largest known distillation attack it has identified: roughly 25,000 fraudulent accounts generating more than 28.8 million interactions with Claude between April 22 and June 5, 2026. Distillation, broadly, is using a stronger model's outputs to train or sharpen a weaker one — turning paid API access into a teacher for a competitor.
Two cautions belong here. First, these figures come from Anthropic's own account, relayed via reporting; they have not, from the sources reviewed, been independently audited. Second — and this is a line Anthropic itself has drawn — the company linked accounts to Qwen-lab operatives but has not publicly accused Alibaba of directing the attack. That is a deliberate legal and rhetorical gap, and it should be preserved rather than collapsed into "Alibaba stole from Claude."
Hype versus what's real
Strip away the geopolitics and the mechanics are humbling. The detection signals reported — time zones, usage patterns — are the same heuristics any fraud team uses, and they are famously easy to spoof. A time zone is a setting. A usage pattern can be reshaped. Relay accounts exist precisely to launder these signals. There is little reason to expect a determined, well-capitalized firm to be permanently locked out by behavioral fingerprinting.
The system's own history underscores the point. Crypto Briefing reports that by early July 2026, Anthropic had already rolled back at least some of its covert detection measures after users pushed back — though it hasn't disclosed which. That is the core tension: measures aggressive enough to catch sophisticated evaders also catch legitimate customers, and legitimate customers complain. Enforcement lives on that knife-edge.
So the realistic read is not "China is now cut off from Claude." It is that Anthropic is raising the friction, the cost, and the reputational exposure of the workarounds — and, just as importantly, building a documented record it can hand to regulators. This looks less like a technical firewall than a compliance posture: demonstrate diligence, shift risk, and let Washington see you trying.
What to watch next
Three things will tell us whether this is substance or signaling. First, whether Anthropic publishes any enforcement metrics — accounts suspended, revenue impact — rather than leaving the "several hundred million" figure as a one-time talking point. Second, whether other frontier labs follow; a unilateral block simply reroutes demand to whichever provider polices least, so the policy only bites if it becomes an industry norm. Third, whether Congress acts on Anthropic's request for stronger penalties around distillation and better information-sharing between U.S. labs — the move that would convert a terms-of-service fight into actual law.
The takeaway
This is a real story with modest immediate stakes and large structural ones. What Anthropic can accomplish this week — nudging up the cost of offshore workarounds and documenting its diligence — is incremental. What it exposes is not: a single company is trying to hold an export boundary around software delivered over the internet, using fraud-detection heuristics against adversaries who specialize in defeating them. Chips can be stopped at a border. A model behind an API, reachable through a Singapore shell and a VPN, is a far leakier thing to contain. Anthropic is betting it can make the leak small enough to matter — and betting, too, that being seen to try is worth several hundred million dollars.