Anthropic is closing the routing tricks, including Singapore intranets, VPN billed subscriptions, and third country relay services, that let restricted firms reach Claude.
Anthropic's updated restrictions on sales to unsupported regions do not target the model weights. They target the wiring. The company is closing the routing tricks, including overseas subsidiaries, third-country cloud relays, Singapore-routed corporate intranets, and expensed personal subscriptions, that let restricted-jurisdiction firms keep reaching Claude despite a service policy that already banned them from doing so.
The pattern the company is now moving against was already mature before the policy update landed. Reporting from the Financial Times, cited by ZeroHedge, describes two specific shapes the workaround took inside two named Chinese tech firms.
At Ant Financial, the Alibaba-affiliated fintech whose largest shareholder Alibaba was recently added to a US military-end-user blacklist, staff routed corporate Claude accounts through a Singapore-linked intranet, making the requests look like they originated from a permitted geography. At ByteDance, the parent of TikTok, employees used consumer VPNs to mask their location and then filed the personal subscription cost as an expense. Neither pattern, on the FT's account, violated US or Chinese law. Both breached Anthropic's terms of service, which prohibit Chinese-controlled entities from using its models.
That distinction is the story. US export controls govern the movement of model weights and certain hardware. Anthropic's acceptable-use policy governs who can sit at the keyboard. The two regimes overlap, but they are not the same regime, and the FT's reporting is the most detailed public accounting so far of how the gap between them gets bridged in practice.
The most interesting access pattern in the package is not corporate. It is commercial. Anthropic's enforcement team has gone after what the FT calls transfer stations: third-party relay services that accept prompts from clients in restricted jurisdictions, re-originate them from overseas-registered Claude accounts, and return the answers to the original requester. Larger Chinese AI labs have tended to avoid these services because they fear prompt exfiltration on the way back through. That detail matters. It suggests the relay economy was bigger than anyone would publicly admit, and that the people most willing to use it were exactly the people with the least in-house model capacity to lose if their prompts leaked.
Anthropic's own statement frames the work as continuous: the company prohibits access from unsupported regions, including China, and "continuously updates [its] enforcement systems to detect evasion," according to its policy page. The substantive confirmation that those systems were not catching the corporate-intranet and reimbursed-subscription cases until now is the part that the FT-sourced reporting, and follow-on coverage from the South China Morning Post and MediaNama's summary of the September 2025 service policy update, actually supplies.
The threshold that matters for compliance teams is the ownership rule. Anthropic's revised policy bars firms with 50% or more Chinese ownership from accessing Claude, a line that pulls in entities the US government would not necessarily classify as restricted parties under the Commerce Department's export-control lists. That overlap, and the gap, is where most of the operational headache will sit.
The context is not nothing. The Commerce Department recently lifted three-week-old export controls on two Anthropic models, Fable and Mythos, that had been put in place over national-security concerns, a reminder that the export-control regime is moving in real time even as Anthropic tightens the terms-of-service regime underneath it. Coverage of that rollback has appeared across the trade press, and it sets the right frame for the present crackdown: the US government is currently more permissive on the model-weight side than it was a month ago, while the model provider is becoming more aggressive on the access side.
What the workaround map shows is that access control, not weight control, is where AI export governance actually has to live if it is going to live anywhere. Weights are a one-time leak. Routing is a continuous one. Anthropic's update is, on the FT's account, the most detailed public accounting to date by a frontier model provider of the routing layer beneath its access controls. Whether the new enforcement actually catches the next Singapore intranet is the test that will determine whether this is a clampdown or a press release.