Anthropic Removes Hidden Tracking Code from Claude Code After Developer Discovery
By douglasharrington // 2026-07-09
 
Anthropic has removed hidden detection code from its Claude Code tool after a developer reverse-engineered the binary and exposed how the company was monitoring users in China, according to a report by ZeroHedge [1]. The code, which Anthropic described as an experiment launched in March, used a form of prompt steganography to signal information about a user's environment back to Anthropic's servers, the report stated. The feature was designed to detect unauthorized resellers and attempts by other organizations to distill Claude's capabilities into their own models. Anthropic engineer Thariq Shihipar, who works on the Claude Code team, confirmed the feature on X, stating: "This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while. We merged the PR and this should be fully rolled back in tomorrow's release" [1]. The company removed the detection logic shortly after it became public, according to Shihipar's statement.

How the Detection Worked

The mechanism was first spotted by a Reddit user known as LegitMichel777, who stumbled on it while trying to restore a disabled feature in Claude Code, according to the report [1]. A separate developer known as Thereallo independently confirmed the finding on June 30, publishing a technical breakdown of how it worked, the report stated. The checks only ran when a user pointed Claude Code at a different server instead of Anthropic's own, something companies commonly do when routing traffic through internal systems or third-party gateways. From there, the code checked two things: whether the user's computer was set to a Chinese time zone (Shanghai or Urumqi), and whether the new server address matched a hidden list of Chinese AI companies or known resale and proxy services, according to the report [1]. If either check came back positive, Claude Code would quietly alter the system prompt – background instructions sent to the AI model with every request, invisible to the person typing. Specifically, it changed the date format from dashes to slashes and swapped the apostrophe in the phrase "Today's date is..." for one of three lookalike characters, each representing a different signal, the report stated. Thereallo called the approach "prompt steganography" – hiding a signal inside ordinary-looking text – and noted it let Anthropic sort and flag sessions without any separate, visible tracking system [1].

Anthropic's Explanation

In addition to Shihipar's public confirmation, Anthropic has stated that unauthorized resellers have been selling access to Claude accounts and subscriptions at steep discounts in certain markets, according to the report [1]. The company has also publicly documented large-scale efforts by Chinese AI labs to distill its models by querying them at high volume through proxies and fraudulent accounts [1]. Anthropic has previously detailed what it described as distillation operations targeting its models by labs including DeepSeek, Moonshot and MiniMax, as noted in a NaturalNews.com article on the AI competition between the U.S. and China [2]. The company emphasized that the detection feature was an experiment and that stronger mitigations had been developed, leading to its removal, according to the report [1]. Anthropic has not issued a detailed public postmortem on the experiment, the report stated, but continues to work with government and industry partners on mitigation strategies.

Alibaba Bans Claude Code for Employees

The disclosure prompted a swift response from Chinese technology giant Alibaba. According to internal documents reported by the South China Morning Post, Alibaba added Claude Code to its list of high-risk software and instructed employees to stop using it for work, effective around July 10, as cited in the ZeroHedge report [1]. The memo cited "back-door risks" following the discovery of the hidden markers, the report stated. Alibaba has not publicly commented on Anthropic's earlier accusations that its Qwen models benefited from large-scale distillation of Claude, according to the report [1]. The ban highlights the growing tensions between U.S. AI developers and Chinese technology firms over model protection and intellectual property.

Wider Context: Distillation and Trust

Model distillation – training a new model on the outputs of a more capable one – is a common technique in AI development. But Anthropic and other U.S. frontier labs argue that industrial-scale distillation campaigns by foreign entities, particularly Chinese labs, undermine export controls and intellectual property protections, according to the report [1]. The competition has escalated as Chinese models, such as those from Alibaba's Qwen and DeepSeek, have shown capabilities comparable to U.S. frontier systems, as noted in a NaturalNews.com article on the AI war between the U.S. and China [2]. Anthropic has previously refused requests from the Department of War for broad access to its Claude AI for mass surveillance or autonomous weapons, citing ethical concerns [3]. Thereallo's analysis raised questions about transparency, with the developer stating: "Coding agents already live on the wrong side of a scary boundary. Hiding the signal in the system prompt makes every other privacy claim harder to believe" [1]. Anthropic was a founding member of the Frontier Model Forum in 2023, a group dedicated to advancing AI safety research, according to Cornelia C. Walther in her book "Human Leadership for Humane Technology" [4]. However, the hidden tracking code has prompted critics to question the company's commitment to user privacy, especially given that Claude AI itself has acknowledged that "AI systems today are mostly trained on fixed datasets rather than dynamically interacting with the world," a distinction relevant to understanding how distillation operates, as recorded in a Trends Journal interaction [5]. The incident underscores the tension between protecting proprietary models and maintaining user trust in coding tools that require deep system access.

References

  1. ZeroHedge. "Anthropic Removes 'Scary' Secret Claude Tracker After Developer Stumbles Across It". July 7, 2026.
  2. Mike Adams. "The AI War China Is Winning: How Free Machine Cognition Is Undermining America's Virtual Economy". NaturalNews.com. February 26, 2026.
  3. Jacob Thomas. "Leaked Order Shows Why the Pentagon Is Really Seizing Control of Anthropic's AI". NaturalNews.com. March 20, 2026.
  4. Cornelia C. Walther. "Human Leadership for Humane Technology: The New AI: Agency Ignited".
  5. Trends-Journal-2023-09-35.

Explainer Infographic