Zendoric
← Back to the day · July 8, 2026

Anthropic secretly removes a hidden tracker in Claude Code that monitored Chinese users

🕒 Published on Zendoric: July 8, 2026 · 09:15

A security researcher and web developer known as "Thereallo" discovered that Anthropic had built into Claude Code a "prompt steganography" mechanism that hid code capable of tracking users in China.

🎉 We're already a big community — and growing every dayJoin the readers who never miss the AI analysis that sets the momentum. Subscribe free.

We'll send you a confirmation email (double opt-in). Privacy.

🎧 Listen to the analysis

A security researcher and web developer known as "Thereallo" discovered that Anthropic had incorporated into Claude Code a "prompt steganography" mechanism that concealed code capable of tracking users in China. This code, although not malicious, sent Anthropic information that most users could not detect: coded markers signaling the time zone, the use of proxies and a possible connection to Chinese AI labs that Anthropic accuses of carrying out "distillation attacks" against its models.

After the public disclosure, an Anthropic engineer, Thariq Shihipar, confirmed on X that the tracker had been added to Claude Code as an "experiment" in March, with the stated goal of preventing account abuse by unauthorized resellers and protecting the company against the distillation of its models. On the first point, The Washington Post had documented that there were unauthorized resellers selling access to free models for barely $1 a month, and professional subscriptions worth up to $100 a month for just $12. Shihipar added that Anthropic had wanted to remove that code for some time because its engineers had already implemented "more robust mitigations" since then.

The explanation did not convince privacy advocates, who interpreted the finding as proof that Anthropic is willing to cross lines to surveil its users. The contradiction is striking because the company had previously clashed with the Trump administration by refusing to let the U.S. government use Claude to surveil U.S. citizens, a clash that led to a lawsuit by Anthropic against the White House.

The article frames the episode within the growing tension between U.S. and Chinese AI labs over model distillation. According to The Washington Post, Chinese firms have "consistently" matched the capabilities of U.S. models within months; in fact, a new free model from the Chinese company Zhipu AI reportedly surpassed Claude Opus 4.8 (launched in May) at detecting computer vulnerabilities. In an attempt to maintain a 12- to 24-month lead over China, Anthropic has asked the United States to step up its interventions, including possible restrictions on access to advanced models, chips and data centers. Although distillation itself is not illegal —and U.S. firms also practice it— using Claude in a massive, automated way to accelerate the development of Chinese models violates Anthropic's terms of use, and the company, along with OpenAI, is calling for these practices to be treated legally as intellectual property theft. At a Senate hearing, Senator Tim Scott (Republican of South Carolina) agreed on the need for a "clear and concise" export control policy to prevent China from gaining a technological advantage by this route.

The text also includes concrete evidence of distillation: in February, researchers from Peking University and the Chinese Academy of Sciences (state-funded) developed methods to detect signs of distillation in large language models and found substantial indications in most of the Chinese models analyzed, mainly with respect to U.S. models. One of Alibaba's Qwen models —which Anthropic points to as a beneficiary of what it calls the largest distillation attack suffered by Claude, occurring in June— even identified itself as "Claude" in some intensive tests carried out in February.

As a direct consequence of the controversy, Alibaba banned its employees from using Claude Code for work. According to a memo cited by the South China Morning Post, the company justified the ban precisely because of the news about Anthropic's tracker, describing Claude Code as "high-risk" software with "backdoor risks." The article notes that, unlike an individual user who can easily circumvent Anthropic's geographic blocks with cheap evasion technology, a company like Alibaba exposes itself to legal and compliance risks if caught breaching Anthropic's terms.

The report suggests that Anthropic is in a delicate position: it cannot afford to lose users' trust while competing to keep its models ahead of the Chinese ones, in a context where the loyalty of chatbot users depends on a cost-benefit calculation between price and capabilities. Thereallo, the author of the finding, called Anthropic's decision to act in secret "strange," noting the company could instead have openly announced the detection of custom API gateways through an explicit telemetry field, documented and visible in the release notes. On his blog, he warned that coding agents already operate on delicate ground —they can inspect code, accidentally summarize secrets, execute commands, install packages, edit files and make commits on the user's local machine— and that hiding this signal within the system prompt itself "makes it harder to believe any other privacy claim" from the company. According to the researcher, the feature mostly affects "normal developers doing legitimate but unusual things," who are easier to identify through fingerprinting.

Anthropic did not immediately respond to Ars Technica's request for comment, although a spokesperson told The Washington Post that distillation attacks by Chinese labs "pose a serious national security threat and undermine AI safety standards across the industry," and that for this reason the company continues "speaking openly" about what it observes and collaborating with other labs, governments and partners in search of shared solutions.

🔗 Related on Zendoric

Sources & references

Get the analysis by email · free

One email a day analysing the AI essentials. Free, no spam, unsubscribe anytime.

We'll send you a confirmation email (double opt-in). Privacy.