Anthropic hid an anti-China tracker in Claude Code: when ethics becomes a brand and the brand becomes a liability

🕒 Published on Zendoric: July 8, 2026 · 09:15
A security researcher discovered hidden code in Claude Code's system prompt that detected time zones and proxy usage to identify connections with Chinese labs. Anthropic confirmed it: it was a March experiment against unauthorized resale and distillation of its models that was never removed.
We'll send you a confirmation email (double opt-in). Privacy.
By Futurism (via Ars Technica) · July 7, 2026. A researcher who goes by "Thereallo" found, hidden inside Claude Code's system prompt, code capable of tracking the system's time zone and the use of proxy servers to infer whether a user was connected to specific Chinese AI labs. It was not a bug: Thariq Shihipa, an Anthropic engineer, confirmed on X that it was an "experiment" added in March to "prevent account abuse by unauthorized resellers and protect against distillation," and that they had wanted to remove it for some time but had not done so.
The technical and commercial context is relevant to understanding why Anthropic did this. Distillation —training a cheaper "student" model with the outputs of a more expensive "teacher" model— is a common practice in the sector, but the big firms increasingly see it as a way for smaller competitors to benefit for free from their investment. Anthropic had already this year accused DeepSeek, Moonshot and MiniMax of illegally distilling its models. On top of this comes a very concrete problem: according to The Washington Post, resellers in China were offering access to Claude Pro subscriptions —which cost more than $100 a month in the U.S.— for just $12, eroding both Anthropic's revenue and its control over who really uses its technology.
The problem is not that Anthropic wanted to defend itself against unauthorized resale and distillation: that is a legitimate commercial objective any software company would pursue. The problem is the method: inserting a hidden detection mechanism into the system prompt, invisible to the user, with no notice or option to opt out. As the researcher himself pointed out, "hiding the signal in the system prompt makes any other privacy claim harder to believe." Code agents like Claude Code already operate on delicate ground by design —they can inspect code, run commands, install packages and make commits on users' machines— so trust that they do nothing more than what is declared is, literally, all they sell.
What makes this episode especially uncomfortable for Anthropic is its brand positioning. The company has built much of its reputation —and has won customers who left ChatGPT because of it— by presenting itself as the actor most committed to ethical and transparent AI development, to the point of publicly standing up to the Pentagon over the use of its technology in mass surveillance of U.S. citizens. A covert tracker aimed specifically at users connected to Chinese labs, however defensible the business objective, clashes head-on with that narrative. The data collected, according to the finding itself, was not particularly invasive, but the principle —doing one thing while preaching the opposite— is what ends up damaged.
Our reading: this fits into a structural tension we had already been pointing out between U.S.-China geopolitical competition and real AI governance. Western firms feel legitimately threatened by the speed with which Chinese labs —DeepSeek, Moonshot, Zhipu, Alibaba— are closing the capability gap by leaning on open models and reverse-engineering others' outputs. But the response to that competitive pressure cannot be to covertly cut back the very transparency guarantees sold as a brand differentiator. The closer China's open frontier gets to the West's closed one —something performance data has been confirming quarter after quarter— the more tempted current leaders will be to toy with intellectual-property protection mechanisms that border on covert surveillance. It is a pattern to watch across the entire sector, not an isolated incident at a single company: the future abundance that AI promises will only be sustainable if user trust does not become the first casualty of the trade war between labs.
🔗 Related on Zendoric
- Anthropic secretly removes a hidden tracker in Claude Code that monitored Chinese users · 2026-07-08
- Anthropic removes its hidden code against Chinese distillation: protecting the model, at the cost of trust · 2026-07-02
- Anthropic Accuses Alibaba of Mass Data Extraction: When Training Data Becomes a Battlefield · 2026-07-03
Sources & references
- Anthropic News (GN) — Anthropic hid an anti-China tracker in Claude Code: when ethics becomes a brand and the brand becomes a liability
- arstechnica.com — Anthropic secretly removes a hidden tracker in Claude Code that monitored Chinese users
- washingtonpost.com — Anthropic spied on Chinese Claude Code customers to detect 'distillation' of its AI by rivals
- axios.com — Anthropic says Claude has a hidden internal space ('J-Space') where it thinks without words
Get the analysis by email · free
One email a day analysing the AI essentials. Free, no spam, unsubscribe anytime.
We'll send you a confirmation email (double opt-in). Privacy.


