Anthropic Removes "Scary" Secret Claude Tracker After Developer Stumbles Across It Anthropic has removed hidden detection code from its Claude CodeAnthropic Removes "Scary" Secret Claude Tracker After Developer Stumbles Across It Anthropic has removed hidden detection code from its Claude Code

Anthropic Removes "Scary" Secret Claude Tracker After Developer Stumbles Across It

2026/07/08 05:20
9분 읽기
이 콘텐츠에 대한 의견이나 우려 사항이 있으시면 [email protected]으로 연락주시기 바랍니다

Anthropic Removes "Scary" Secret Claude Tracker After Developer Stumbles Across It

Tyler Durden's Photo
by Tyler Durden
Authored...

Anthropic has removed hidden detection code from its Claude Code tool after a developer reverse-engineered the binary and exposed how the company was subtly monitoring users in China.

The code, which Anthropic described as an experiment launched in March, used a form of prompt steganography to signal information about a user's environment back to Anthropic's servers. It was designed to help detect unauthorized resellers and attempts by other organizations to distill Claude's capabilities into their own models.

How The Detection Worked

The mechanism was first spotted by a Reddit user known as LegitMichel777, who stumbled on it while trying to restore a disabled feature in Claude Code. A separate developer known as Thereallo independently confirmed the finding the same day, June 30, publishing a technical breakdown of exactly how it worked.

The checks only ran in one specific situation: when a user pointed Claude Code at a different server instead of Anthropic's own - something companies commonly do when they route their traffic through internal systems or third-party gateways. From there, it checked two things:

  • Whether the user's computer was set to a Chinese time zone (Shanghai or Urumqi).
  • Whether the new server address matched a hidden list of Chinese AI companies (including well-known names like DeepSeek, Zhipu, and Moonshot) or known resale and proxy services.

If either check came back positive, Claude Code would quietly tweak a line of text called the "system prompt" - background instructions the app automatically sends to the AI model with every request, invisible to the person typing. Specifically, it changed how the date was written in that line:

  • If the user was in a Chinese time zone, the date switched from using dashes to slashes (e.g., 2026/06/30 instead of 2026-06-30).
  • The apostrophe in the phrase "Today's date is..." was swapped for one of three lookalike characters, each one a different signal, depending on which combination of checks the session had triggered.

None of this was visible to users, or likely even to the AI model itself in normal use - the characters look identical on screen. But Anthropic's servers could read the difference instantly. The lists of flagged domains and keywords were also scrambled inside the app's code using a basic encryption trick, so they wouldn't show up if someone just opened the file and searched for them.

Thereallo called the approach "prompt steganography" - hiding a signal inside ordinary-looking text - and noted it let Anthropic sort and flag sessions without needing any separate, visible tracking system.

Anthropic's Explanation

Last Tuesday, Anthropic engineer Thariq Shihipar, who works on the Claude Code team, confirmed the feature on X:

"This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while. We merged the PR and this should be fully rolled back in tomorrow's release."

Anthropic has stated that unauthorized resellers have been selling access to Claude accounts and subscriptions at steep discounts in certain markets. The company has also publicly documented large-scale efforts by Chinese AI labs to distill its models by querying them at high volume through proxies and fraudulent accounts.

Anthropic removed the detection logic shortly after it became public.

Alibaba Bans Claude Code For Employees

The disclosure prompted a swift response from Chinese technology giant Alibaba. According to internal documents reported by the South China Morning Post, Alibaba added Claude Code to its list of high-risk software and instructed employees to stop using it for work, effective around July 10. The memo cited "back-door risks" following the discovery of the hidden markers.

Alibaba has not publicly commented on Anthropic's earlier accusations that its Qwen models benefited from large-scale distillation of Claude.

The Wider Context: Distillation And Geopolitical Competition

Model distillation - training a new model on the outputs of a more capable one - is a common technique in AI development. However, Anthropic and other U.S. frontier labs argue that industrial-scale distillation campaigns by foreign entities, particularly Chinese labs, undermine export controls and intellectual property protections.

Anthropic has previously published details of what it described as distillation operations targeting its models by labs including DeepSeek, Moonshot, and MiniMax. Chinese researchers have also published work showing that many leading Chinese models carry detectable signatures consistent with distillation from U.S. systems.

In this environment, companies like Anthropic face pressure to protect their models while maintaining user trust - especially in tools like Claude Code, which are granted significant access to users' local machines, files, and command execution.

Thereallo's analysis raises obvious questions about transparency. While the feature wasn't designed to steal user data or take control of anyone's computer, hiding this kind of tracking inside the system prompt without telling anyone erodes the trust these coding tools depend on.

"Coding agents already live on the wrong side of a scary boundary," Thereallo wrote. "Hiding the signal in the system prompt makes every other privacy claim harder to believe."

Anthropic has not issued a detailed public postmortem on the experiment. The company has emphasized that distillation attacks and account abuse pose risks to model safety standards and U.S. technological leadership, and that it continues to work with government and industry partners on mitigation strategies.

0

Anthropic has removed hidden detection code from its Claude Code tool after a developer reverse-engineered the binary and exposed how the company was subtly monitoring users in China.

The code, which Anthropic described as an experiment launched in March, used a form of prompt steganography to signal information about a user's environment back to Anthropic's servers. It was designed to help detect unauthorized resellers and attempts by other organizations to distill Claude's capabilities into their own models.

How The Detection Worked

The mechanism was first spotted by a Reddit user known as LegitMichel777, who stumbled on it while trying to restore a disabled feature in Claude Code. A separate developer known as Thereallo independently confirmed the finding the same day, June 30, publishing a technical breakdown of exactly how it worked.

The checks only ran in one specific situation: when a user pointed Claude Code at a different server instead of Anthropic's own - something companies commonly do when they route their traffic through internal systems or third-party gateways. From there, it checked two things:

  • Whether the user's computer was set to a Chinese time zone (Shanghai or Urumqi).
  • Whether the new server address matched a hidden list of Chinese AI companies (including well-known names like DeepSeek, Zhipu, and Moonshot) or known resale and proxy services.

If either check came back positive, Claude Code would quietly tweak a line of text called the "system prompt" - background instructions the app automatically sends to the AI model with every request, invisible to the person typing. Specifically, it changed how the date was written in that line:

  • If the user was in a Chinese time zone, the date switched from using dashes to slashes (e.g., 2026/06/30 instead of 2026-06-30).
  • The apostrophe in the phrase "Today's date is..." was swapped for one of three lookalike characters, each one a different signal, depending on which combination of checks the session had triggered.

None of this was visible to users, or likely even to the AI model itself in normal use - the characters look identical on screen. But Anthropic's servers could read the difference instantly. The lists of flagged domains and keywords were also scrambled inside the app's code using a basic encryption trick, so they wouldn't show up if someone just opened the file and searched for them.

Thereallo called the approach "prompt steganography" - hiding a signal inside ordinary-looking text - and noted it let Anthropic sort and flag sessions without needing any separate, visible tracking system.

Anthropic's Explanation

Last Tuesday, Anthropic engineer Thariq Shihipar, who works on the Claude Code team, confirmed the feature on X:

"This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while. We merged the PR and this should be fully rolled back in tomorrow's release."

Anthropic has stated that unauthorized resellers have been selling access to Claude accounts and subscriptions at steep discounts in certain markets. The company has also publicly documented large-scale efforts by Chinese AI labs to distill its models by querying them at high volume through proxies and fraudulent accounts.

Anthropic removed the detection logic shortly after it became public.

Alibaba Bans Claude Code For Employees

The disclosure prompted a swift response from Chinese technology giant Alibaba. According to internal documents reported by the South China Morning Post, Alibaba added Claude Code to its list of high-risk software and instructed employees to stop using it for work, effective around July 10. The memo cited "back-door risks" following the discovery of the hidden markers.

Alibaba has not publicly commented on Anthropic's earlier accusations that its Qwen models benefited from large-scale distillation of Claude.

The Wider Context: Distillation And Geopolitical Competition

Model distillation - training a new model on the outputs of a more capable one - is a common technique in AI development. However, Anthropic and other U.S. frontier labs argue that industrial-scale distillation campaigns by foreign entities, particularly Chinese labs, undermine export controls and intellectual property protections.

Anthropic has previously published details of what it described as distillation operations targeting its models by labs including DeepSeek, Moonshot, and MiniMax. Chinese researchers have also published work showing that many leading Chinese models carry detectable signatures consistent with distillation from U.S. systems.

In this environment, companies like Anthropic face pressure to protect their models while maintaining user trust - especially in tools like Claude Code, which are granted significant access to users' local machines, files, and command execution.

Thereallo's analysis raises obvious questions about transparency. While the feature wasn't designed to steal user data or take control of anyone's computer, hiding this kind of tracking inside the system prompt without telling anyone erodes the trust these coding tools depend on.

"Coding agents already live on the wrong side of a scary boundary," Thereallo wrote. "Hiding the signal in the system prompt makes every other privacy claim harder to believe."

Anthropic has not issued a detailed public postmortem on the experiment. The company has emphasized that distillation attacks and account abuse pose risks to model safety standards and U.S. technological leadership, and that it continues to work with government and industry partners on mitigation strategies.

World Cup Combo: Aim for 200x

World Cup Combo: Aim for 200xWorld Cup Combo: Aim for 200x

Combine up to 20 World Cup matches in one order

면책 조항: 본 사이트에 재게시된 글들은 공개 플랫폼에서 가져온 것으로 정보 제공 목적으로만 제공됩니다. 이는 반드시 MEXC의 견해를 반영하는 것은 아닙니다. 모든 권리는 원저자에게 있습니다. 제3자의 권리를 침해하는 콘텐츠가 있다고 판단될 경우, [email protected]으로 연락하여 삭제 요청을 해주시기 바랍니다. MEXC는 콘텐츠의 정확성, 완전성 또는 시의적절성에 대해 어떠한 보증도 하지 않으며, 제공된 정보에 기반하여 취해진 어떠한 조치에 대해서도 책임을 지지 않습니다. 본 콘텐츠는 금융, 법률 또는 기타 전문적인 조언을 구성하지 않으며, MEXC의 추천이나 보증으로 간주되어서는 안 됩니다.

$5M in SPCX Positions for Free

$5M in SPCX Positions for Free$5M in SPCX Positions for Free

0 fees, 100x leverage, daily prizes, 7K+ stocks/ETFs