Anthropic Removes "Scary" Secret Claude Tracker After Developer Stumbles Across It
Anthropic has removed hidden detection code from its Claude Code tool after a developer reverse-engineered the binary and exposed how the company was subtly monitoring users in China.
The code, which Anthropic described as an experiment launched in March, used a form of prompt steganography to signal information about a user's environment back to Anthropic's servers. It was designed to help detect unauthorized resellers and attempts by other organizations to distill Claude's capabilities into their own models.
How The Detection Worked
The mechanism was first spotted by a Reddit user known as LegitMichel777, who stumbled on it while trying to restore a disabled feature in Claude Code. A separate developer known as Thereallo independently confirmed the finding the same day, June 30, publishing a technical breakdown of exactly how it worked.
The checks only ran in one specific situation: when a user pointed Claude Code at a different server instead of Anthropic's own - something companies commonly do when they route their traffic through internal systems or third-party gateways. From there, it checked two things:
- Whether the user's computer was set to a Chinese time zone (Shanghai or Urumqi).
- Whether the new server address matched a hidden list of Chinese AI companies (including well-known names like DeepSeek, Zhipu, and Moonshot) or known resale and proxy services.
If either check came back positive, Claude Code would quietly tweak a line of text called the "system prompt" - background instructions the app automatically sends to the AI model with every request, invisible to the person typing. Specifically, it changed how the date was written in that line:
- If the user was in a Chinese time zone, the date switched from using dashes to slashes (e.g., 2026/06/30 instead of 2026-06-30).
- The apostrophe in the phrase "Today's date is..." was swapped for one of three lookalike characters, each one a different signal, depending on which combination of checks the session had triggered.
None of this was visible to users, or likely even to the AI model itself in normal use - the characters look identical on screen. But Anthropic's servers could read the difference instantly. The lists of flagged domains and keywords were also scrambled inside the app's code using a basic encryption trick, so they wouldn't show up if someone just opened the file and searched for them.
Thereallo called the approach "prompt steganography" - hiding a signal inside ordinary-looking text - and noted it let Anthropic sort and flag sessions without needing any separate, visible tracking system.
Anthropic's Explanation
Last Tuesday, Anthropic engineer Thariq Shihipar, who works on the Claude Code team, confirmed the feature on X:
"This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while. We merged the PR and this should be fully rolled back in tomorrow's release."
Anthropic has stated that unauthorized resellers have been selling access to Claude accounts and subscriptions at steep discounts in certain markets. The company has also publicly documented large-scale efforts by Chinese AI labs to distill its models by querying them at high volume through proxies and fraudulent accounts.
Anthropic removed the detection logic shortly after it became public.
Alibaba Bans Claude Code For Employees
The disclosure prompted a swift response from Chinese technology giant Alibaba. According to internal documents reported by the South China Morning Post, Alibaba added Claude Code to its list of high-risk software and instructed employees to stop using it for work, effective around July 10. The memo cited "back-door risks" following the discovery of the hidden markers.
Alibaba has not publicly commented on Anthropic's earlier accusations that its Qwen models benefited from large-scale distillation of Claude.
The Wider Context: Distillation And Geopolitical Competition
Model distillation - training a new model on the outputs of a more capable one - is a common technique in AI development. However, Anthropic and other U.S. frontier labs argue that industrial-scale distillation campaigns by foreign entities, particularly Chinese labs, undermine export controls and intellectual property protections.
Anthropic has previously published details of what it described as distillation operations targeting its models by labs including DeepSeek, Moonshot, and MiniMax. Chinese researchers have also published work showing that many leading Chinese models carry detectable signatures consistent with distillation from U.S. systems.
In this environment, companies like Anthropic face pressure to protect their models while maintaining user trust - especially in tools like Claude Code, which are granted significant access to users' local machines, files, and command execution.
Thereallo's analysis raises obvious questions about transparency. While the feature wasn't designed to steal user data or take control of anyone's computer, hiding this kind of tracking inside the system prompt without telling anyone erodes the trust these coding tools depend on.
"Coding agents already live on the wrong side of a scary boundary," Thereallo wrote. "Hiding the signal in the system prompt makes every other privacy claim harder to believe."
Anthropic has not issued a detailed public postmortem on the experiment. The company has emphasized that distillation attacks and account abuse pose risks to model safety standards and U.S. technological leadership, and that it continues to work with government and industry partners on mitigation strategies.

