In brief

  • Anthropic removed hidden tracking markers from Claude Code after researchers discovered code used to identify some Chinese users.
  • The company said the experiment was intended to prevent account abuse and detect possible AI model distillation.
  • The discovery comes as Anthropic pushes lawmakers to crack down on unauthorized copying of frontier AI models.

Anthropic has removed a hidden tracking system from Claude Code after a security researcher discovered the AI coding assistant was using undisclosed markers to identify some users’ location, proxy use, and possible links to Chinese AI labs.

The feature, discovered in June by developer “Thereallo,” embedded signals in Claude Code’s system prompts that could flag users Anthropic believed were bypassing restrictions or attempting to extract model capabilities.

“Anthropic probably wants to detect API resellers, unauthorized Claude Code gateways, and model 'distillation attack' pipelines,” Thereallo wrote. “A custom ANTHROPIC_BASE_URL pointing at a known reseller domain is a useful signal. A hostname containing deepseek or zhipu is also a useful signal.”

Thereallo said Anthropic’s attempt to detect resellers, unauthorized Claude Code gateways, and potential distillation attacks made sense, but criticized how it was done, noting that Claude Code hid tracking signals inside system prompts using Unicode markers and encoded domain lists rather than disclosing the system through documentation or release notes.

“This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust,” Thereallo wrote.

After the tracker was revealed online, Anthropic engineer Thariq Shihipar said on X that it was introduced in March as an “experiment” to stop account abuse by unauthorized resellers and protect Claude from distillation attacks.

“The team has landed stronger mitigations since then and we’ve actually been meaning to take this down for a while,” Shihipar wrote last week. “We merged the [pull request] and this should be fully rolled back in tomorrow’s release.”

The news comes as Anthropic has stepped up warnings about AI model distillation, where one system’s outputs are used to train another model. While the practice is common in AI research, when it comes to geopolitics, distillation becomes a national security concern. Earlier this month, Alibaba banned employees from using Claude Code, calling the tool “high-risk” software over security concerns.

In February, Anthropic accused Chinese AI developers DeepSeek, Moonshot AI, and MiniMax of using fraudulent accounts to extract millions of Claude responses to train competing models. The claims drew pushback from critics who questioned how the practice differs from methods used across the AI industry.

In April, Elon Musk testified that xAI had “partly” used OpenAI models while training Grok, calling distillation a broader industry practice. In June, Anthropic CEO Dario Amodei urged Congress to strengthen protections against foreign AI extraction after alleging Alibaba-linked operators generated 28.8 million Claude exchanges using nearly 25,000 fraudulent accounts.

Anthropic did not immediately respond to a request for comment by Decrypt.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.

Read full story at Decrypt