Technology

Anthropic removes hidden Claude Code tracker aimed at China users

A researcher said Claude Code used hidden prompt markers to flag some China-linked users, prompting Anthropic to pull the tool and defend its anti-abuse aims.

James Whitfield

By James Whitfield · Staff Writer

3 min read

Anthropic removes hidden Claude Code tracker aimed at China users
Photo: Ars Technica

Anthropic removed a hidden tracking mechanism from Claude Code after a security researcher said the tool quietly marked some users linked to China. The finding matters because Anthropic has built public trust partly on limits around surveillance while warning that Chinese AI labs are copying U.S. models.

The researcher, a web developer who publishes as Thereallo, said they found code embedded through “prompt steganography,” a technique that hides signals inside prompts. Thereallo said the mechanism did not appear to be malicious, but it sent information to Anthropic in a form many users would not notice.

According to Thereallo, the hidden markers could flag details such as a user’s time zone, proxy use and possible connection to Chinese AI labs. Ars Technica reported that Anthropic removed the tracker soon after Thereallo published the findings.

Anthropic engineer Thariq Shihipar said on X that the tracker was added in March as an “experiment.” Shihipar said it was intended to stop abuse by unauthorized resellers and protect Anthropic’s models against distillation, a method in which one AI system is trained by repeatedly querying another.

Shihipar also said Anthropic had planned to remove the code because its engineers had since put stronger protections in place. Privacy advocates cited by Ars Technica criticized that explanation, saying the hidden approach undermined confidence in Anthropic’s privacy claims.

Distillation fight puts pressure on AI firms

The Washington Post reported that Anthropic and other U.S. AI companies have been taking more forceful steps to slow Chinese competitors they believe are using U.S. models to improve their own systems. The Post reported that Chinese firms have been matching U.S. model capabilities within months over the past year.

The Post also reported that a recent model from Chinese company Zhipu AI outperformed Anthropic’s Claude Opus 4.8 at finding software vulnerabilities. Anthropic has argued that the U.S. should treat some distillation attacks as intellectual property theft, while the Post reported that distillation itself is not illegal and is also used by leading U.S. companies.

Anthropic has said that large-scale querying of Claude to advance rival Chinese models violates its terms of service. At a Senate hearing cited by the Post, Sen. Tim Scott, R-S.C., said the U.S. needs clear export controls to prevent China from gaining a technological edge through such methods.

Alibaba bans Claude Code at work

The South China Morning Post reported that Alibaba told employees last Friday not to use Claude Code for work. According to a memo reviewed by the newspaper, Alibaba classified Claude Code as high-risk software after reports about the tracker.

Reuters reported, citing a person familiar with the matter, that Alibaba could face legal and compliance risks if it were found violating Anthropic’s terms. Alibaba has not commented on Anthropic’s accusations that one of its Qwen models benefited from a major distillation attack on Claude, according to Ars Technica.

Thereallo said Anthropic could have disclosed the telemetry directly, documented it and described it in release notes. The researcher argued that hiding the signal in a developer tool was especially troubling because coding agents can inspect files, run commands, install packages and alter code on a user’s machine.

Ars Technica reported that Anthropic did not immediately respond to its request for comment. A company spokesperson told the Washington Post that Chinese labs’ distillation attacks threaten national security and AI safety standards, and said Anthropic continues to work with other labs, government and partners on responses.

This story draws on original reporting from Ars Technica.