Mon 06 Jul 2026 / 17:13 ET
Kernel
Internet 4 min read

Anthropic pulls hidden Claude Code tracker after China user backlash

A researcher found prompt markers in Claude Code that flagged Chinese users, proxies and possible links to AI labs, prompting Anthropic to remove the code.

Riley Okafor

By Riley Okafor / Senior AI Reporter

Anthropic pulls hidden Claude Code tracker after China user backlash
img: Ars Technica

Anthropic removed hidden tracking logic from Claude Code after a web developer said the tool was quietly flagging users in China and routing signals back to the company. The finding matters because Claude Code is a developer agent with access to local workspaces, and Anthropic has spent the past year arguing that others should not use AI systems for surveillance.

The researcher, who publishes as Thereallo, said in a blog post that Claude Code used “prompt steganography” to hide tracking instructions in plain sight. According to Thereallo, the code used shorthand markers to identify a user’s timezone, proxy use and possible connection to Chinese AI labs. The researcher said the feature was not malicious, while calling it a “serious breach of user trust.”

Prompt steganography in this context means hiding operational signals inside the prompt text rather than exposing them as ordinary telemetry. That makes the behavior harder for normal users to notice, especially in a tool that already receives broad access to project files, shell commands and code changes.

Anthropic engineer Thariq Shihipar wrote on X that the tracker was added to Claude Code in March as an “experiment.” Shihipar said the aim was to stop account abuse by unauthorized resellers and to protect against distillation, the practice of querying a model at scale to train or improve another model. He added that Anthropic had “actually been meaning to take this down for a while” because engineers had since shipped stronger protections.

The reseller concern is not theoretical, according to The Washington Post. The Post reported that unauthorized sellers have offered access to free models for $1 per month and sold subscriptions that normally cost $100 per month for as little as $12.

Distillation fight spills into client software

Anthropic has accused Chinese AI firms of using Claude to advance rival models through large-scale distillation attacks. The company has argued that the United States should treat such activity as intellectual property theft, even though distillation itself is not illegal and leading U.S. labs also use the technique. Anthropic says using Claude millions of times to improve Chinese models violates its terms.

The Washington Post reported that Chinese AI companies have repeatedly caught up with U.S. model capabilities within months. The Post also reported that a recent free model from Zhipu AI outperformed Anthropic’s Claude Opus 4.8 on computer vulnerability-finding tasks.

Anthropic has urged U.S. officials to consider stronger penalties for distillation attacks, including blocking access to advanced models, chips and U.S. data centers. Sen. Tim Scott, Republican of South Carolina, said at a recent Senate hearing that export control policy should be crafted to stop China from using such attacks to gain a technological edge, according to the Post.

The hidden tracker has already triggered a corporate response in China. The South China Morning Post reported that Alibaba barred employees from using Claude Code for work after the tracking issue surfaced. A memo reviewed by SCMP said Claude Code had been added to a list of high-risk software because of “back-door risks.”

Reuters reported that a person familiar with Alibaba’s decision said the company faced legal and compliance exposure if it violated Anthropic’s terms, unlike individual users who might use cheap tools to bypass location checks.

Trust problem for a local coding agent

Thereallo argued that Anthropic could have disclosed the detection plainly, for example through documented telemetry fields, visible policy language or release notes. The researcher wrote that hiding the signal in a system prompt makes other privacy claims harder to trust.

The criticism lands awkwardly for Anthropic. Ars Technica has reported that the company previously resisted U.S. government use of Claude to surveil Americans, angering the Trump administration, and later sued the White House over the dispute.

Anthropic did not immediately respond to Ars Technica’s request for comment. A company spokesperson told The Washington Post that Chinese labs’ distillation attacks “pose a serious threat to national security and undermine AI safety standards across the industry,” and said Anthropic works with other labs, government and partners on shared responses.

This story draws on original reporting from Ars Technica.

More Internet/

view all ↗