Anthropic has removed a hidden tracking system from Claude Code after a security researcher discovered the AI coding assistant was embedding undisclosed markers to identify some users’ location, proxy use, and potential ties to Chinese AI labs. The feature, uncovered in June by a developer known as Thereallo, worked by injecting signals into Claude Code’s system prompts to flag users Anthropic suspected of bypassing restrictions or trying to extract model capabilities.
How the Tracking Worked
According to Thereallo, Claude Code hid these markers using Unicode signals and encoded domain lists inside system prompts, without any mention in documentation or release notes. The system could detect things like a custom ANTHROPIC_BASE_URL pointing to known reseller domains, or hostnames containing keywords like deepseek or zhipu. Thereallo acknowledged that Anthropic’s goal of catching unauthorized resellers, gateways, and model distillation attacks made sense, but criticized the lack of transparency. “This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust,” he noted.
Anthropic’s Response
After the tracker went public, Anthropic engineer Thariq Shihipar confirmed on X that the feature was introduced in March as an experiment to stop account abuse by unauthorized resellers and protect Claude from distillation attacks. He added that the team had since developed stronger mitigations and had been planning to remove the tracker anyway. “We merged the pull request and this should be fully rolled back in tomorrow’s release,” Shihipar wrote last week.
Broader Context on Distillation
The incident comes amid heightened tensions around AI model distillation, where one system’s outputs train another. While common in research, it becomes a national security concern in geopolitical contexts. Earlier this month, Alibaba banned employees from using Claude Code, calling it high-risk software. In February, Anthropic accused Chinese AI developers DeepSeek, Moonshot AI, and MiniMax of using fraudulent accounts to extract millions of Claude responses for training rival models—a claim critics said mirrored practices across the industry. Elon Musk testified in April that xAI had partly used OpenAI models for Grok, calling distillation a broader industry norm. And in June, CEO Dario Amodei urged Congress to strengthen protections after alleging Alibaba-linked operators generated 28.8 million Claude exchanges using nearly 25,000 fake accounts. Anthropic did not immediately respond to a comment request.

