Anthropic removed a hidden tracking system from Claude Code after security researcher Thereallo discovered in June that the AI coding assistant was using undisclosed markers to identify users' location, proxy use, and possible links to Chinese AI labs. The feature embedded signals in system prompts to flag users Anthropic believed were bypassing restrictions or attempting to extract model capabilities. The discovery comes as Anthropic pushes lawmakers to crack down on unauthorized copying of frontier AI models, following accusations in February that Chinese AI developers used fraudulent accounts to extract millions of Claude responses.
Researcher Exposes Unicode Markers and Encoded Domain Lists in System Prompts
Thereallo discovered that Claude Code hid tracking signals inside system prompts using Unicode markers and encoded domain lists rather than disclosing the system through documentation or release notes. The researcher noted that Anthropic appeared to be attempting to detect API resellers, unauthorized Claude Code gateways, and model distillation attack pipelines. A custom ANTHROPIC_BASE_URL pointing at a known reseller domain served as a useful signal, as did a hostname containing deepseek or zhipu.
Thereallo criticized the implementation method while acknowledging the security rationale. "This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust," Thereallo wrote.
Anthropic Engineer Confirms March Implementation and Planned Removal
After the tracker was revealed online, Anthropic engineer Thariq Shihipar said on X that the feature was introduced in March as an experiment to stop account abuse by unauthorized resellers and protect Claude from distillation attacks. Shihipar stated last week that the team had landed stronger mitigations since March. "We merged the [pull request] and this should be fully rolled back in tomorrow's release," Shihipar wrote.
Alibaba Bans Claude Code Amid Distillation Attack Concerns
Earlier this month, Alibaba banned employees from using Claude Code, calling the tool "high-risk" software over security concerns. In February, Anthropic accused Chinese AI developers DeepSeek, Moonshot AI, and MiniMax of using fraudulent accounts to extract millions of Claude responses to train competing models. The claims drew pushback from critics who questioned how the practice differs from methods used across the AI industry.
In April, Elon Musk testified that xAI had "partly" used OpenAI models while training Grok, calling distillation a broader industry practice. In June, Anthropic CEO Dario Amodei urged Congress to strengthen protections against foreign AI extraction after alleging Alibaba-linked operators generated 28.8 million Claude exchanges using nearly 25,000 fraudulent accounts.
FAQ
What did Anthropic remove from Claude Code in June?
Anthropic removed a hidden tracking system from Claude Code after researcher Thereallo discovered in June that it used undisclosed Unicode markers and encoded domain lists in system prompts to identify users' location, proxy use, and possible links to Chinese AI labs.
Why did Anthropic implement the tracking feature in Claude Code?
Anthropic engineer Thariq Shihipar stated the feature was introduced in March as an experiment to stop account abuse by unauthorized resellers and protect Claude from distillation attacks, where one AI system's outputs are used to train another model.
What action did Alibaba take regarding Claude Code?
Earlier this month, Alibaba banned employees from using Claude Code, designating the tool as "high-risk" software over security concerns related to AI model distillation and data extraction.