Anthropic has officially removed a hidden tracking system from its AI coding assistant, Claude Code, after a security researcher identified that the tool was covertly tracking user location data, proxy usage, and potential connections to Chinese AI laboratories. The discovery sparked immediate concerns regarding privacy and transparency in developer-facing software.
How the Tracking Worked
The system was first uncovered in June by a developer identified as “Thereallo.” The researcher discovered that Claude Code was embedding specific signals within its system prompts to identify users suspected of bypassing access restrictions or attempting to extract, or “distill,” the model’s core capabilities.
According to the researcher, Anthropic’s goal was likely to detect API resellers, unauthorized Claude Code gateways, and pipelines attempting model distillation attacks. For instance, specific triggers included a custom ANTHROPIC_BASE_URL associated with known reseller domains, or hostnames containing keywords like “deepseek” or “zhipu.” While Thereallo acknowledged that Anthropic’s desire to prevent unauthorized use was logical, they criticized the execution. The tracking markers were hidden inside system prompts using Unicode characters and encoded domain lists, rather than being disclosed in official documentation or release notes. The researcher noted that while the feature was not malicious, it was a strange design choice for a tool built on developer trust.
Official Response from Anthropic
Following the public exposure of the tracker, Anthropic engineer Thariq Shihipar addressed the situation on X. He explained that the mechanism had been introduced back in March as an “experiment” designed to prevent account abuse by unauthorized resellers and to safeguard the Claude model from aggressive distillation attempts. Shihipar stated that since that time, the team had implemented more robust mitigations and had been planning to decommission the tracker. Following the internal review, the company merged a pull request and confirmed the feature was fully rolled back in the following release.
The Broader Context of Model Distillation
This incident occurs amidst growing tension regarding AI model distillation, a process where outputs from one AI system are used to train competing models. While industry standard, distillation has become a significant national security focal point. Earlier this month, Alibaba explicitly banned its employees from utilizing Claude Code, labeling the tool as “high-risk” software.
Tensions between Anthropic and Chinese AI entities date back to February, when Anthropic accused DeepSeek, Moonshot AI, and MiniMax of operating fraudulent accounts to scrape millions of responses for competitive training. These claims faced skepticism from critics who argued that such data gathering is common across the entire AI sector. In April, Elon Musk testified that xAI had “partly” utilized OpenAI models while training Grok, framing distillation as a broad industry practice. Furthermore, in June, Anthropic CEO Dario Amodei testified before Congress, urging lawmakers to strengthen protections against foreign AI extraction, alleging that Alibaba-linked operators had generated 28.8 million Claude exchanges using nearly 25,000 fraudulent accounts.











