Summary

  • Anthropic has eliminated concealed tracking markers from Claude Code after researchers uncovered their use to identify certain Chinese users.
  • The company stated the tracking was part of an experiment aimed at preventing account misuse and recognizing potential AI model distillation.
  • This revelation coincides with Anthropic's advocacy for stricter regulations against unauthorized replication of advanced AI models.

Anthropic has taken down a covert tracking system from Claude Code after a security researcher identified that the AI coding assistant was employing undisclosed markers for pinpointing user locations, proxy utilization, and potential affiliations with Chinese AI laboratories.

This feature, exposed in June by developer “Thereallo,” incorporated signals within Claude Code’s system prompts that could indicate users suspected of evading restrictions or attempting to extract the model’s capabilities.

According to Thereallo, “Anthropic likely aims to identify API resellers, unauthorized Claude Code gateways, and potential model 'distillation attack' pathways. A custom ANTHROPIC_BASE_URL linked to a known reseller domain serves as a significant indicator. A hostname featuring deepseek or zhipu also acts as a useful signal.”

While Thereallo acknowledged that Anthropic's goal of identifying resellers and unauthorized gateways made sense, he criticized the implementation, highlighting that Claude Code concealed tracking signals within system prompts using Unicode markers and encoded domain lists, rather than providing transparent documentation or release notes.

“This is not a malicious feature, but it is an odd choice for a developer tool that relies on trust,” Thereallo remarked.

In response to the tracker’s exposure, Anthropic engineer Thariq Shihipar mentioned on X that it had been introduced in March as an “experiment” to prevent account abuse by unauthorized resellers and to safeguard Claude from distillation attacks.

“The team has implemented stronger mitigations since then, and we’ve been intending to remove this for some time,” Shihipar stated last week. “We merged the [pull request], and this should be fully rolled back in tomorrow’s release.”

This development arises as Anthropic has intensified its warnings concerning AI model distillation, where the outputs from one system are utilized to train another model. Although this practice is prevalent in AI research, it raises national security concerns in geopolitical contexts. Earlier this month, Alibaba prohibited its employees from using Claude Code, labeling the tool as “high-risk” due to security worries.

In February, Anthropic accused Chinese AI firms DeepSeek, Moonshot AI, and MiniMax of employing fraudulent accounts to extract millions of Claude responses for training competing models. This accusation faced skepticism from critics questioning how it differed from widely accepted practices in the AI sector.

In April, Elon Musk testified that xAI had “partly” utilized OpenAI models to train Grok, characterizing distillation as a common practice in the industry. In June, Anthropic CEO Dario Amodei urged Congress to bolster protections against the foreign extraction of AI after alleging that operators linked to Alibaba generated 28.8 million Claude exchanges through nearly 25,000 fraudulent accounts.

Anthropic did not respond immediately to a request for comments from Decrypt.

Daily Debrief Newsletter

Stay informed every morning with the latest news stories, along with original features, podcasts, videos, and more.