Anthropic has quietly removed a hidden tracking system from its AI coding assistant, Claude Code, after a security researcher uncovered the practice and raised privacy concerns. The feature, discovered in June by a developer known as Thereallo, used undisclosed markers to identify some users’ locations, proxy usage, and potential connections to Chinese AI labs. The signals were embedded in Claude Code’s system prompts and could flag users that Anthropic believed were bypassing restrictions or trying to extract the model’s capabilities.
How the Tracking Worked
Thereallo explained that Anthropic likely wanted to detect API resellers, unauthorized Claude Code gateways, and so-called “distillation attack” pipelines. The system looked at signals like a custom ANTHROPIC_BASE_URL pointing to known reseller domains or a hostname containing terms like “deepseek” or “zhipu.” While Thereallo acknowledged that detecting abuse makes sense, they criticized the method—Claude Code hid the tracking signals inside system prompts using Unicode markers and encoded domain lists. There was no disclosure through documentation or release notes.
“This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust,” Thereallo wrote. After the tracker became public, Anthropic engineer Thariq Shihipar responded on X, saying the system was introduced in March as an “experiment” to stop unauthorized resellers and protect Claude from distillation attacks. He added, “The team has landed stronger mitigations since then and we’ve actually been meaning to take this down for a while. We merged the [pull request] and this should be fully rolled back in tomorrow’s release.”
Broader Concerns Around Model Distillation
The incident comes at a time when Anthropic has been increasingly vocal about the risks of AI model distillation—a process where one AI system’s outputs are used to train another. While distillation is common in research, it becomes a national security concern when it involves geopolitical actors. Earlier this month, Alibaba banned its employees from using Claude Code, calling the tool “high-risk” software over security concerns.
In February, Anthropic accused Chinese AI firms DeepSeek, Moonshot AI, and MiniMax of using fraudulent accounts to extract millions of Claude responses for training competing models. Critics pushed back, questioning how that practice differs from methods used widely across the industry. In April, Elon Musk testified that his AI company xAI had “partly” used OpenAI models during Grok’s training, calling distillation a broader industry practice. In June, Anthropic CEO Dario Amodei urged Congress to strengthen protections against foreign AI extraction, after alleging that Alibaba-linked operators had generated 28.8 million Claude interactions using nearly 25,000 fake accounts.
Anthropic did not immediately respond to a request for comment from Decrypt.










