Anthropic has abruptly removed a Claude Code secret tracker after a security researcher caught the AI firm using "prompt steganography" to quietly monitor users in China. The discovery has triggered intense backlash, severely undermining Anthropic's public anti-surveillance stance and prompting major corporate bans. The hidden code was designed to flag users' timezones, proxies, and potential connections to Chinese AI labs.
The tracking mechanism was exposed by a web developer known as Thereallo, who discovered that Anthropic was hiding the surveillance code in plain sight. Anthropic engineer Thariq Shihipar confirmed the tracker was added as an "experiment" in March. Shihipar stated the code was intended to prevent account abuse from unauthorized resellers - who sell $100 monthly pro subscriptions for as little as $12 - and to protect against distillation attacks.
Coding agents already live on the wrong side of a scary boundary. They can inspect code, summarize secrets by accident, run commands, install packages, edit files, and push commits on your local machine.
- Thereallo, Security Researcher
The tracker deployment highlights the escalating "distillation" war between US and Chinese AI firms. Distillation involves prompting advanced models millions of times to rapidly train competing models. According to reports, Chinese firms are consistently matching US capabilities within months; recently, a free model from Zhipu AI outperformed Anthropic's Claude Opus 4.8 (released in May) in finding computer vulnerabilities. Anthropic also claims that Alibaba's Qwen AI model mimicked Claude following a massive distillation attack in June.
To maintain a 12- to 24-month technological lead, Anthropic and OpenAI are urging the US government to classify distillation as intellectual property theft. At a recent Senate hearing, Sen. Tim Scott (R-S.C.) supported this stance, arguing for clear export control policies to prevent China from gaining a technological edge through these attacks.
The fallout from the secret tracker was immediate. Last Friday, Alibaba banned its employees from using Claude Code for work. According to an internal memo reviewed by the South China Morning Post, Alibaba classified the developer tool as high-risk software, citing "back-door risks" and security vulnerabilities directly related to Anthropic's hidden tracking mechanisms.
How the Prompt Steganography Operated
Instead of using standard, transparent data collection methods, Anthropic utilized prompt steganography to embed tracking signals directly into the system prompts. This allowed the company to quietly monitor developers without triggering standard privacy alerts.
The hidden code specifically targeted users employing custom API gateways, attempting to fingerprint developers doing legitimate but unconventional work. Security researchers noted that if Anthropic wanted to detect abuse, it could have easily sent an explicit telemetry field, documented the policy, and included the behavior in its release notes.
The Hypocrisy of Weaponized Developer Tools
The decision to secretly track users is a glaring contradiction for Anthropic, a company that recently sued the White House after refusing to allow the US government to use Claude for surveillance. Fighting intellectual property theft is a valid business imperative, but weaponizing a local developer tool with hidden spyware tactics destroys the very trust required for coding agents to operate on local machines.
This aggressive digital rights management strategy carries significant market risks. Fortune 500 CEOs are actively searching for cheaper AI solutions, and open-source Chinese models are already gaining traction over their American counterparts. If US AI leaders prioritize covert surveillance over user transparency to protect their models, they risk driving enterprise developers directly into the arms of the Chinese ecosystems they are desperately trying to suppress.