HeadlinesBriefing favicon HeadlinesBriefing.com

Anthropic Secretly Tracked Chinese Claude Code Users

Ars Technica •
×

Security researcher Thereallo discovered Anthropic embedded hidden tracking code in Claude Code that used prompt steganography to monitor Chinese users' timezone, proxy settings, and potential links to AI labs accused of model distillation. The code operated silently without user consent or documentation, sending data back to Anthropic through shorthand markers in system prompts.

Anthropic engineer Thariq Shihipar confirmed the tracker was added in March as an "experiment" to combat unauthorized resellers selling free model access for $1 monthly and pro subscriptions for $12 instead of $100, plus distillation attacks where Chinese firms prompt US models millions of times to replicate capabilities. Shihipar said stronger mitigations have since replaced the hidden code, though privacy advocates call the approach a serious breach of trust — especially given Anthropic's public refusal to let the US government use Claude for domestic surveillance.

The fallout accelerated after Alibaba banned employees from using Claude Code, citing "back-door risks" in a memo reviewed by the South China Morning Post. Researchers at Peking University and the Chinese Academy of Sciences found most Chinese models show substantial evidence of distillation, primarily from US systems. Zhipu AI recently released a free model that outperformed Claude Opus 4.8 on vulnerability detection, intensifying pressure on US firms.

Hiding surveillance in system prompts undermines every other privacy claim Anthropic makes. Coding agents already operate with deep system access — inspecting files, running commands, pushing commits — making covert tracking a dangerous precedent. The incident reveals a company willing to cross ethical lines while lobbying Congress to criminalize distillation as IP theft, a stance Sen. Tim Scott endorsed at a recent hearing.