
short
- Anthropic has removed hidden tracking tags from Claude Code after researchers discovered code used to identify some Chinese users.
- The company said the experiment was aimed at preventing account abuse and detecting potential distillation of the AI model.
- The discovery comes as Anthropic pushes lawmakers to crack down on unauthorized copying of frontier AI models.
Anthropic removed Claude Code’s hidden tracking system after a security researcher discovered that the AI coding assistant was using undisclosed tags to determine some users’ locations, proxy use, and potential links to Chinese AI labs.
advantage, find out Introduced in June by developer Theralo, signals built into the CloudCode system prompt the possibility of reporting users who Anthropic believes are bypassing restrictions or trying to extract the model’s capabilities.
“Anthropic likely wants to detect API vendors, unauthorized Claude Code gateways, and typical ‘drip attack’ pipelines,” Tirello wrote. “A custom ANTHROPIC_BASE_URL that points to a known reseller’s domain is a useful signal. A hostname that contains deepseek or zhipu is also a useful signal.”
Therillo said that Anthropic’s attempt to detect resellers, unauthorized Claude Code gateways, and potential distillation attacks made sense, but criticized how it did so, noting that Claude Code hid tracking flags within system claims using Unicode tags and encrypted domain lists rather than exposing the system through documentation or release notes.
“This is not a malicious feature, but it is an odd choice for a developer tool that demands trust,” Tirillo wrote.
After the online tracker was revealed, Anthropic engineer Tariq Shibar said on the X website that it was introduced in March as an “experiment” to stop account abuse by unauthorized sellers and protect Cloud from hacking attacks.
“The team has come up with stronger mitigations since then, and we actually intended to remove this for a while,” Shehibar said books Last week. “We have merged (the pull request) and it should be fully rolled back in tomorrow’s release.”
The news comes as Anthropic has stepped up its warnings about distillation of AI models, where the output of one system is used to train another model. Although this practice is common in AI research, when it comes to geopolitics, distillation becomes essential National security they. Earlier this month, Alibaba Forbidden employees from using Claude Code, describing the tool as “high-risk” software due to security concerns.
In February Anthropy accused Chinese AI developers DeepSeek, Moonshot AI, and MiniMax used fraudulent accounts to mine millions of Cloud responses to train competing models. These allegations have sparked opposition from critics who have questioned how this practice differs from methods used in the artificial intelligence industry.
In April, Elon Musk to attest xAI used OpenAI models “partially” while training Grok, describing distillation as a broader industry practice. In June, Anthropic CEO Dario Amodei urge Congress will strengthen protections against foreign AI mining after operators linked to Alibaba allegedly created 28.8 million cloud exchanges using nearly 25,000 fraudulent accounts.
Anthropic did not immediately respond to a request for comment previously Decryption.
Daily debriefing Newsletter
Start each day with the latest news, plus original features, podcasts, videos and more.



