Anthropic caught secretly tracking Chinese users in Claude Code, removes spy-like feature after researcher exposure

Anthropic caught secretly tracking Chinese users in Claude Code, removes spy-like feature after researcher exposure

The AI firm embedded hidden steganographic markers to flag Chinese users for three months before a developer blew the whistle, prompting Alibaba to ban the tool entirely.

Anthropic spent roughly three months quietly tracking users it suspected of connecting from China through its Claude Code developer tool. The company didn’t mention this in any release notes, didn’t disclose it in any privacy policy update, and didn’t tell a single user it was happening.

Then a security researcher found it, posted about it publicly on June 30, and Anthropic ripped the whole thing out within a day. The AI company released version 2.1.197 on July 1, scrubbing the tracking mechanism that had been lurking since at least version 2.1.91, shipped back on April 2.

Advertisement

What the tracking code actually did

A web developer operating under the handle Thereallo discovered that Anthropic had been using a technique called “prompt steganography” to hide monitoring code inside Claude Code. In English: the company embedded invisible shorthand markers within the tool’s prompts that could identify users without them ever knowing.

The markers specifically flagged users based on time zone settings, particularly Asia/Shanghai and Asia/Urumqi. They also tracked proxy connections to Chinese domains and looked for patterns suggesting ties to Chinese AI labs.

Anthropic’s justification was straightforward. The company has accused Chinese competitors of running “distillation attacks,” a process where rival firms systematically query an AI model to extract and replicate its capabilities. Anthropic described the tracking as an experimental countermeasure against unauthorized reselling and model distillation activities that allegedly ramped up in March 2026.

Thereallo called it a “serious breach of user trust,” which, given that the tracking was binary-obfuscated and completely undisclosed, feels like an understatement.

Alibaba responds by banning Claude Code entirely

The fallout was swift. Chinese tech giant Alibaba moved to ban its employees from using Claude Code, with the restriction taking effect on July 10.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.

Anthropic caught secretly tracking Chinese users in Claude Code, removes spy-like feature after researcher exposure

Anthropic caught secretly tracking Chinese users in Claude Code, removes spy-like feature after researcher exposure

The AI firm embedded hidden steganographic markers to flag Chinese users for three months before a developer blew the whistle, prompting Alibaba to ban the tool entirely.

Anthropic spent roughly three months quietly tracking users it suspected of connecting from China through its Claude Code developer tool. The company didn’t mention this in any release notes, didn’t disclose it in any privacy policy update, and didn’t tell a single user it was happening.

Then a security researcher found it, posted about it publicly on June 30, and Anthropic ripped the whole thing out within a day. The AI company released version 2.1.197 on July 1, scrubbing the tracking mechanism that had been lurking since at least version 2.1.91, shipped back on April 2.

Advertisement

What the tracking code actually did

A web developer operating under the handle Thereallo discovered that Anthropic had been using a technique called “prompt steganography” to hide monitoring code inside Claude Code. In English: the company embedded invisible shorthand markers within the tool’s prompts that could identify users without them ever knowing.

The markers specifically flagged users based on time zone settings, particularly Asia/Shanghai and Asia/Urumqi. They also tracked proxy connections to Chinese domains and looked for patterns suggesting ties to Chinese AI labs.

Anthropic’s justification was straightforward. The company has accused Chinese competitors of running “distillation attacks,” a process where rival firms systematically query an AI model to extract and replicate its capabilities. Anthropic described the tracking as an experimental countermeasure against unauthorized reselling and model distillation activities that allegedly ramped up in March 2026.

Thereallo called it a “serious breach of user trust,” which, given that the tracking was binary-obfuscated and completely undisclosed, feels like an understatement.

Alibaba responds by banning Claude Code entirely

The fallout was swift. Chinese tech giant Alibaba moved to ban its employees from using Claude Code, with the restriction taking effect on July 10.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.