All posts

Anthropic removes hidden tracking code from Claude Code

Manaal KhanJuly 13, 2026 at 3:17 AM4 min read
Anthropic removes hidden tracking code from Claude Code

Key Takeaways

Anthropic Hid Tracking Code in Claude Code — And Confirmed It's Real

Anthropic removes hidden tracking code from Claude Code
Source: www.theregister.com
  • Anthropic embedded hidden Unicode markers in Claude Code to detect API requests routed through Chinese AI labs and resellers
  • The steganography system launched in March 2026 and will be removed in the July 1 release
  • Anthropic says 'stronger mitigations' now exist but hasn't specified what replaced the covert tracking

Anthropic is removing hidden steganography code from Claude Code that secretly tracked whether API requests were being routed through Chinese AI labs, competitors, or unauthorized resellers. The covert tracking system, embedded since March 2026, used invisible Unicode markers in the system prompt to fingerprint suspicious usage patterns. A fix is shipping in the July 1 release.

Thariq Shihipar, an engineer on Anthropic's Claude Code team, confirmed the removal on Tuesday. "This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation," Shihipar wrote. "The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while."

Advertisement

How the hidden tracking worked

A developer using the handle Thereallo reverse-engineered the system. The code checked Claude Code's base URL environment variable, which developers use to route API requests through proxies or gateways. If that URL had been overridden, the code checked the system timezone and compared the hostname against a hardcoded list of Chinese AI labs, other AI companies, account resellers, and gateway domains.

The implementation concealed its purpose through multiple layers. The system prompt included invisible Unicode markers that looked like plain English. The domain blocklist was hidden behind XOR encryption and base64 encoding. Anthropic never disclosed this mechanism in its terms of service.

"This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust," Thereallo wrote. The criticism cuts to a core tension: Claude Code requires significant system access to function as a coding agent, and developers expect transparency about what data it collects and transmits.

Distillation is the threat Anthropic fears most

Distillation attacks let competitors copy an AI model's capabilities by mass-querying its API and training a smaller model on the outputs. The attacker doesn't need the original training data or model weights. They just need enough examples of inputs and outputs to teach a student model to mimic the teacher.

This is a real business threat. If a Chinese AI lab can replicate Claude's reasoning quality at a fraction of Anthropic's R&D cost, the company's multi-billion-dollar investment becomes a gift to competitors operating outside US jurisdiction.

Anthropic announced its anti-distillation strategy in February 2026, weeks before implementing the steganographic tracking. The company described a multi-layered defense: classifiers to detect distillation attempts, behavioral fingerprinting, intelligence sharing with other AI labs, and technical countermeasures.

One such countermeasure surfaced when Claude Code's source leaked. A Typescript flag called ANTI_DISTILLATION_CC injects fake tool data into API requests, poisoning the outputs for anyone trying to train on them. The goal is making the data toxic for model training while remaining functional for legitimate users.

Advertisement

What replaces the covert system?

Anthropic hasn't specified what "stronger mitigations" replaced the steganography. The company's spokesperson declined to answer whether the tracking was ever disclosed in terms of service. The pull request removing the code has been merged, so developers running the July 1 Claude Code release won't carry the hidden tracking.

The timing aligns with broader US government interest in protecting AI intellectual property. A recent White House Executive Order articulated intent to defend American AI from foreign adversaries. Anthropic has called for coordinated industry response to distillation threats, suggesting the company expects regulatory backing for its defensive measures.

Trust implications for Claude Code users

Claude Code operates as an agentic coding assistant with deep system access. It reads and writes files, executes commands, and interacts with development environments. That level of access demands transparency about what data leaves the local machine.

The steganography wasn't malicious in intent. Tracking API routing to detect resellers and competitors is a reasonable business interest. But hiding that tracking behind obfuscated code and invisible Unicode markers creates exactly the kind of trust deficit that enterprise developers worry about with AI tools.

Anthropic positioned itself as the safety-focused AI lab. Covert tracking systems, even for legitimate purposes, complicate that brand. The company's decision to remove the code suggests it recognized the optics problem, though the months-long delay between "meaning to take this down" and actually doing so raises questions about internal priorities.

ℹ️

Logicity's Take

For teams building with Claude Code or similar AI coding agents, this incident highlights a blind spot in tool evaluation. Most security reviews focus on what data the tool can access locally, not what metadata it encodes in API traffic. If you're routing requests through a gateway or proxy for logging and compliance purposes, you should audit whether your AI tools detect and flag that routing. Open-source alternatives like Continue.dev or Cursor offer more transparency since you can inspect the source, though they lack Claude's reasoning capabilities. The real question for Anthropic: will the replacement system be documented, or are we just swapping one black box for another?

Frequently Asked Questions

What is model distillation in AI?

Distillation is a technique where a smaller model learns to mimic a larger model by training on its outputs. Competitors can exploit this by mass-querying an API and using the responses to train their own models without access to the original training data.

Did Anthropic disclose the Claude Code tracking in its terms of service?

Anthropic's spokesperson did not answer whether the steganographic tracking was disclosed in any terms of service documents. The implementation was hidden behind XOR encryption and invisible Unicode markers.

When will the tracking code be removed from Claude Code?

The pull request removing the steganography code has been merged and will ship in the July 1, 2026 Claude Code release.

Why did Anthropic target Chinese AI labs specifically?

The hostname checklist included Chinese AI labs, other AI companies, account resellers, and gateway domains. Anthropic has publicly called for industry and government coordination to protect US AI intellectual property from foreign adversaries.

Also Read
Claude Code vs OpenCode: 33k tokens of overhead vs 7k

Compares Claude Code's architecture to alternatives, relevant for teams evaluating AI coding tools

ℹ️

Need Help Implementing This?

If your team is evaluating AI coding agents and needs help auditing their data practices or building internal policies for AI tool adoption, Logicity's consulting team works with engineering organizations on AI governance frameworks. Contact us at consulting@logicity.in.

Source: www.theregister.com

Advertisement
M

Manaal Khan

Tech & Innovation Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.