Anthropic removes hidden Claude Code tracker after security researcher exposes AI privacy breach

2 Sources

Share

Anthropic has removed a covert tracking system from Claude Code after security researcher Thereallo discovered spyware-like code collecting user data without disclosure. The company, known for championing ethical AI practices, claimed the tracker was an experiment to prevent account abuse and model distillation but failed to remove it for months.

Anthropic Caught With Hidden Tracking System in Claude Code

Anthropc, a company that positions itself as a leader in ethical AI practices, has removed a hidden tracking system from Claude Code after a security researcher exposed the undisclosed surveillance mechanism

1

. The discovery by developer Thereallo in June revealed that the AI coding assistant embedded spyware-like code within its system prompt to collect data on users without their knowledge, specifically targeting those potentially connected to Chinese AI labs

2

.

The tracker monitored user timezone settings and proxy server usage to identify connections to specific Chinese users and AI development operations. Thereallo noted that Claude Code was designed to flag custom API endpoints pointing to known reseller domains and hostnames containing references to Chinese AI companies like DeepSeek or Zhipu

2

. The tracking signals were concealed using Unicode markers and encoded domain lists rather than being disclosed through documentation or release notes, raising significant AI privacy concerns among developers who rely on the tool.

Anthropic's Justification Falls Short on Transparency

Anthropc engineer Thariq Shihipar explained on X that the tracker was introduced in March as an experiment to prevent account abuse from unauthorized resellers and protect against model distillation attacks

1

. He claimed the team had "actually been meaning to take this down for a while" and that stronger mitigations had since been implemented

2

. The explanation did little to satisfy critics who questioned why a company built on principles of transparent AI development would deploy covert surveillance measures.

Model distillation, where outputs from an advanced "teacher" model are used to train a weaker "student" model, has become a contentious issue in the AI industry. In February, Anthropic accused Chinese AI developers DeepSeek, Moonshot AI, and MiniMax of using fraudulent accounts to extract millions of Claude responses to train competing models

2

. Recent reporting from The Washington Post also revealed that Chinese resellers are selling access to Pro Claude subscriptions that cost more than $100 a month in the US for approximately $12 a month

1

.

Privacy Concerns Mount as AI Tools Gain System Access

Source: Decrypt

Source: Decrypt

Thereallo emphasized that while the collected data wasn't egregiously invasive, the principle of hiding tracking mechanisms crosses a dangerous line. "Coding agents already live on the wrong side of a scary boundary," the security researcher wrote, noting that these tools can inspect code, summarize secrets accidentally, run commands, install packages, edit files, and push commits on local machines

1

. When a tool with filesystem and shell access starts hiding classification bits inside invisible prompt punctuation, scrutiny becomes essential.

The incident is particularly damaging for Anthropic given its public stance on ethical AI. Scores of ChatGPT users migrated to Claude when Anthropic took a highly publicized stand against the Pentagon, demanding its technology not be used in mass surveillance of US citizens

1

. "This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust," Thereallo concluded

2

.

Geopolitical Risks Drive Industry-Wide Tensions

The controversy emerges as geopolitical risks intensify around AI development. In April, Elon Musk testified that xAI had "partly" used OpenAI models while training Grok, acknowledging distillation as a broader industry practice

2

. In June, Anthropic CEO Dario Amodei urged Congress to strengthen protections against foreign AI extraction, alleging that Alibaba-linked operators generated 28.8 million Claude exchanges using nearly 25,000 fraudulent accounts

2

. Earlier this month, Alibaba banned employees from using Claude Code, labeling it "high-risk" software over national security concerns

2

. As AI companies navigate legitimate threats to their intellectual property, the methods they choose to protect their models will determine whether users continue to trust them with increasingly powerful tools that operate deep within their systems.

Today's Top Stories

© 2026 TheOutpost.AI All rights reserved