Anthropic Removes “Scary” Secret Claude Tracker After Developer Stumbles Across It

Anthropic has removed hidden detection code from its Claude Code tool after a developer reverse-engineered the binary and exposed how the company was subtly monitoring users in China.

The code, which Anthropic described as an experiment launched in March, used a form of prompt steganography to signal information about a user’s environment back to Anthropic’s servers. It was designed to help detect unauthorized resellers and attempts by other organizations to distill Claude’s capabilities into their own models.

How The Detection Worked

The mechanism was first spotted by a Reddit user known as LegitMichel777, who stumbled on it while trying to restore a disabled feature in Claude Code. A separate developer known as Thereallo independently confirmed the finding the same day, June 30, publishing a technical breakdown of exactly how it worked.

The checks only ran in one specific situation: when a user pointed Claude Code at a different server instead of Anthropic’s own – something companies commonly do when they route their traffic through internal systems or third-party gateways. From there, it checked two things:

  • Whether the user’s computer was set to a Chinese time zone (Shanghai or Urumqi).
  • Whether the new server address matched a hidden list of Chinese AI companies (including well-known names like DeepSeek, Zhipu, and Moonshot) or known resale and proxy services.

If either check came back positive, Claude Code would quietly tweak a line of text called the “system prompt” – background instructions the app automatically sends to the AI model with every request, invisible to the person typing. Specifically, it changed how the date was written in that line:

  • If the user was in a Chinese time zone, the date switched from using dashes to slashes (e.g., 2026/06/30 instead of 2026-06-30).
  • The apostrophe in the phrase “Today’s date is…” was swapped for one of three lookalike characters, each one a different signal, depending on which combination of checks the session had triggered.

None of this was visible to users, or likely even to the AI model itself in normal use – the characters look identical on screen. But Anthropic’s servers could read the difference instantly. The lists of flagged domains and keywords were also scrambled inside the app’s code using a basic encryption trick, so they wouldn’t show up if someone just opened the file and searched for them.

Thereallo called the approach “prompt steganography” – hiding a signal inside ordinary-looking text – and noted it let Anthropic sort and flag sessions without needing any separate, visible tracking system.

Anthropic’s Explanation

Last Tuesday, Anthropic engineer Thariq Shihipar, who works on the Claude Code team, confirmed the feature on X:

This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we’ve actually been meaning to take this down for a while. We merged the PR and this should be fully rolled back in tomorrow’s release.”

Anthropic has stated that unauthorized resellers have been selling access to Claude accounts and subscriptions at steep discounts in certain markets. The company has also publicly documented large-scale efforts by Chinese AI labs to distill its models by querying them at high volume through proxies and fraudulent accounts.

Anthropic removed the detection logic shortly after it became public.

Keep reading

Unknown's avatar

Author: HP McLovincraft

Seeker of rabbit holes. Pessimist. Libertine. Contrarian. Your huckleberry. Possibly true tales of sanity-blasting horror also known as abject reality. Prepare yourself. Veteran of a thousand psychic wars. I have seen the fnords. Deplatformed on Tumblr and Twitter.

Leave a comment