
A company that drew national headlines for refusing to let the US government use its AI for mass domestic surveillance has been caught quietly doing its own form of covert monitoring — targeting users in China through hidden code embedded in its Claude Code product. The revelation has privacy advocates questioning whether Anthropic’s principled public stance on surveillance is a genuine ethical commitment or a selectively applied policy.
The Hidden Code: What Was Found and How
The exposure began when a web developer known online as “Thereallo” was conducting privacy research on Claude Code and discovered that Anthropic had embedded what the researcher described as “prompt steganography” — a technique that hides tracking instructions within model prompts in a way that most users would never detect. The researcher condemned the practice as a “serious breach of user trust” and published findings publicly, triggering immediate scrutiny of the AI firm.
The hidden code was not designed to steal data in a malicious sense, but it was silently collecting and transmitting information back to Anthropic. Specifically, the tracker was flagging users’ timezone, proxy settings, and any potential connection to Chinese AI laboratories that Anthropic has previously accused of conducting distillation attacks against its models. The tracking was performed using shorthand markers embedded in the system that most users would have no way of identifying during normal use.
Anthropic engineer Thariq Shihipar confirmed the tracker’s existence on X, acknowledging it had been added to Claude Code as an “experiment” in March. Shihipar explained the code “was meant to prevent account abuse from unauthorized resellers and protect against distillation.” He also stated that the company had “actually been meaning to take this down for a while” because engineers had “landed stronger mitigations since then.” Anthropic subsequently removed the code following its public exposure.
The Unauthorized Reseller Problem
Part of Anthropic’s justification for the tracker relates to a documented abuse of its platform. According to reporting by The Washington Post, unauthorized retailers have been selling access to Claude’s free models for as little as $1 per month, while Anthropic’s pro subscriptions — which can cost $100 monthly — have been resold for as little as $12. This gray market resale represents a direct financial threat to the company’s revenue model and reportedly has connections to users operating through Chinese networks.
The distillation concern runs even deeper. Chinese researchers at Peking University and the state-funded Chinese Academy of Sciences published findings in February showing that most major Chinese AI models “showed substantial evidence of distillation” — primarily of US models. One of Alibaba’s Qwen AI models was found to “repeatedly appear to mimic” Claude’s behavior. Anthropic has since claimed that Alibaba’s Qwen model was advanced following what it described as the largest distillation attack ever conducted against Claude.
A Striking Contrast With Anthropic’s Public Stance
The timing and context of the tracker’s discovery create an uncomfortable contrast for Anthropic. The company previously drew significant attention — and the ire of the Trump administration — for refusing to allow the US government to use Claude for mass domestic surveillance. That refusal was part of a Pentagon contract dispute in which Anthropic also declined to allow AI-only autonomous kill decisions. Rather than simply ending the contract, Secretary of Defense Pete Hegseth branded Anthropic a “supply chain risk,” a designation previously applied only to foreign adversaries, which threatened the company’s ability to operate broadly within the United States.
Anthropic subsequently sued the White House over the clash. The company’s willingness to enter a high-stakes legal battle against the federal government to protect users from surveillance makes the secret Chinese user tracker all the more striking to privacy observers. The question being asked openly now: was Anthropic’s anti-surveillance position a matter of principle, or a matter of whose surveillance it was?
Privacy advocates were pointed in their criticism of the company’s explanation. They warned that the discovery demonstrates Anthropic is willing to cross surveillance lines when it perceives a business or competitive justification, regardless of its public messaging around user privacy and trust.
The Broader Arms Race: Distillation and US-China AI Competition
The tracker incident sits within a larger geopolitical contest over AI capabilities. The Washington Post framed Anthropic’s hidden monitoring as part of a pattern of US AI firms taking “increasingly aggressive measures” to block Chinese competitors from copying their models.
The urgency behind those measures is driven by competitive pressure. In the past year, Chinese AI firms have “consistently matched” US firms’ model capabilities “within months,” according to the Post. In one notable benchmark, a free AI model from Chinese company Zhipu AI outperformed Anthropic’s Claude Opus 4.8 — released in May — at finding computer vulnerabilities.
Anthropic has joined OpenAI in urging the US government to treat large-scale distillation attacks as a form of intellectual property theft. While distillation itself is not illegal — and is practiced by leading US firms as well — Anthropic argues that prompting its models millions of times to rapidly advance competing models violates its terms of service and amounts to systematic theft of its research investments.
At a recent Senate hearing, Sen. Tim Scott (R-S.C.) expressed agreement that legal intervention may be necessary, calling for “carefully crafted export control policy that is clear and concise” to prevent China from using distillation attacks to gain a technological edge. Anthropic has argued the US needs to ramp up penalties — including blocking access to advanced models, chips, and US data centers — to maintain what it estimates could be a 12- to 24-month lead in AI capabilities.
What the “Experiment” Reveals About Corporate Surveillance Norms
The word “experiment” used by Anthropic’s engineer to describe the tracker carries weight in this context. It suggests the hidden code was deployed without a formal public disclosure process, privacy impact assessment communicated to users, or terms-of-service update that would alert the millions of people using Claude Code that their timezone data, proxy configurations, and institutional affiliations were being silently collected and analyzed.
The use of prompt steganography — hiding monitoring instructions within the AI system’s prompts rather than in visible application code — also raises questions about the technical sophistication applied to keeping the tracking concealed. This was not an accidental oversight buried in documentation; it was designed to be invisible to ordinary users and to most security researchers who might audit the product.
Thereallo’s public exposure of the technique forced Anthropic’s hand. Without that independent research, the tracker’s description as something the company had “been meaning to take down for a while” suggests it could have continued indefinitely.
The Trust Equation
Anthropic’s public identity has been built substantially on a narrative of responsible AI development and principled limits on harmful use — limits it was willing to defend even against the US Department of Defense. That brand of trustworthiness is not merely a marketing asset; it is central to the company’s ability to attract users, partners, and researchers who might otherwise choose competitors with fewer stated constraints.
The discovery of a covert tracking mechanism targeting a specific national group of users — even if deployed for competitive and anti-abuse reasons — complicates that narrative in ways that an official statement about “stronger mitigations” does not fully resolve. The code existed, it was hidden, and it was collecting data on users who had no knowledge they were being monitored.
Whether Anthropic’s explanation satisfies regulators, privacy advocates, and the users who trusted the platform remains an open question. What is no longer in question is that the company responsible for refusing government surveillance requests was, at the same time, running its own.
This article draws on reporting from Ars Technica and Thereallo’s security research blog, with additional context from The Washington Post.



