back to top
HomeTechAnthropic Secretly Tracked Claude Code Users. Then Called It an "Experiment."

Anthropic Secretly Tracked Claude Code Users. Then Called It an “Experiment.”

- Advertisement -

There’s a version of this story where Anthropic was trying to protect itself from large-scale model theft. There’s another where one of the AI industry’s biggest privacy advocates quietly crossed a line its own users never expected.

What makes this headline important isn’t just that hidden tracking code existed. It’s that the company behind it was Anthropic.

Just months ago, Anthropic publicly refused to let the Trump administration use Claude to surveil American users. The company defended that position in court, arguing that AI companies shouldn’t become tools for government surveillance. That stance became part of Anthropic’s identity.

Then came a very different decision.

In March, Anthropic quietly added hidden tracking markers to Claude Code that flagged users’ timezones, proxy connections, and potential ties to Chinese AI labs. The code remained unnoticed until security researcher Thereallo discovered it last week. After the discovery went public, an Anthropic engineer confirmed it on X, described it as an “experiment” intended to combat account abuse and model distillation, and said the company had already planned to remove it. The tracker was taken down shortly afterward.

The bigger question isn’t whether Anthropic had a reason. It’s whether a company that built its reputation on privacy can afford to hide surveillance from the very developers it asks to trust its tools.

What the tracker actually did

To be clear about what this was and wasn’t: the code wasn’t stealing passwords or reading source files. It was using prompt steganography, hiding markers inside system prompts that most users would never notice, to quietly flag certain signals back to Anthropic. Timezone data. Proxy usage. Patterns that might indicate a connection to Chinese AI labs Anthropic has accused of running distillation attacks against Claude.

It wasn’t malicious in intent. It was, by Anthropic’s own account, an abuse-prevention measure aimed at unauthorized resellers and labs that were allegedly prompting Claude millions of times to train competing models. The engineer who confirmed it said stronger mitigations had since been built, which is why removal was already planned.

None of that changes the core problem: users didn’t know it was there. A developer tool that can read your code, run commands, push commits, and install packages was quietly sending information home without telling anyone. Thereallo put it wellm coding agents already operate close to a line most users are uncomfortable thinking about. Hiding telemetry in the system prompt doesn’t just cross that line. It makes every other privacy claim harder to believe going forward.

What Anthropic Was Actually Trying to Stop

The distillation threat Anthropic keeps raising isn’t hypothetical. Researchers at Peking University and the Chinese Academy of Sciences published methods in February for detecting distillation in large language models and found that most major Chinese models showed substantial evidence of it, primarily from American ones. One of Alibaba’s Qwen models reportedly mimicked Claude closely enough that in some tests it would identify itself as Claude when pushed.

Anthropic has accused Chinese labs of running what it calls the largest distillation attack ever on Claude, allegedly using millions of queries to rapidly advance competing models. That kind of attack doesn’t just cost compute, it potentially hands a competitor the capability gap Anthropic spent billions closing. On top of that, unauthorized resellers have been selling access to Claude’s free tier for $1 a month and Pro subscriptions for as little as $12, cutting Anthropic out of revenue on its own product.

The tracker was built to catch exactly this: timezone patterns, proxy usage, connection signatures that might indicate someone wasn’t a normal developer but a lab running automated queries at scale. Whether it worked is a separate question. The intent wasn’t to watch ordinary users. The problem is that ordinary users were watched anyway, and never told.

You May Like: Open Source AI Coding Agents That Don’t Need a Subscription

Why the Method Mattered More Than the Intention

Thereallo’s post wasn’t arguing that Anthropic had no reason to act. It was arguing that the way Anthropic chose to act was the problem.

Hiding detection logic inside system prompts using steganographic markers, encoding signals in ways most users would never notice is a choice. Anthropic could have disclosed the behavior in release notes. It could have added an explicit telemetry field with documentation. It could have put a line in the terms of service. Any of those paths would have left users informed. None of them happened.

For a developer tool that already operates with significant access including reading code, running terminal commands, installing packages, pushing commits, the baseline expectation of transparency is higher, not lower. Thereallo flagged that Claude Code “already lives on the wrong side of a scary boundary.” Hiding monitoring inside that tool, even for legitimate reasons, pushed further past it.

The steganography detail is also worth sitting with. This wasn’t a standard analytics call that a moderately technical user might catch in network traffic. It was specifically designed not to be noticed. That design choice is harder to explain as an oversight.

What This Actually Costs Anthropic

The tracker is gone. The damage isn’t.

Alibaba moved fastest. Within days of the disclosure, the company banned employees from using Claude Code for work entirely, citing “back-door risks” in an internal memo. For Anthropic, losing Alibaba’s developer base isn’t just a China problem, it’s a signal about how enterprise customers respond when trust breaks, and enterprise customers talk to each other.

The broader cost is harder to measure but more significant. Anthropic’s competitive position in the frontier model race depends partly on being the lab that takes safety and user trust seriously. That positioning has real value: it shapes who builds on the platform, who advocates for it, and who defends it when the next controversy arrives. Thereallo put it plainly: “Hiding the signal in the system prompt makes every other privacy claim harder to believe.”

Anthropic is simultaneously asking developers to trust Claude Code with access to their codebases, asking regulators to trust it with AI policy, and asking the public to trust it as the responsible actor in the frontier race. Those asks get harder after this, not because the tracking was uniquely sinister, but because the gap between the company’s stated values and its revealed behavior is now documented and public.

The engineer who confirmed the tracker said Anthropic had been meaning to remove it for a while. That may be true. It would have been easier to believe before anyone had to find it themselves.

The Lab That Asked for Trust

Anthropic’s entire pitch was: to users, to regulators, to the public, is that it’s the AI company that takes these things seriously. Capable and trustworthy. That distinction is the product as much as the model is.

Hidden tracking code doesn’t end that pitch. But it makes it harder to deliver without footnotes.

Don’t miss any Tech Story

Subscribe To Firethering NewsLetter

You Can Unsubscribe Anytime! Read more in our privacy policy

LEAVE A REPLY

Please enter your comment!
Please enter your name here

YOU MAY ALSO LIKE
Leanstral AI

Leanstral 1.5: Mistral’s AI Built to Prove Math Ended Up Finding Real Software Bugs

0
Mistral built Leanstral to do something most AI models don't attempt, write formal mathematical proofs that a compiler can verify as correct. Not "pretty sure this is right" correct. Mechanically, provably, no-exceptions correct. That's a narrow use case, and the audience for it is small. What nobody expected was that a model trained on IMO-level math problems and abstract algebra benchmarks would end up running against open-source codebases and finding bugs that testing and fuzzing had both missed. Five of them previously unreported on GitHub.
Open Source AI Coding Agents That Don't Need a Subscription

7 Open Source AI Coding Agents That Don’t Need a Subscription

0
Open almost any "best AI coding tools" list and you'll see the same names: Cursor, GitHub Copilot, Claude Code. They're good tools but they're also closed source and paid. What's changed over the past year isn't the quality of those products, it's how quickly the open-source alternatives have caught up. Some can orchestrate multiple agents, remember your projects across sessions, and automate complex development workflows. Many let you bring your own model, whether that's a local LLM, OpenRouter, OpenAI, GLM-5.2, Ornith, DeepSeek, or something else entirely. More importantly, you're in control. You decide where your code runs, which model powers it, and how your workflow evolves without being locked into a single company's ecosystem. If you've only looked at the paid options, these are the open-source AI coding tools worth knowing about.
Ornith Coding model that beats Claude opus 4.7

Ornith 1.0: The New Open-Source AI Model for Agentic Coding

0
Most reinforcement learning setups for coding models work the same way. Researchers build a harness, a fixed scaffold that tells the model how to approach a category of task, then the model gets rewarded for solving problems inside that structure. The harness stays fixed. Only the model's answers change. Ornith-1.0, a new open-source coding model family from DeepReinforce is not just about coding, Instead the model writes its own scaffold. At every training step, it looks at the task in front of it and the scaffold it used last time, then proposes a better version of that scaffold before even attempting an answer. The reward doesn't just grade the solution. It grades the scaffold that produced it. That's a small architectural choice with a strange consequence. A model that gets to design its own training process can, in theory, design one that cheats the verifier instead of solving the actual problem, and DeepReinforce is upfront that this happened during training. The fix they built for it is also worth understanding before getting to the benchmark numbers.