Anthropic removed a hidden tracking system from its developer product Claude Code after the mechanism was discovered in June by a security researcher known as Thereallo. The tracker embedded signals in Claude Code’s system prompts to flag users the company believed were bypassing content restrictions or attempting to extract model capabilities. The feature had been introduced earlier as an experiment intended to stop account abuse by unauthorized resellers and to protect Claude from distillation attacks.
The hidden tracking system was implemented by embedding signals within Claude Code’s system prompts, where those markers were intended to identify specific user activity. Documented signal types included a custom ANTHROPIC_BASE_URL that pointed at a known reseller domain and hostnames containing the strings ‘deepseek’ or ‘zhipu’. Those embedded indicators were used to flag users Anthropic believed were bypassing content restrictions or attempting to extract model capabilities. The description of the signals does not include further technical mechanisms beyond their presence in system prompts.
Anthropic introduced the feature in March as an experimental measure. The stated goals of the experiment were to stop account abuse by unauthorized resellers and to protect Claude from distillation attacks. A team member, Thariq Shihipar, said the feature would be rolled back in tomorrow’s release, stating that the corresponding code change had been merged. The team described the upcoming change as a reversal of the experimental measure.
After the tracker’s discovery, reported security concerns included a ban by Alibaba on employee use of Claude Code. Alibaba described Claude Code as “high-risk” software over security concerns. The reported corporate ban was part of the coverage following disclosure of the embedded tracker.
In February, Anthropic accused Chinese AI developers DeepSeek, Moonshot AI, and MiniMax of using fraudulent accounts to extract millions of Claude responses to train competing models. The accusation named those three developers by name. The reported allegation described the activity as using fraudulent accounts to obtain large volumes of Claude output for training purposes.
In June, Anthropic CEO Dario Amodei urged Congress to strengthen protections against foreign AI extraction. Amodei alleged that Alibaba-linked operators generated 28.8 million Claude exchanges using nearly 25,000 fraudulent accounts. The June statement presented those figures in the context of calls for stronger policy protections.
The paragraphs above summarize reported corporate and public responses tied to the tracker’s disclosure. Coverage cited a corporate ban, public accusations of large-scale extraction, and a policy appeal to lawmakers.
Anthropic removed the hidden tracking system from Claude Code after the mechanism was discovered in June by a security researcher. A team member, Thariq Shihipar, said the experimental feature would be rolled back in an upcoming release, and Anthropic did not immediately respond to Decrypt’s request for comment on the situation.


