Anthropic told the Pentagon no. The safety-first AI lab refused Department of Defense demands to let Claude operate without guardrails against mass surveillance, according to CNBC — even at the cost of government contracts, a principled position that makes the covert tracking that followed all the more striking. That same company quietly shipped hidden tracking code inside Claude Code v2.1.91 in early April 2026, secretly tracking Chinese developers with no mention in the release notes.
How the Tracking Actually Worked
A security researcher found Unicode tricks and obfuscated domain lists hiding in plain sight.
Consider routing Claude Code through a custom API gateway — standard practice for enterprise teams. The tool gave no indication it was quietly reading your system timezone and comparing your proxy hostname against a secret list. Here’s what researcher “Thereallo” found after reverse-engineering the binary:
- Claude Code detected overridden API base URLs, flagging proxy or gateway connections
- System timezone checked against Asia/Shanghai and Asia/Urumqi
- Proxy hostnames matched against a hardcoded list of Chinese AI labs, resellers, and gateway domains
- Instead of standard telemetry, the tool used prompt steganography — hiding signals in plain text, invisible to humans but readable by Anthropic’s servers — swapping the apostrophe in “Today’s date is” among three nearly identical Unicode characters to encode whether the connection was Chinese, AI-lab-linked, or both
- Detection logic was XOR-obfuscated with key 91 and buried behind Base64 encoding
“This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust,” Thereallo wrote. These kinds of covert behaviors echo broader tech scandals in which corporate actions diverged sharply from public promises.
Anthropic engineer Thariq Shihipar confirmed on X that the code was an “experiment we launched in March” to fight account abuse and distillation — where rivals query commercial models millions of times to train competing systems. Alibaba’s Qwen model reportedly mimicked Claude so closely it occasionally identified itself as Claude during tests, according to The Information. Anthropic says stronger mitigations had already made the tracker obsolete, and the removal PR merged for the July 1 release. That the removal came after public exposure, not before, tells its own story.
The Trust Problem Doesn’t Go Away With a Pull Request
Alibaba banned the tool internally, and critics question whether Anthropic’s anti-surveillance principles have geographic limits.
Alibaba called Claude Code “high-risk software with security vulnerabilities” in an internal memo, according to The Next Web. Thereallo’s sharpest point: Anthropic could have used transparent telemetry fields, documented the policy, and included the behavior in changelogs. The secrecy was a choice. It’s the AI equivalent of a restaurant proudly posting its health inspection score while quietly reheating yesterday’s fish — the brand promise and the kitchen don’t match. This pattern of AI labs secretly funded or quietly running covert operations counter to their public stances is becoming harder to ignore.
An Anthropic spokesperson described distillation attacks as posing “a serious threat to national security,” according to The Information — framing that positions the tracker as a surveillance app serving geopolitical defense rather than a simple security measure.
When a tool with filesystem access, code execution rights, and commit privileges can hide Unicode signals in your prompts undetected for months, the real question isn’t whether this particular tracker caused harm. It’s what you won’t catch next time.




























