Anthropic is removing its covert code for catching Chinese competitors

johnbarron1 pts0 comments

Anthropic is removing its covert code for catching Chinese competitors

Jump to main content

Search

REG AD

ai and ml

Anthropic is removing its covert code for catching Chinese competitors

Oh, yeah, we've been meaning to disable our secret steganography system

Thomas Claburn

Thomas<br>Claburn

Senior reporter

Published<br>wed 1 Jul 2026 // 21:56 UTC

Anthropic says that it plans to remove hidden codes it added to Claude Code several months ago to catch other AI companies that are trying to steal from its models.<br>Thariq Shihipar, an engineer at Anthropic who works on the Claude Code team, said on Tuesday that a fix should appear on July 1.<br>"This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation," Shihipar explained, using the industry term for copying AI models through repeated queries. "The team has landed stronger mitigations since then and we’ve actually been meaning to take this down for a while."

REG AD

He said that the pull request to remove the code has been merged and should appear in Wednesday's Claude Code release.

REG AD

The experiment, as described by a developer who goes by the name Thereallo, consisted of applying steganography – hiding secret data in plain sight – to the Claude Code system context that gets passed to Anthropic's servers.<br>The relevant code checks Claude Code's base URL environment variable, used to route API requests to a proxy or gateway. If the base URL has been overridden, the code goes on to check the system timezone and whether the hostname matches any entry in a list of known Chinese AI labs, other AI companies, account resellers, and gateway domains.<br>Thereallo said that while it makes sense that Anthropic might try to detect a hostname associated with a Chinese AI rival or a reseller, the implementation should not have been concealed.<br>"[Claude Code] silently alters the system prompt using invisible-ish Unicode markers," Thereallo wrote. "It encodes proxy / gateway classification into a sentence that looks like plain English. It hides the domain list behind XOR and base64. This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust."<br>Asked whether Anthropic disclosed its covert usage tracking mechanism in any of its terms of service documents, a company spokesperson pointed to Shihipar's remarks, which did not address that question.<br>Nor did Anthropic's spokesperson immediately respond to a request to specify what "stronger mitigations" have been implemented to prevent unauthorized resellers and distillation.

MORE CONTEXT

An artificial cell with a full lifecycle has been created for the first time

AI search could kill the web without new quality signals and revenue models

Red teamers turned Claude Desktop into a double agent to do their evil bidding

NASA unsure Boeing Starliner will ever be certified for human flight

In February, shortly before the implementation of the steganographic codes, the AI biz said that it was investing in defenses against distillation. These included detection via classifiers and behavioral fingerprinting systems, intelligence sharing with other AI labs, access controls, and countermeasures that make it harder to use model output to reproduce the model.<br>One such defense came to light when the company's Claude Code source leaked. The coding agent includes a Typescript file with a flag called ANTI_DISTILLATION_CC. The flag, when set, injects fake tool data into API requests in an attempt to make that data toxic for model training.

REG AD

Even with its technical defenses against competition, Anthropic urged the AI industry, cloud providers, and government to respond to the threat of model distillation. A recent White House Executive Order that articulates the intent to protect US AI from foreign adversaries shows that the feds have some interest in answering that call. ®

ai and ml<br>ai<br>claude code<br>distillation<br>anthropic

REG AD

security

Pacemaker manufacturer Medtronic warns patients cybercrooks may have swiped health data

Company that also makes insulin pumps and other devices tells users what was exposed months after ShinyHunters attack

Security

India gives WhatsApp three days to defend username rollout amid security fears

Government of the messenger's largest market demands a pause while Meta explains how it plans to stop impersonators

When backups aren't enough: the case for real disaster recovery

PARTNER CONTENT: The gap between having a backup and actually recovering from a disaster is wider than most IT teams realize

cyber-crime

Oracle E-Business Suite was under attack via critical flaw before the public exploit code was even released

Attackers appear to have reverse-engineered Big Red's patch

Offbeat

Boffins peg narcissistic leadership as the real driver behind 'return to office' demands

It's not about productivity; it's about bosses missing their daily ego fix

offbeat

Connect,...

code anthropic claude chinese distillation covert

Related Articles