简而言之 在研究人员发现用于识别某些中国用户的代码后,Anthropic 从 Claude Code 中删除了隐藏的跟踪标记。 该公司表示,该实验的目的是防止账户滥用并检测可能的人工智能模型蒸馏。 这一发现出现之际,Anthropic 敦促立法者打击未经授权复制前沿人工智能模型的行为。 在一名安全研究人员发现 AI 编码助手使用未公开的标记来识别某些用户的位置、代理使用以及与中国 AI 实验室的可能链接后,Anthropic 从 Claude Code 中删除了隐藏的跟踪系统。 该功能由开发者“Thereallo”于 6 月发现,它在 Claude Code 的系统提示中嵌入了信号,可以标记 Anthropic 认为正在绕过限制或试图提取模型功能的用户。 “Anthropic 可能想要检测 API 经销商、未经授权的 Claude Code 网关以及‘蒸馏攻击’管道模型,”Thereallo 写道。 “指向已知经销商域的自定义 ANTHROPIC_BASE_URL 是一个有用的信号。包含 deepseek 或 zhipu 的主机名也是一个有用的信号。”
Thereallo 表示,Anthropic 尝试检测经销商、未经授权的 Claude Code 网关和潜在的蒸馏攻击是有道理的,但批评了其做法,指出 Claude Code 使用 Unicode 标记和编码域列表在系统提示中隐藏跟踪信号,而不是通过文档或发行说明披露系统。 Thereallo 写道:“这不是恶意功能,但对于需要信任的开发人员工具来说,这是一个奇怪的选择。” 该跟踪器在网上曝光后,Anthropic 工程师 Thariq Shihipar 在 X 上表示,该跟踪器于 3 月份推出,作为一项“实验”,旨在阻止未经授权的经销商滥用账户并保护 Claude 免受蒸馏攻击。 Shihipar 上周写道:“从那时起,该团队已经采取了更强有力的缓解措施,实际上我们已经打算将其取消一段时间了。” “我们合并了[拉取请求],这应该会在明天的版本中完全回滚。”
这一消息发布之际,Anthropic 加大了对人工智能模型蒸馏的警告力度,即一个系统的输出用于训练另一个模型。虽然这种做法在人工智能研究中很常见,但当涉及到地缘政治时,蒸馏就成为国家安全问题。本月早些时候,出于安全考虑,阿里巴巴禁止员工使用 Claude Code,称该工具为“高风险”软件。 今年 2 月,Anthropic 指控中国人工智能开发商 DeepSeek、Moonshot AI 和 MiniMax 使用欺诈账户提取数百万个 Claude 响应来训练竞争模型。这些说法遭到了批评者的反对,他们质疑这种做法与整个人工智能行业使用的方法有何不同。 今年 4 月,埃隆·马斯克 (Elon Musk) 作证称,xAI 在训练 Grok 时“部分”使用了 OpenAI 模型,并称蒸馏是一种更广泛的行业实践。今年 6 月,Anthropic 首席执行官达里奥·阿莫迪 (Dario Amodei) 指控阿里巴巴相关运营商使用近 25,000 个欺诈账户生成了 2880 万个 Claude 交易,敦促国会加强对外国人工智能提取的保护。 Anthropic 没有立即回应 Decrypt 的置评请求。 每日简报时事通讯
以及原创专题、播客、视频等开始。
In brief
Anthropic removed hidden tracking markers from Claude Code after researchers discovered code used to identify some Chinese users.
The company said the experiment was intended to prevent account abuse and detect possible AI model distillation.
The discovery comes as Anthropic pushes lawmakers to crack down on unauthorized copying of frontier AI models.
Anthropic has removed a hidden tracking system from Claude Code after a security researcher discovered the AI coding assistant was using undisclosed markers to identify some users’ location, proxy use, and possible links to Chinese AI labs.
The feature, discovered in June by developer “Thereallo,” embedded signals in Claude Code’s system prompts that could flag users Anthropic believed were bypassing restrictions or attempting to extract model capabilities.
“Anthropic probably wants to detect API resellers, unauthorized Claude Code gateways, and model 'distillation attack' pipelines,” Thereallo wrote. “A custom ANTHROPIC_BASE_URL pointing at a known reseller domain is a useful signal. A hostname containing deepseek or zhipu is also a useful signal.”
Thereallo said Anthropic’s attempt to detect resellers, unauthorized Claude Code gateways, and potential distillation attacks made sense, but criticized how it was done, noting that Claude Code hid tracking signals inside system prompts using Unicode markers and encoded domain lists rather than disclosing the system through documentation or release notes.
“This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust,” Thereallo wrote.
After the tracker was revealed online, Anthropic engineer Thariq Shihipar said on X that it was introduced in March as an “experiment” to stop account abuse by unauthorized resellers and protect Claude from distillation attacks.
“The team has landed stronger mitigations since then and we’ve actually been meaning to take this down for a while,” Shihipar wrote last week. “We merged the [pull request] and this should be fully rolled back in tomorrow’s release.”
The news comes as Anthropic has stepped up warnings about AI model distillation, where one system’s outputs are used to train another model. While the practice is common in AI research, when it comes to geopolitics, distillation becomes a national security concern. Earlier this month, Alibaba banned employees from using Claude Code, calling the tool “high-risk” software over security concerns.
In February, Anthropic accused Chinese AI developers DeepSeek, Moonshot AI, and MiniMax of using fraudulent accounts to extract millions of Claude responses to train competing models. The claims drew pushback from critics who questioned how the practice differs from methods used across the AI industry.
In April, Elon Musk testified that xAI had “partly” used OpenAI models while training Grok, calling distillation a broader industry practice. In June, Anthropic CEO Dario Amodei urged Congress to strengthen protections against foreign AI extraction after alleging Alibaba-linked operators generated 28.8 million Claude exchanges using nearly 25,000 fraudulent accounts.
Anthropic did not immediately respond to a request for comment by Decrypt.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.