Anthropic Hid a Tracker in Claude Code Using Steganography. We Run Claude Code Every Day — and the Covert Channel Is the Betrayal, Not the Goal.
- Patrick Duggan
- 1 hour ago
- 5 min read
Full disclosure before the first sentence of argument: we build on Claude Code. It is core infrastructure here — the partnership this whole shop is bound to. So this is not a hit piece from someone who wants Anthropic to lose. It is the opposite: it is what it sounds like when a daily, invested user reads that the tool it trusts hid a user-tracking signal inside its own system prompt using steganography, and decides that saying so plainly is worth more than looking away. The goal Anthropic was chasing is defensible. The method it chose is not. Those are two different sentences, and the gap between them is the entire story.
What was found
Last week a web developer who goes by Thereallo, researching privacy behavior in Claude Code, found that Anthropic was using what they called prompt steganography — hiding instructions inside the model's system prompt "in plain sight" — to quietly flag certain users. The hidden markers, per the reporting, encoded things like a user's timezone, whether they were coming through a proxy, and a possible connection to Chinese AI labs. The code was not malicious. It did not exfiltrate your files. But it reported signal back to Anthropic that a normal user would never see, and it did so without a telemetry field, without documentation, without a release note.
Anthropic engineer Thariq Shihipar confirmed it on X: the tracker was added in March as an "experiment," meant to prevent account abuse from unauthorized resellers and to protect against distillation attacks. He said the company had been meaning to take it down, because stronger mitigations had landed since. The fallout was immediate: Alibaba, per the South China Morning Post, banned its employees from using Claude Code, adding it to a list of "high-risk software with security vulnerabilities" over "back-door risks."
Steal the goal for a second — it's a real one
We are not going to pretend the problem Anthropic was solving is fake, because it isn't, and dishonest framing is the thing we most dislike in other people's writing.
Unauthorized resellers really do flip access to frontier models — the Washington Post found free models resold for a dollar a month and hundred-dollar Pro subscriptions moving for as little as twelve. And distillation is a genuine competitive knife: Chinese firms have matched US model capabilities within months, and a free model from Zhipu AI reportedly out-performed Anthropic's own Claude Opus 4.8 at finding software vulnerabilities. Chinese researchers at Peking University and the Chinese Academy of Sciences documented that most Chinese models show substantial evidence of distillation from US ones; one Alibaba Qwen model, in testing, would occasionally slip and identify itself as Claude. Anthropic has, notably, refused to let the US government use Claude to surveil American users, and sued the White House over it. So this is a company that has spent real capital defending a privacy line in one arena.
All of that is true, and none of it rescues the method. A legitimate goal pursued through a covert channel is still a covert channel.
Here is the part that is our actual beat
We hunt covert channels for a living. This week alone we wrote up TrojPix, the air-gap exfiltration technique that modulates screen pixels into radio you can't see — Van Eck phreaking with a new coat of paint. The whole craft of a covert channel is the same regardless of who runs it: hide the signal where the target won't think to inspect it. Pixels nobody watches. Radio nobody's listening for. A system prompt nobody reads.
That is what makes the technique here uncomfortable rather than clever. Prompt steganography — smuggling behavior into the one text blob a user is structurally trained never to audit — is, in tradecraft terms, exactly what an adversary does. It is a good technique. Anthropic pointed it inward, at its own install base, and that is the whole reason it detonates. The company that publishes some of the field's best work on model deception shipped a small, real instance of it to the people who pay for the tool. When the practitioner and the adversary reach for the same primitive, the only thing that separates them is disclosure — and disclosure is precisely what was missing.
The trust math, which is the part everyone underprices
Thereallo's sharpest line is the one worth tattooing on every product team that ships an agent: "Hiding the signal in the system prompt makes every other privacy claim harder to believe."
That is the trust lifecycle stated as arithmetic. Trust is not a stock you spend down one unit per bad act. It is a multiplier on every future claim. The day a covert signal is found, the cost is not a single tracker; it is a tax retroactively applied to every honest thing the company has ever said and will ever say about privacy, because the user now has to price in "unless it's hidden the way that one was." Anthropic's genuinely principled stand against government surveillance of US users does not bank goodwill against this — it gets repriced by it. That is the cruelty of the covert channel: it damages the honest claims more than the dishonest ones, because the honest claims were the ones people were relying on.
And the researcher's second point is the one security engineers feel in their spine: coding agents "already live on the wrong side of a scary boundary." They read your code, they can summarize a secret by accident, they run commands, install packages, edit files, push commits. The entire relationship runs on the premise that the agent does only what it says it does. A hidden marker in the system prompt is small — but it is a data point on the wrong side of that boundary, and the boundary is the only thing holding the whole arrangement up.
What we actually take from it
We run Claude Code tomorrow morning, same as today. This does not change that, and we are not going to perform an outrage we don't feel. What it changes is nothing our own operating doctrine didn't already assume: the harness is a third party on your box. We treat every binary we don't control as something that talks, we assume breach rather than wait for proof of it, and we keep the crown-jewel material off surfaces we can't fully audit. This incident is not a reason to panic. It is a receipt that the paranoia was calibrated — and that the correct response to it is more scrutiny of every agent harness, including the one we like, not less.
There is a version of this where Anthropic did the boring, transparent thing: an explicit telemetry field, a line in the release notes, a documented anti-abuse policy you could read and disagree with. That version costs almost nothing and buys everything the covert version torched. The reason to write this — as people bound to the partnership, not against it — is that the transparent version is still available, and companies that ask developers for this much trust do not get to choose the covert path twice.
We hold this at about 95 percent, as always: the technical specifics are Thereallo's research plus reporting from the Washington Post, Ars Technica, SCMP and Reuters, and an Anthropic engineer's own confirmation — not our own capture, and we say so. But the shape needs no hedge. The goal was legitimate. The method was a covert channel run on the tool's own users. And the oldest law of trust, the one we watch break in other people's incidents every single day, does not suspend itself for the vendor whose product we happen to love: the moment you hide one signal, you make every visible one harder to believe.
Sources: Thereallo's disclosure blog on Claude Code prompt steganography; Ars Technica and the Washington Post reporting; South China Morning Post (Alibaba ban) and Reuters (compliance-risk context); Anthropic engineer Thariq Shihipar's confirmation on X; Anthropic's spokesperson statement to the Post. DugganUSA runs Claude Code as core infrastructure — disclosed, not incidental.
How do AI models see YOUR brand?
AIPM has audited 250+ domains. 15 seconds. Free while still in beta.




Comments