Anthropic's Claude AI language model contains undisclosed code designed to track users from geographically restricted countries, according to security researchers who discovered the mechanism operates even when users employ VPN or proxy services. The hidden functionality, active since April 2026, currently targets China by detecting local time zones and identifying proxies linked to Chinese companies and AI laboratories, marking requests invisibly in system prompts for server-side review by Anthropic.
The tracking mechanism appears engineered as a universal geofencing tool capable of future expansion to other restricted markets, though it currently focuses on Chinese IP infrastructure and time zone signatures including Asia/Shanghai and Asia/Urumqi. Security analysts have flagged the covert implementation as particularly concerning given the absence of official disclosure or user consent mechanisms, raising questions about Anthropic's content moderation transparency and compliance reporting practices.
The discovery emerged as Anthropic announced Claude Sonnet 5, described as the most agentic model in its Sonnet lineup. The new iteration improves multi-step task planning, increases tool utilization, and extends autonomous operation windows while maintaining cost efficiency closer to earlier Sonnet versions than to the more capable Claude Opus 4.8, positioning it as a competitive offering for enterprise deployment scenarios.