Today in Surveillance:
- Anthropic hid an invisible Unicode tracker inside Claude Code. An independent researcher writing as Thereallo found that the CLI was rewriting a routine "Today's date is..." string so the apostrophe character and the date separator encoded a four-bit classifier: Chinese AI lab hostname, lab keyword list, timezone in Asia/Shanghai or Asia/Urumqi, and proxy-or-gateway status. Anthropic engineer Thariq Shihipar described it as "an experiment we launched in March." The removal landed July 1, 2026 [1][2][3][4].
- Amnesty Security Lab and CDT Europe asked the European Commission to investigate the Pegasus infection of former PEGA MEP Stelios Kouloglou. The July 6, 2026 joint statement calls on DG ITEC to identify the responsible Pegasus customer, publicly respond to the May 2023 PEGA recommendations, guarantee victim remedies, and reform the 2021 Dual-Use Regulation [5][6][7].
- Google and the FBI degraded the NetNut residential proxy network, estimated at two million hijacked consumer devices. Google Threat Intelligence Group observed 316 distinct threat clusters using suspected NetNut exit nodes in a single week in June 2026, including cybercriminal and espionage groups. The proxy pool was weighted toward small TV-streaming hardware [8][9].
- Patreon switched on Cloudflare Crawl Control platform-wide, default-blocking AI training crawlers at the network edge. The July 9 announcement is the second major creator-platform deployment after Cloudflare's June 23 partnership with newsletter platform beehiiv. Cloudflare's own data says AI training crawlers now account for 52 percent of crawler requests, up from 22 percent in spring 2025 [10][11][12][13].
Anthropic Hid an Invisible Unicode Tracker in Claude Code
An independent developer writing as Thereallo disclosed that Anthropic embedded a steganographic classifier inside Claude Code, the company's command-line agent. The mechanism read the user's ANTHROPIC_BASE_URL environment variable, parsed the hostname, read the system timezone, and silently rewrote a "Today's date is..." string in the system prompt so that the apostrophe character, and the date separator, encoded a four-bit signal about who was running the request [1][2].
The first bit was the apostrophe. A plain ASCII apostrophe meant neither the host nor the lab-keyword list matched. A right single quotation mark meant the host matched. A modifier letter apostrophe meant the lab-keyword list matched. A modifier letter prime meant both matched. The second bit was the date separator: hyphens became slashes when the system timezone was set to Asia/Shanghai or Asia/Urumqi. The blocklists themselves were base64-encoded and XOR-scrambled inside the bundle, with the decoded lab-keyword list naming multiple Chinese AI labs and the decoded domain list naming hostnames including baidu.com, alibaba-inc.com, bytedance.net, kuaishou.com, moonshot.ai, and a set of proxy and gateway services [2][3].
Anthropic engineer Thariq Shihipar confirmed the mechanism on X and described it as "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers." He added that the goal was to "protect against distillation" and that "the team has landed stronger mitigations since then and we've actually been meaning to take this down for a while." A spokesperson, pressed by The Register on whether Anthropic's terms of service disclosed the marker, pointed back to Shihipar's remarks and did not specify what the "stronger mitigations" were. The Register reported the removal on July 1, 2026, the same day Anthropic merged the removal pull request [1].
The privacy reading is the same one Thereallo put on the disclosure: a vendor that ships a local client can ship anything inside the client, and a Unicode marker inside a date string is designed to be invisible to a reader and decoded by the vendor's backend. Most users will never read the raw bundle. For an industry that has spent three years publishing "trust us" statements about on-device processing and inference that never leaves the user's machine, a hidden exfiltration channel into the system prompt is a credibility hit. The Malwarebytes walkthrough recommends the practical mitigations: record hashes of AI clients, avoid unsupervised auto-updates, and run network inspection on AI client traffic so a Unicode-encoded marker shows up as an unusual payload rather than a clean request body [3]. The full brief tracks the disclosure and the Anthropic response [4].
EU Civil-Liberties Groups Ask the Commission to Investigate a Pegasus Hit on a PEGA MEP
Amnesty International's Security Lab and the Centre for Democracy and Technology Europe issued a joint statement on July 6, 2026 responding to Citizen Lab's confirmation three days earlier that former Greek MEP Stelios Kouloglou had been infected with Pegasus twice in 2022 and 2023 while serving as a substitute member of the European Parliament's PEGA Committee. Elina Castillo Jiménez, advocacy and policy advisor at Amnesty's Security Lab, framed the case as "another wake-up call that the protections that were put in place to prevent this kind of abuse are still not being implemented in Europe" [5][6].
The two groups are asking the EU to deliver on four specific items. First, the EU's Directorate-General for Information Technologies and Cybersecurity must launch a thorough investigation and identify the Pegasus customer behind it. Second, the Commission must "urgently and publicly" respond to the PEGA Committee recommendations adopted in May 2023 and disclose what has been implemented. Third, victims of EU spyware abuse must be guaranteed effective remedies, including access to evidence and notification when surveillance is later confirmed. Fourth, the 2021 Dual-Use Regulation that governs spyware exports has to be reformed to reflect the PEGA recommendations [5].
The Commission has not named an attacker in any of the EU's prior spyware cases. Greece convicted four Intellexa-connected individuals in February 2026 to prison terms of 126-plus years each, capped at eight years pending appeal, in a case involving 87 high-profile Greeks targeted with Predator spyware. Spain dismissed its national intelligence director after Pegasus infections of Prime Minister Pedro Sánchez and several ministers. Poland has charged former intelligence officials under its own inquiry. Hungary was confirmed as a Pegasus customer in 2021. None of those national proceedings produced a Commission-level finding, and the Amnesty / CDT demand for a DG ITEC investigation is the first time civil-society groups have publicly asked the Commission's own cybersecurity directorate to take point on a Pegasus case [5]. The Citizen Lab tie to the 2024 Pegasus campaign against exiled Russian, Latvian, and Belarusian journalists and activists is the attribution lead [7]. The full brief carries the joint statement and the PEGA recommendations backlog [14].
NetNut: Two Million Hijacked Consumer Devices, Sold as a Residential Proxy
Google Threat Intelligence Group, the FBI, Lumen, and Shadowserver announced a coordinated disruption of NetNut, also tracked as Popa, on July 2 and 3, 2026. GTIG put the network's size at "at least 2 million devices, distributed across the world" and said the action "caused significant degradation to NetNut's proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions." The Register's write-up of the KrebsOnSecurity summary noted that the netnut.com domain was replaced with a "this website has been seized" splash page [8][9].
Most of the devices were small TV-streaming hardware. GTIG described the enrollment path bluntly: "Home devices become part of proxy networks either because they are pre-installed with malware before purchase or because users unknowingly download applications containing hidden proxy code." NetNut did not infect devices itself. It distributed software development kits that resold bandwidth, paid a small fee for running the code, and routed the resulting traffic through the home internet connection as an "exit node." GTIG identified NetNut botnet plugin components "for large-scale botnets such as Badbox 2.0," and pointed to public research by Synthient, Spur, and Nokia Deepfield documenting signs of NetNut being used to infect devices with variants of the Mirai DDoS malware [8].
In a single week in June 2026, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, "including cybercriminal and espionage groups." The named use cases were masking the attacker's origin IP when "accessing victim environments, accessing their own infrastructure, and conducting password spray attacks." Google also said it has "high confidence that many popular residential proxy brands are in fact whitelabeling the NetNut botnet," which means a takedown of the operator does not necessarily reach the brands reselling its capacity under different names [8].
The privacy cost was the home network. Google wrote that when a consumer device becomes an exit node, "unauthorized network traffic passes through it. This means bad actors can access other private devices on the same home network, effectively exposing them to Internet threats." A $30 streaming box enrolled in NetNut was, by Google's description, a routing intermediary that let external attackers reach the laptops, phones, NAS drives, and work-issued devices sitting on the same LAN. The residential IP the proxy was selling was not just a mask; it was a doorway [8][9]. The full brief carries the GTIG numbers and the Badbox 2.0 supply-chain angle [15].
Patreon Switches on Cloudflare Crawl Control Platform-Wide
On July 9, 2026, Patreon founder and CEO Jack Conte published a video and Instagram post confirming platform-wide deployment of Cloudflare's Crawl Control across every creator post on the platform. Search crawlers remain permitted so creators can still be discovered through Google and Bing. AI-generated content is not banned; the existing AI content policy from 2025 remains in place. Conte framed the move in consent language: "Creators deserve credit, compensation, and consent. If that's not on the table, the crawlers can stay the fuck off Patreon." Drew Rowny, Patreon's senior vice president of product, told 404 Media that "on most of the Internet, creators have to accept AI training on their work just to reach and grow an audience," and the deployment reframes that default [10].
Cloudflare's taxonomy now classifies bots into Search, Agent, and Training, plus Transact, Data Collection, Security Testing, SEO, Ads Verification, Social/Link Preview, Feed Fetching, and Monitoring and Operations. Beginning September 15, 2026, all new Cloudflare domains will block Training and Agent bots by default on pages that display ads. Multi-purpose crawlers such as Googlebot, Applebot, and BingBot are now evaluated by all the behaviors they exhibit, not just by the bot name on the wire. The Patreon deployment sits on top of this taxonomy and turns the default on for the entire creator base. The same architecture was offered to newsletter platform beehiiv on June 23, 2026 [11][13][16].
Cloudflare's agentic Internet bot report, published July 1, 2026, frames the timing. The report found that AI training crawlers now account for 52 percent of crawler requests across Cloudflare's network, up from 22 percent in spring 2025, and that mixed-use crawlers account for over 36 percent of requests. Over 50 percent of all internet traffic is now non-human, a threshold crossed for the first time in the report's measurement. Cloudflare serves over 20 percent of the web, 36 percent of the most-visited sites, and 40 percent of the Fortune 1000 (the report cites the Fortune 500 in places and "Fortune 1000" in others). A default-block policy decision made at Cloudflare is, in practice, a policy decision for a meaningful slice of the open web [12]. The full brief covers the Crawl Control taxonomy and the beehiiv partnership [17].
What to Watch This Week
Anthropic's postmortem. Shihipar described the Claude Code marker as "an experiment we launched in March" and said the team "had been meaning to take this down for a while." A formal postmortem that names the marker, the dates it ran, the data it sent, and the retention policy for the collected signal is the next obvious document [1].
The "stronger mitigations" Shihipar referenced. The Register asked Anthropic to specify what those mitigations are and got no answer. Watch for a documentation update, a configuration flag, or a transparency report that names the new client-side classifier [1].
Commission response on Kouloglou. The Amnesty / CDT ask for a DG ITEC investigation and an "urgent and public" status update on the May 2023 PEGA recommendations is the procedural pressure point. The PEGA recommendations sat on the Commission's desk without a published implementation roadmap. The Dual-Use Regulation reform is the harder test: reform proposals have been in circulation for two years without a Council vote [5].
NetNut resellers. Google says whitelabel resellers powered by NetNut are likely. If those brands keep operating under different names after the July 2 disruption, the same traffic will keep flowing under a new label. Neither Google's write-up nor the KrebsOnSecurity summary referenced a public indictment or DOJ press release; the FBI is named as a partner and the charges, if any, are not yet public [8].
September 15 default flip. New Cloudflare domains block Training and Agent bots on ad-displaying pages by default beginning September 15, 2026. Existing customers will need to opt in to keep the old behavior. The first round of opt-in and opt-out telemetry will be the natural read on how many publishers actually want the crawl [11].
Sources
- The Register, Thomas Claburn: Anthropic is removing its covert code for catching Chinese competitors (July 1, 2026). https://www.theregister.com/ai-and-ml/2026/07/01/anthropic-is-removing-its-covert-code-for-catching-chinese-competitors/5265366
- Thereallo: Claude Code Is Steganographically Marking Requests (researcher disclosure, June/July 2026). https://thereallo.dev/blog/claude-code-prompt-steganography
- Malwarebytes, Pieter Arntz: Claude Code's hidden tracker was an "experiment," says Anthropic (July 7, 2026). https://www.malwarebytes.com/blog/news/2026/07/claude-codes-hidden-tracker-was-an-experiment-says-anthropic
- State of Surveillance: Anthropic Hid a Steganographic Tracker in Claude Code, the brief on the disclosure and the Anthropic response. /news/anthropic-claude-code-steganographic-tracker-discovery-2026
- The Register: "EU urged to act after Pegasus infects phone of spyware inquiry MEP" (July 6, 2026). https://www.theregister.com/security/2026/07/06/eus-latest-spyware-scandal-prompts-calls-for-urgent-action/5267054
- Citizen Lab: "Member of Committee Investigating Spyware Hacked with Pegasus" (Report 194, July 3, 2026). https://citizenlab.ca/research/member-of-committee-investigating-spyware-hacked-with-pegasus/
- Access Now / Citizen Lab: Joint investigation on Pegasus targeting of exiled Russian and Belarusian journalists and activists in Europe (2024). https://citizenlab.ca/research/pegasus-russian-belarusian-speaking-opposition-media-europe/
- Google Cloud: "Google's Continued Disruption of Malicious Residential Proxy Networks" (July 2, 2026). https://cloud.google.com/blog/topics/threat-intelligence/google-continued-disruption-residential-proxy-networks/
- The Register: "Netnut cracked as Google and FBI target 2-million-device botnet" (July 3, 2026). https://www.theregister.com/security/2026/07/03/netnut-cracked-as-google-and-fbi-target-2-million-device-botnet/5266414
- 404 Media, Samantha Cole: "Patreon Blocks Crawlers From Stealing Creators' Work for AI Training" (July 9, 2026). https://www.404media.co/patreon-cloudflare-partnership-ai-crawlers/
- Cloudflare blog, Jin-Hee Lee and Bryan Becker: "Your site, your rules: new AI traffic options for all customers" (July 1, 2026). https://blog.cloudflare.com/content-independence-day-ai-options/
- Cloudflare blog: "Content Independence Day, one year on: building the business model for the agentic Internet" (July 1, 2026). https://blog.cloudflare.com/agentic-internet-bot-report/
- Cloudflare press release: "Cloudflare and beehiiv Introduce AI Crawl Controls to Help Independent Publishers Navigate the AI Era" (June 23, 2026). https://www.cloudflare.com/press/press-releases/2026/cloudflare-and-beehiiv-introduce-ai-crawl-controls-to-help-independent-publishers-navigate-the-ai-era/
- State of Surveillance: EU Civil-Liberties Groups Demand Action on Pegasus Hit on PEGA MEP, the brief on the joint statement and PEGA recommendations backlog. /news/eu-amnesty-cdt-pegasus-kouloglou-pega-action-call-2026
- State of Surveillance: NetNut Botnet Turned 2 Million Smart TVs Into Proxy Exit Nodes, the brief on the GTIG numbers and the Badbox 2.0 supply-chain angle. /news/netnut-popa-residential-proxy-botnet-google-fbi-takedown-2026
- Nieman Lab: "Beehiiv's new Cloudflare partnership gives indie journalists a new level of control over AI crawlers" (June 25, 2026). https://www.niemanlab.org/2026/06/beehiivs-new-cloudflare-partnership-gives-indie-journalists-a-new-level-of-control-over-ai-crawlers/
- State of Surveillance: Patreon Blocks AI Training Crawlers With Cloudflare, the brief on the Crawl Control taxonomy and the beehiiv partnership. /news/patreon-cloudflare-cdn-edge-block-ai-training-crawlers-2026