The astonishing truth about Claude has been exposed by a professor: its thinking process is encrypted and inaccessible even if you pay.
Initially, when Anthropic launched extended thinking, they presented it as a transparency benchmark that allows users to "see the thinking process". However, the truth is that what you see is only what they allow you to see. What lies within the encrypted, compressed, and globally key - locked content?
At the beginning of the year, Anthropic quietly changed the default settings of Claude Code, including adaptive thinking, redact - thinking, and a downgrade of the default effort.
This led to an approximately 67% decrease in the depth of thinking. The most direct feeling for Claude Code users is that the AI seems less intelligent.
Anthropic remained silent about this until someone proved the situation and then started to come up with excuses.
A few weeks later, Anthropic finally explained the reason.
Recently, when checking the local session logs of Claude Code, developer Patrick McCanna discovered a key anomaly: the content of the "Extended Thinking" block in the model was empty, leaving only an encrypted signature of about 600 characters.
At this moment, the "thought process" of the AI has closed its door to humans.
So, he carefully read the Claude documentation, but Anthropic's wording was incredibly vague!
If you don't have a couple of cups of coffee to stay awake, you're likely to miss this crucial truth:
The so - called return of "extended thinking" is actually Claude secretly compressing the complete thinking process into a summary version.
In short, Anthropic has directly hidden the most core question of "what exactly is Claude thinking".
In essence, "abstracting the thinking" is a cognitive dimensionality reduction attack.
This is a long - planned technological concealment, and also a "silent deprivation" of users' right to know by AI giant Anthropic on the path to Artificial Superintelligence (ASI).
The "blank book" in the logs
The castrated thinking chain
Imagine that you hire a top - notch architect to design a building for you. You ask to see his design sketches, but he only gives you a beautiful 3D rendering and locks all the structural calculation books in a safe that only he can open.
This is the truth that Patrick McCanna uncovered:
You think you're seeing the "thinking hard" process of Claude 4 on the interface, but in fact, it's just a carefully prepared "reading comprehension summary" after the model has completed its reasoning.
The real Chain of Thought (CoT) has long been heavily encrypted.
How is this actually done?
The so - called "thinking" or "reasoning" is sent to the client in JSON format.
Each segment contains a chunk of Base64 - encoded content.
There are slight differences in the content of these data blocks among different manufacturers, but the core part of each block is a certified ciphertext.
You don't have to be Sherlock Holmes to notice this.
First, it gets longer or shorter depending on how "deeply" the model is thinking. Second, if you tamper with any seemingly ciphertext data and send it back, it will trigger an identifiable API error.
Here's what OpenAI's reasoning block looks like:
Here's Anthropic's incredibly complex corresponding implementation:
Although it's called a "signature", there doesn't seem to be a real cryptographic signature here.
OpenAI makes it clear: this pile of data contains an "opaque reasoning process", and you shouldn't look at it. All you need to do is send it back to the server intact in the next round of conversation.
The key is in Anthropic's hands, and you're only allowed to see what they want you to see.
A cryptography professor conducts a reverse analysis
In May, someone got really interested in this signature.
Matt Green, a cryptography professor at Johns Hopkins University, spent a weekend wrestling with these "encrypted reasoning blocks".
But first, let's pour some cold water on it. He repeatedly emphasized that this was just a weekend hobby project with little to do with real cryptography. "It's basically a disappointing experiment," and don't expect to get a large - scale bug bounty from it.
But he did find two interesting points.
One is that these encrypted reasoning blocks can be replayed.
The same encrypted thinking can be put back into a different session or even a different account, and the model will accept it without error.
From this, he inferred that both OpenAI and Anthropic are likely using a global key to encrypt everyone's reasoning data.
Both are suspect, not just Anthropic. Cross - model replay is actually smoother on OpenAI's side, while Claude is more picky.
The other is that the length of the reasoning block can tell a story.
He designed an experiment: let the model perform calculations of different difficulty levels based on a secret bit in the hidden thinking, and then restore this bit one by one based on the length of the thinking block.
This is the so - called side - channel.
Sounds impressive? Hold on.
Green made it clear: what he could uncover were the test data he set up and the existing application - layer key.
He failed to uncover the "secrets in the model's system prompt" that he really wanted, because in API mode, the model doesn't have that system prompt to extract. He only dared to mark it as a "maybe".
More importantly, he reported both findings to Anthropic's bug bounty program.
Anthropic's response was that they didn't see any security impact from replay and side - channel attacks, but they could consider updating the developer documentation to remind users. Green thought this was a reasonable handling.
The transparency paradox of the "most transparent" company
The most eye - catching thing about this incident is not the technical vulnerability itself.
What has been Anthropic's brand narrative? "Responsible AI", "Safety first", and "The most transparent in the industry".
They specifically launched the extended thinking function to allow users to "see" the model's reasoning process, which was promoted as a benchmark for transparency.
The current fact is that the thinking block you see is not the real thinking chain, but a summary.
The real reasoning is encrypted, and the key is in Anthropic's hands. Moreover, this encryption scheme has exploitable security flaws.
A company that claims to be transparent has chosen encryption in the area where transparency is most needed, and the encryption scheme itself is not secure enough.
This is a structural trust issue.
If users can't even see what the model is thinking, on what basis can we talk about "interpretability" and "auditability"?
If the encryption scheme has a global key and side - channel vulnerabilities, does this mechanism protect the users' security or Anthropic's own secrets?
Green directly wrote in his analysis report that the primary purpose of this design doesn't seem to be to protect users, but to prevent users from seeing what Anthropic doesn't want them to see.
The trust foundation in the ASI finals is shaking
Let's view this incident in a broader context.
Claude and GPT are accelerating in the final straight of the ASI finals.
As the model's capabilities become stronger and its deployment scope becomes wider, the question of "what exactly is this AI thinking" is changing from an academic topic to a fundamental issue for business infrastructure.
Companies write their core business logic into the system prompt and then let the model execute it.
If the model's reasoning process is not auditable and the encryption scheme has vulnerabilities, there will be an unnoticed crack in the entire trust chain.
McCanna's discovery is like a needle, and Green's reverse analysis is like a scalpel.
What they cut open is not just a piece of code, but the increasingly blurred boundary between "transparency" and "control" in the AI industry.
When you think you're seeing the AI think, you're only seeing what it allows you to see.
What's hidden in the parts you can't see? The answer to this question is still locked in Anthropic's global key.
Reference materials:
https://patrickmccanna.net/the-text-in-claude-codes-extended-thinking-output-is-not-authentic/
https://blog.cryptographyengineering.com/2026/05/29/fooling-around-with-encrypted-reasoning-blobs/
This article is from the WeChat official account "New Intelligence Yuan". Author: ASI Revelation. Editor: David. Republished by 36Kr with authorization.