Anthropic Hid a Steganographic Tracker in Claude Code for Three Months
Anthropic embedded steganographic tracking logic inside Claude Code that silently altered system prompts to flag users in Chinese time zones or routing through Chinese AI labs. It ran undisclosed for roughly three months before a developer reverse-engineered it.

A closed-source AI tool with root-level access to your machine was silently encoding hidden signals about you. The company called it an experiment.
Key takeaways
- Anthropic shipped steganographic tracking code in Claude Code v2.1.91 (released April 2, 2026) that silently mutated system prompts with invisible Unicode characters to flag users in Chinese time zones or routing through Chinese AI labs, with no changelog entry or user disclosure for roughly three months.
- Reddit user LegitMichel777 and developer Thereallo independently exposed the mechanism on June 30, 2026; Anthropic engineer Thariq Shihipar confirmed it on X that week and the fix shipped July 1.
- Alibaba subsequently banned Claude Code for all employees, citing "back-door risks," effective around July 10.
Anthropic embedded hidden detection logic inside Claude Code that silently altered the system prompt sent with every AI request, encoding invisible signals about a user's environment without disclosure. The code ran undisclosed from approximately April 2 through July 1, 2026, roughly three months, before a developer stumbled on it while reverse-engineering the binary.
The discovery matters beyond the geopolitical backstory. Claude Code has shell, filesystem, and repository access on developer machines. The fact that a closed-source binary with that level of trust was silently encoding hidden side-channel signals is the finding. The target being Chinese users is incidental to the architectural principle.
How the Hidden Signal Worked
Reddit user LegitMichel777 first spotted the code while trying to restore a disabled feature in Claude Code. Developer Thereallo independently confirmed the finding and published a technical breakdown the same day, June 30.
The logic only activated when ANTHROPIC_BASE_URL was set to a non-Anthropic endpoint, meaning users routing traffic through internal proxies or third-party gateways. From there, it ran two checks: whether the machine's time zone was Asia/Shanghai or Asia/Urumqi, and whether the custom endpoint matched a hardcoded keyword list including DeepSeek, Moonshot, Zhipu, MiniMax, Baichuan, StepFun, and 01ai. That list was obfuscated inside the binary using XOR encryption (key: 91) combined with base64 encoding so a simple string search wouldn't surface it.
When either check returned positive, the code mutated the date format in the phrase "Today's date is..." from dashes to slashes, and swapped the apostrophe for one of three visually identical Unicode characters, each encoding a different combination of signals. Identical on screen. Machine-parseable by Anthropic's servers.
Thereallo described it as "prompt steganography" and wrote in the blog post: "CC silently alters the system prompt using invisible-ish Unicode markers. It encodes proxy / gateway classification into a sentence that looks like plain English. It hides the domain list behind XOR and base64."
Anthropic engineer Thariq Shihipar confirmed the feature on X shortly after:
The removal shipped in the July 1 release. Thereallo noted it plainly: "This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust."
The Architecture of the Problem
The business justification Anthropic offered is real context. The company has documented large-scale distillation campaigns by Chinese AI labs querying its models through proxies and fraudulent accounts. Unauthorized resellers have sold Claude subscriptions at steep discounts. These are genuine problems for a frontier lab trying to protect its model.
None of that changes the core finding: Anthropic made a deliberate choice to implement covert surveillance rather than disclose what it was doing. The obfuscation (XOR encryption, base64, Unicode steganography) was not accidental complexity. It was designed to avoid detection.
Thereallo's observation lands cleanest here: the weird part is not that Anthropic wanted to detect abuse. The weird part is the method for a tool that asks for the level of trust Claude Code requires.
The Bitcoin parallel is direct. Custodial wallets require users to trust the custodian not to misrepresent what's happening with their funds. Running a closed-source AI coding agent with filesystem and shell access requires the same trust in the vendor's binary. One group learned that lesson through catastrophic loss. The other group learned it through a Unicode apostrophe swap, which is a cheaper lesson. The principle that makes open-source AI the only auditable option for anyone with real security requirements is the same principle that makes self-custody non-negotiable: if you can't verify the behavior yourself, you're trusting someone else's version of reality.
The capability that enabled this specific tracking does not disappear because Anthropic removed one instance of it. That is the falsifiable thesis here. It would weaken if Anthropic releases a postmortem showing the behavior was explicitly covered in its privacy policy in language that constitutes informed consent, and showing the removal was internally scheduled and documented before public exposure rather than triggered by it. Neither of those things exists as of publication.
What Comes Next
Alibaba banned Claude Code for employees effective around July 10, per an internal notice reported by the South China Morning Post, citing "back-door risks." The ban is the most concrete downstream consequence so far and signals that enterprise trust, particularly in security-sensitive environments, is now a live question for Anthropic's developer tools business.
The accelerant is the broader pattern: any developer or enterprise running a closed-source AI tool with deep local access is now on notice that "safety-first" branding does not guarantee transparent behavior. The pressure toward open-weight, locally-run models (Llama, Mistral, and others) for anyone with genuine security requirements just got a concrete data point behind it.
Sources
- Thereallo technical breakdown
- The Next Web, Alibaba ban reporting
- South China Morning Post, Alibaba internal notice
- Thariq Shihipar, Anthropic engineer, posting on X
- First reported by Ars Technica
Frequently Asked Questions
No. The steganographic logic only activated when the ANTHROPIC_BASE_URL environment variable was set to a non-Anthropic endpoint. Users routing traffic through api.anthropic.com directly were not affected.
Prompt steganography hides machine-readable signals inside text that looks normal to humans. In this case, swapping Unicode apostrophe variants and date separators in a line of background instructions the tool sends automatically with every AI request. The user never sees it. The AI model likely never registers it. Anthropic's servers read it instantly. In a tool with shell and filesystem access, it demonstrates a functioning covert channel between the client binary and vendor servers that users cannot detect through normal inspection.


