On June 30, 2026, a security researcher publishing under the handle "Thereallo" posted reverse-engineering findings showing that Anthropic's Claude Code CLI tool had been silently embedding hidden signals into its AI system prompts for at least three months — covertly identifying users whose requests were routed through Chinese-linked API proxies and rival AI lab infrastructure.
The technique used is steganography: hiding information inside content that appears normal to human readers. The mechanism had been active in Claude Code since at least version 2.1.91, released on April 2, 2026.
Key Highlights
- Claude Code embedded steganographic markers in AI system prompts for approximately three months starting March 2026
- Two mechanisms: Unicode apostrophe rotation and date separator flipping, triggered by timezone and proxy hostname
- Domain lists targeting Chinese AI labs were obfuscated with XOR encryption and base64 encoding
- Anthropic confirmed the code, calling it "an experiment to prevent account abuse and protect against distillation"
- Removed in Claude Code v2.1.197 on July 2, 2026 — with no mention in the official changelog
- Background: part of a broader escalation following 29 million illicit exchanges allegedly conducted by Alibaba-affiliated entities
How the Hidden Code Worked
The detection system operated through two parallel encoding channels built into Claude Code's system prompt generation.
Date formatting as a signal: The standard date separator in the system timestamp flipped from a dash ("2026-06-30") to a slash ("2026/06/30") when the user's operating system timezone was set to Asia/Shanghai or Asia/Urumqi.
Unicode apostrophe substitution: The apostrophe character in the phrase "Today's" rotated between four visually identical Unicode variants — the standard ASCII apostrophe (U+0027), right single quotation mark (U+2019), modifier letter apostrophe (U+02BC), and modifier letter prime (U+02B9) — encoding whether the proxy hostname matched a known domain list, a Chinese AI-lab keyword list, both, or neither.
The domain classification lists themselves were hidden inside the Claude Code binary using XOR encryption followed by base64 encoding, targeting hostnames linked to Chinese AI labs, rival AI companies, unauthorized API resellers, and commercial gateway providers.
Anthropic's Response
Thariq Shihipar, an engineer on the Claude Code team, acknowledged the code publicly after the discovery surfaced on Reddit and GitHub. "This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation," he wrote.
Anthropic stated it had developed "stronger mitigations" since March and moved quickly to remove the steganographic mechanism. Claude Code version 2.1.197 was published early on July 2, 2026. The official changelog contained no mention of the removal. The company also declined to confirm whether the tracking behavior had ever been disclosed in its terms of service or privacy policy.
Why the Mechanism Fails Its Own Goal
Security researchers pointed out a fundamental problem: any sophisticated adversary can bypass the detection trivially — by changing the proxy hostname, adjusting the system timezone, patching the binary, or wrapping the process in a clean environment.
The population reliably caught by this system is not Chinese AI labs conducting large-scale distillation. It is legitimate developers using corporate API gateways, local model routers, third-party cost-management proxies, or research infrastructure — many of whom are not based in China at all. The covert nature of the code meant these developers had no way to know they were being flagged, and no recourse.
Background: The Distillation War
The steganographic code existed within a broader and intensifying conflict between Anthropic and Chinese AI companies over unauthorized model distillation — the practice of using a frontier model's outputs to train a competing model.
In research published in early 2026, Anthropic revealed that DeepSeek, Moonshot AI (the company behind Kimi K2), and MiniMax had conducted large-scale extraction campaigns against Claude:
- DeepSeek: more than 150,000 exchanges targeting reasoning capabilities and reward model grading
- Moonshot AI: more than 3.4 million exchanges focusing on agentic reasoning, tool use, coding, and computer vision
- MiniMax: more than 13 million exchanges concentrated on agentic coding and tool orchestration
Total: more than 16 million illicit exchanges across approximately 24,000 fraudulent accounts.
On June 10, 2026, Anthropic escalated further, accusing Alibaba-affiliated entities of a still larger campaign: 29 million exchanges through 25,000 fraudulent accounts between April and June 2026. In November 2025, Anthropic had already disclosed that Chinese state-sponsored actors misused Claude Code for cyber espionage targeting approximately 30 entities globally.
What's Next
The removal of the steganographic code closes one chapter, but the underlying tension remains. Anthropic says it is developing product- and model-level safeguards that reduce output quality for distillation use cases, sharing technical indicators with peer laboratories and cloud providers, and tightening account verification for research and educational access.
The company acknowledges that "no company can solve this alone" and calls for a coordinated industry-wide response.
For developers in MENA and globally, the incident carries a practical lesson: closed-source AI tooling distributed as compiled binaries can embed covert classification logic without changelog disclosure. Any routing through corporate API proxies, regional gateways, or cost-optimization layers may have resulted in silent flagging — a reminder that developer trust must be earned through transparency, not assumed.
Source: The Register