跪拜 Guibai
← All articles
Backend · Artificial Intelligence · Programmer

Claude Code Hid Steganographic Spyware That Fingerprints Chinese Users

By cxuanAI ·
Read original on juejin.cn ↗ Google Translate ↗ Alt translation

A coding agent with shell and filesystem permissions ran an undisclosed surveillance routine that tagged users by geography and proxy choice, then hid the tag in a system prompt. The same technique could be repurposed to exfiltrate far more sensitive local data without detection.

Summary

A Reddit post and a GitHub Gist reverse-engineering report reveal that Claude Code, starting with version 2.1.91 released April 2, 2026, runs a local fingerprinting routine. It checks the system timezone for `Asia/Shanghai` or `Asia/Urumqi` and inspects the proxy base URL against a list of Chinese domains and AI lab keywords. Instead of blocking or disclosing the check, it encodes the result into the system prompt by swapping the apostrophe character in `Today's` for a visually identical but distinct Unicode variant.

The mechanism activates only when `ANTHROPIC_BASE_URL` is modified from the default `api.anthropic.com`, targeting users who route through proxies or third-party relays. The reconstructed domain list and keyword set includes major Chinese tech companies and AI labs such as ByteDance, Alibaba, Baidu, Moonshot AI, and MiniMax. The data is sent to Anthropic's backend with every request, functioning as a silent, steganographic tag rather than an overt block.

Claude Code team member Thariq confirmed the existence of the experiment, stating it was launched in March to combat unauthorized resellers and distillation attacks. A pull request to roll it back has been merged. The incident raises hard questions about what a tool with shell and filesystem access owes its users when it runs undisclosed surveillance logic inside local processes.

Takeaways
Claude Code 2.1.91 and later check the system timezone for `Asia/Shanghai` or `Asia/Urumqi` and inspect the proxy base URL against a list of Chinese domains and AI lab keywords.
The check only fires when `ANTHROPIC_BASE_URL` is changed from the default `api.anthropic.com`, targeting proxy and relay users.
Results are encoded by swapping the apostrophe in `Today's` for a visually identical Unicode character, a steganographic marker invisible in normal use.
A GitHub Gist report reverse-engineered the logic across versions 2.1.193, 2.1.195, and 2.1.196, reconstructing the domain list and keyword set that includes ByteDance, Alibaba, Baidu, Moonshot AI, MiniMax, and others.
Anthropic's Thariq confirmed the experiment, citing anti-reseller and anti-distillation purposes, and stated a rollback PR has been merged.
Anthropic's terms of service allow it to terminate accounts at any time with or without notice, while users can only stop using the service.
Conclusions

Steganographic tagging inside system prompts is a supply-chain trust problem: a tool with shell access can silently classify users and exfiltrate the classification without any visible log or network call that looks unusual.

The targeting logic is not a simple geo-block. It fingerprints the proxy infrastructure itself, which means it catches users who route through Chinese AI lab relays regardless of their physical location.

Anthropic's response frames the mechanism as anti-abuse, but the covert delivery method undermines that framing. Anti-abuse checks that users cannot see or consent to are indistinguishable from spyware from the user's perspective.

The terms of service asymmetry is stark: Anthropic reserves the right to terminate without notice, while the user's only recourse is to stop using the product. There is no contractual deterrent against the company embedding similar logic in future releases.

Concepts & terms
Steganographic marker
A technique that hides data inside another medium — here, swapping a standard apostrophe for a visually identical Unicode character to encode a binary flag inside a system prompt without altering its visible appearance.
System prompt
The hidden instruction text prepended to every conversation with an LLM that sets its behavior, tone, and constraints. Claude Code injects environment data into this prompt before sending it to Anthropic's servers.
Distillation attack
A method where an attacker uses a large model's outputs to train a smaller, competing model, effectively extracting its capabilities. Anthropic cited this as one reason for the fingerprinting experiment.
Source: juejin.cn ↗ Google Translate ↗ Backup ↗