Claude Code Hid Steganographic Spyware That Fingerprints Chinese Users
I've noticed that Company A can't seem to go a day without stirring up some drama.
Yesterday, I just finished writing about Company A's mass account bans, and today, something even more explosive came up. Someone on Reddit revealed that Claude Code locally and secretly checks your proxy, timezone, and whether your proxy is related to a Chinese AI Lab, then hides the result inside the system prompt.
This is no longer just a simple account ban issue; this is a complete violation of user privacy.
If it dares to do this now, the next step could be using its file system and shell permissions to directly steal everyone's user data.
The story originates from a Reddit post. Let me show you a screenshot.
The title is Anthropic embedded spyware in Claude Code.

The core claim of the post is:
Starting from Claude Code version 2.1.91, which was released on April 2, 2026, if you use a proxy, Claude Code checks two things.
First, whether your system timezone is Asia/Shanghai or Asia/Urumqi.
Second, whether your proxy URL is a Chinese domain, matches a specific domain list, or contains prominent features of a Chinese AI Lab.
And here's the key point.
It didn't choose to disclose this information but instead hid the result inside the system prompt.
For example, normally it might be:
Today's date is 2026-06-30
If it hits a Chinese timezone, the date format changes to:
2026/06/30
A more subtle marker is hidden in the apostrophe character in Today's. To the naked eye, it looks almost the same, but the Unicode character is different.

This is what people are calling poisoning.
Strictly speaking, it's more like a steganographic marker.
Using a character that an ordinary user would hardly notice, it stuffs the information about the request's origin environment into the system prompt, which is then sent to the backend along with the request.
Up to this point, it's just the Reddit leak.
What's even more explosive is the independent verification report by AdnaneKhan on GitHub Gist that followed.
It's not an official Anthropic report, nor an official GitHub conclusion, just a third-party reverse-engineering verification material.
It reverse-engineered the version numbers, function names, environment variables, and character mappings, making it clear to everyone what happened.

Image source: Screenshot of code excerpts from the GitHub Gist technical report by TechStartups.
The author checked Claude Code versions 2.1.193, 2.1.195, and 2.1.196, and the conclusion holds.
The logic it reconstructed goes roughly like this:
Claude Code first reads ANTHROPIC_BASE_URL.
If you are using the official default service api.anthropic.com, it skips the check.
But if you changed the base URL, meaning you are accessing the API through some kind of proxy or relay service, it extracts the host of this base URL and then checks the system timezone.
For the timezone, the report points to Asia/Shanghai and Asia/Urumqi.
For the host, the report divides the judgment into two categories: one is a known domain list, and the other is AI Lab keywords.
The domain list in the image below proves that the report reconstructed a batch of matched hosts.

Image source: Screenshot of the host/domain list reconstructed by the GitHub Gist technical report.
The report also mentions another category of AI Lab keywords, including Meituan, NetEase, Baidu, Ctrip, Xiaohongshu, Alibaba, Ant Group, ByteDance, JD.com, Bilibili, Moonshot AI, MiniMax, Stepfun, and more.
Finally, depending on the hit status, it selects a different apostrophe character.
The most disgusting part of this mechanism is that it doesn't block you. It's like a social engineering expert silently watching what you're doing from a corner, then taking action at the right time. Every time you sense something is wrong, your information has already been completely stripped bare.
This is truly terrifying.
Later, Thariq from the Claude Code team came out to respond.

He said: This was an experiment launched in March to prevent unauthorized resellers from abusing accounts and to guard against distillation attacks.
The team has since implemented stronger mitigation measures and was already planning to withdraw this experiment.
He also said the PR has been merged and a full rollback is expected in a subsequent version.
This response confirms three things: the Claude Code team admits the existence of a related experiment, the officially stated purposes include anti-reselling and anti-distillation, and the team was already preparing to remove it.
(I feel this statement is completely Thariq being forced to respond under pressure, playing the role of scapegoat for Claude Code.)

When a developer gives a tool shell permissions and project file access, this kind of behavior should not be opaque. You can anti-distill, you can state it in the user agreement, but you cannot leave a backdoor.
Developers trust you, giving you shell permissions and file system access, not for you to pull these little tricks.
This reminds me of Claude Code's statement during the account bans, saying everyone violated its user agreement, so they banned everyone's accounts.

So now, what should happen when it violates its own agreement as a vendor?
I flipped through Company A's terms of service and found that the platform has reserved enormous operational leeway for itself. The terms clearly state:
"Unless otherwise specifically agreed with you, we may terminate these Terms at any time by notifying you, and these Terms will automatically terminate without further notice if you violate any provision of these Terms."
This means Company A has immense freedom in terminating services; it can terminate at any time, and even send a fatal notice without any warning when a user violates the terms.
As for what users can do, the terms only give one option: "You may terminate these Terms at any time for any reason simply by ceasing to access and use the Services."
Full of irony.
Sources:
- Reddit: https://www.reddit.com/r/ClaudeAI/comments/1ujila1/anthropic_embedded_spyware_in_claude_code_and/
- GitHub Gist Verification Report: https://gist.github.com/AdnaneKhan/0a0edb5620d5214282ef4027caad8950
- TechStartups coverage and code excerpts of the GitHub report: https://techstartups.com/2026/06/30/anthropics-claude-code-accused-of-hiding-proxy-fingerprints-inside-system-prompts-to-identify-china-linked-users/
- GitHub Issue: https://github.com/anthropics/claude-code/issues/72518
- Claude Code changelog: https://code.claude.com/docs/en/changelog
- Thariq X Response: https://x.com/trq212/status/2072079729331777817
- Anthropic Anti-Distillation Article: https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks
- Anthropic Regional Restrictions Explanation: https://www.anthropic.com/news/updating-restrictions-of-sales-to-unsupported-regions
- WSJ report on Alibaba distillation allegations: https://www.wsj.com/tech/ai/anthropic-claims-alibaba-ran-brazen-campaign-to-access-its-claude-ai-model-69d7a392