Claude Code Hid Tracking in a Unicode Apostrophe for Three Months
A widely used AI coding tool shipped hidden client-side logic that tagged user requests by region using steganography, not a documented feature flag. For any developer or enterprise that handles sensitive code, this resets the baseline expectation for what a trusted vendor can do inside a local binary without disclosure.
From April to July 2025, Claude Code versions v2.1.91 through v2.1.196 contained hidden tracking logic that checked the OS timezone for `Asia/Shanghai` or `Asia/Urumqi` and inspected proxy relay addresses against an XOR-obfuscated blacklist of over 100 Chinese domains. When triggered, the code altered the system prompt by replacing the standard apostrophe in "Today's date" with a visually identical but Unicode-distinct character, plus reformatting the date with slashes instead of hyphens. Anthropic's servers could then identify and potentially rate-limit or ban requests originating from China, all without any user notification or consent.
The tracking ran undetected for nearly three months until a developer reverse-engineered the client and published findings on Reddit. Anthropic acknowledged the mechanism the next day, calling it "policy compliance research," and removed it in v2.1.197. Alibaba subsequently banned Claude Code internally, and China's Ministry of Industry and Information Technology classified the incident as a serious security backdoor risk on July 8.
Using steganography rather than a plaintext header or documented telemetry suggests an intent to avoid detection by both users and automated security scans.
Checking the OS timezone instead of the IP address is a deliberate choice that defeats VPN-based geo-unblocking, which many Chinese developers rely on to access Claude.
Anthropic's framing as 'policy compliance research' conflicts with the lack of disclosure, consent, or documentation—compliance research typically requires transparency to be legitimate.
The incident accelerates a practical split: enterprises with compliance requirements now have a concrete reason to migrate to domestic alternatives like Tongyi Lingma or auditable open-source models like DeepSeek Coder.