Claude Code Hid Tracking in a Unicode Apostrophe for Three Months
Yesterday (July 8), the Ministry of Industry and Information Technology officially classified the Claude Code steganographic tracking incident as 'seriously harmful.' If you are using or have used Claude Code, this article is worth five minutes of your time—what exactly was done, how to check yourself, and what tools you should switch to now.
The Full Picture: From April to July
Let's first lay out the timeline:
| Date | Event |
|---|---|
| April 2 | Anthropic implanted tracking code in Claude Code v2.1.91 |
| April – June 30 | The tracking code ran silently for nearly 3 months, undetected |
| June 30 | Developer AdnaneKhan publicly disclosed it after a reverse-engineering review; the Reddit post got millions of views |
| July 1 | Anthropic publicly admitted it, calling it 'policy compliance research' |
| July 2 | Version v2.1.197 removed the tracking code |
| July 3 | Alibaba internally banned Claude Code, recommending migration to Tongyi Lingma |
| July 8 | MIIT's NVDB classified it as 'posing a security backdoor risk, seriously harmful' |
An AI programming tool, without the user's knowledge, implanted tracking markers for users in specific regions—this is not a sci-fi movie; it really happened for three months.
Sources: Reported by Guancha.cn, Sina Finance, The Next Web, Yahoo Tech, CybersecurityNews, and Hacker News. The MIIT risk alert was released today (7/8).
Technical Breakdown: How Exactly It Tracked You
The core goal of the tracking mechanism: Quietly mark the system prompts you send to the Anthropic API so that Anthropic's servers know 'this request comes from a Chinese user.'
No pop-ups, no prompts, and absolutely no mention in the update logs or documentation.
Step 1: Determine if you are a Chinese user
Claude Code reads the operating system's timezone setting. If it detects Asia/Shanghai or Asia/Urumqi, it triggers the marking logic.
Key point: This checks the OS timezone, not the IP address—a VPN cannot change the timezone setting.
Step 2: Check the proxy relay address
Many Chinese developers use relay stations (proxies) to access Claude Code, changing ANTHROPIC_BASE_URL to a relay address.
Claude Code has a built-in blacklist of over 100 domain names, stored with XOR obfuscation encryption (to prevent discovery via simple string search). The list includes major domestic code hosting, cloud service, and package mirror domains. When the relay address you set hits the blacklist, the tracking module activates.
Step 3: Steganography—Marking the System Prompt
Every time Claude Code makes a request, it sends a system prompt starting with "Today's date is 2026-07-08". The tracking module does two things:
- Date format alteration: Changes
2026-07-08(hyphens) to2026/07/08(slashes) - Apostrophe replacement: Replaces the standard apostrophe in
Today's(', U+0027) with a visually identical but Unicode-different character
According to CybersecurityNews, there are three visually identical but technically distinct Unicode variants for the replacement character. The naked eye cannot see any difference, but Anthropic's servers can determine: this request comes from a Chinese user or a Chinese relay station.
This is what is known as steganography—hiding information inside seemingly normal content.
What does this mean?
- Anthropic can accurately identify on the server side which requests come from China
- It can execute regional strategies like rate limiting or account bans based on this
- The entire process is completely imperceptible to the user, with no consent option whatsoever
Self-Check: Were You Tracked?
Step 1: Check your version
claude --version
Affected versions: v2.1.91 to v2.1.196. v2.1.197 and above have removed the tracking code.
If you used a version of Claude Code within this range between April 2 and July 2, your requests were very likely marked.
Step 2: Check your relay address
If you configured ANTHROPIC_BASE_URL to point to a domestic relay station, the tracking was most likely triggered.
echo $ANTHROPIC_BASE_URL
Step 3: Use community tools for detection/removal
An open-source project called clawgod already exists on GitHub, specifically designed to detect and neutralize the tracking code in Claude Code, including the XOR-obfuscated domain blacklist and the Unicode apostrophe replacement logic.
What to Use Now: A Quick Reference for Alternatives
| Tool | Type | Strengths | Weaknesses | Best For |
|---|---|---|---|---|
| Cursor | IDE | Experience closest to Claude Code, low migration cost | Paid, not open source | Individual developers accustomed to AI assistance |
| Tongyi Lingma | IDE Plugin | Alibaba ecosystem, guaranteed data compliance | Model capability weaker than Claude | Enterprise users, compliance-first teams |
| DeepSeek Coder | Multi-form | Open source and auditable, V4 performance close to Claude | Requires self-deployment or API calls | Technically strong teams |
| TRAE | IDE | ByteDance ecosystem, good Chinese support | Ecosystem still in early stages | Teams already within the ByteDance ecosystem |
| Codex CLI | Terminal | OpenAI product, experience similar to Claude Code | Depends on GPT-4, relatively slow response | Heavy terminal users |
Migration advice: Individual developers should choose Cursor for the least friction; enterprise environments should choose Tongyi Lingma, where the compliance advantage is non-negligible; for those wanting full control, the DeepSeek open-source solution is worth serious evaluation.
Final Words
This incident is a wake-up call for everyone: The tools you use might be doing things you don't know about, in places you can't see.
Claude Code's capabilities are indeed strong, and using it feels great. But no matter how good a tool is, if it secretly marks your requests—that foundation of trust is gone.
Anthropic claims this was 'policy compliance research,' but compliance research does not require steganographic tracking without the user's knowledge. This is not a technical issue; it is an issue of attitude.
In an era where you can't even trust an apostrophe, the only thing a developer can trust is auditable code.
What version of Claude Code are you on? Did you configure a relay address? Drop a comment below 👇