Anthropic Claude AI Reportedly Uses Hidden Code to Detect Chinese Users
Key Takeaways
- Anthropic’s Claude Code CLI tool allegedly contains hidden code designed to detect users in China or those routing traffic through Chinese AI lab proxies.
- The detection mechanism, present since version 2.1.91 (April 2, 2026), was not disclosed in release notes.
- Detected information is reportedly exfiltrated via steganography embedded in the system prompt, altering date formats and apostrophe characters invisibly to the user.
- The discovery has sparked significant debate within the cybersecurity community regarding user trust, covert surveillance, and the implications of undisclosed data collection.
Undisclosed Detection Logic Found in Anthropic’s Claude Code CLI, Targeting Chinese Users
A recent revelation on Reddit has ignited a significant debate surrounding developer trust and the ethical implications of covert data collection. Allegations suggest that Anthropic has integrated undisclosed detection mechanisms within its Claude Code command-line interface (CLI) tool, specifically designed to identify users located in China or those utilizing proxies associated with Chinese AI research facilities.
Reverse Engineering Uncovers Hidden Code
On June 30, 2026, a Reddit user identified as LegitMichel777 posted detailed findings on the r/ClaudeAI subreddit. The user claimed to have reverse-engineered Claude Code version 2.1.196 while attempting to restore a disabled remote control feature. During this process, obfuscated code was discovered that had been silently included in the tool since version 2.1.91, released on April 2, 2026, with no mention in any official release notes.
According to the disclosure, this hidden code executes a multi-factor check when a proxy connection is detected. It examines the system’s timezone for matches such as Asia/Shanghai or Asia/Urumqi. Concurrently, it scrutinizes the proxy URL against a hardcoded list of Chinese domains and known hostnames associated with Chinese AI laboratories.
Steganography Used for Data Exfiltration
What makes this alleged discovery particularly concerning is the method reportedly employed to transmit detection findings: steganography embedded within the system prompt. Based on three potential detection outcomes—Chinese timezone, Chinese proxy domain, or Chinese AI lab affiliation—Claude Code reportedly modifies two subtle elements within the “Today’s date is…” system prompt line:
- Date format: If a Chinese timezone is identified, the date format is altered to 2026/06/30, deviating from the standard 2026-06-30.
- Apostrophe variation: The apostrophe in “Today’s date is” is replaced with one of three technically distinct, yet visually identical, Unicode characters: U+2019 (right single quotation mark), U+02BC (modifier letter apostrophe), or U+02B9 (modifier letter prime). The specific character used depends on the combination of detected proxy domain and AI lab flags.
These alterations are imperceptible to human users and potentially even to the AI model itself, but are designed to be easily machine-parseable by Anthropic’s servers, as detailed in the Reddit disclosure.
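To check a captured prompt line for the two signals described above, the following added example (not code from Claude Code or from the Reddit post) reports the exact code point used as the apostrophe and the date separator. The article does not say which character corresponds to which flag combination, so the code reports the character without mapping it; the function names and sample lines are constructed for illustration.

```javascript
// Added example: inspect a "Today's date is ..." line for the apostrophe
// code point and the date separator. Names here are hypothetical.
const APOSTROPHES = {
  0x0027: "APOSTROPHE (plain ASCII)",
  0x2019: "RIGHT SINGLE QUOTATION MARK",
  0x02bc: "MODIFIER LETTER APOSTROPHE",
  0x02b9: "MODIFIER LETTER PRIME",
};

function inspectDateLine(line) {
  // "Today", any single code point, "s date is", then YYYY?MM?DD where the
  // separator is "-" or "/" and must be the same in both positions.
  const m = /Today(.)s date is\s+(\d{4})([-\/])(\d{2})\3(\d{2})/u.exec(line);
  if (!m) return null;
  const cp = m[1].codePointAt(0);
  return {
    apostrophe: "U+" + cp.toString(16).toUpperCase().padStart(4, "0"),
    apostropheName: APOSTROPHES[cp] || "unlisted character",
    dateSeparator: m[3],
    // Per the disclosure, slashes replace hyphens when a Chinese timezone is detected.
    slashDate: m[3] === "/",
  };
}

// Collapse many captured lines into the distinct signal combinations seen,
// so a change between environments or versions stands out.
function distinctFingerprints(lines) {
  const seen = new Set();
  for (const line of lines) {
    const r = inspectDateLine(line);
    if (r) seen.add(`${r.apostrophe} ${r.dateSeparator}`);
  }
  return [...seen].sort();
}

// Constructed sample lines (escapes make the otherwise invisible difference explicit).
const SAMPLE_LINES = [
  "Today\u2019s date is 2026-06-30",
  "Today\u02BCs date is 2026/06/30",
  "Today\u02B9s date is 2026-06-30",
  "unrelated prompt text",
];

for (const l of SAMPLE_LINES) console.log(JSON.stringify(inspectDateLine(l)));
```

Run it over lines taken from your own logged requests; rendering the line in a terminal or editor will not show the difference, only the code point does.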
Obfuscation and Community Reaction
The researcher further alleges that Anthropic actively attempted to conceal this logic. Portions of the detection code were reportedly XOR-obfuscated using the key 91, a technique commonly employed to prevent easy string extraction during binary analysis. In version 2.1.196, the relevant minified functions are said to include Crt(), Rrt(e), e0t(), Zup(), edp, and Vla. These functions can reportedly be identified by instructing Claude Code or Codex to self-reverse-engineer its own logic.
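Why this kind of obfuscation only defeats a plain `strings` scan, as an added example (not code from Claude Code or from the Reddit post): it assumes "key 91" means every byte is XORed with decimal 91, and the buffer is constructed from the two timezone names the article mentions.

```javascript
// Added example. Assumption: "key 91" = each byte XORed with decimal 91.
const KEY = 91;

// XOR every byte with `key`, then collect runs of printable ASCII of at
// least `minLen` characters (a `strings`-style scan over the decoded bytes).
function xorStrings(buf, key, minLen = 6) {
  const found = [];
  let run = "";
  for (const byte of buf) {
    const c = byte ^ key;
    if (c >= 0x20 && c <= 0x7e) {
      run += String.fromCharCode(c);
    } else {
      if (run.length >= minLen) found.push(run);
      run = "";
    }
  }
  if (run.length >= minLen) found.push(run); // flush a run ending at EOF
  return found;
}

// Constructed sample: two encoded strings separated by bytes that decode
// to non-printable values, standing in for surrounding binary data.
function buildSample() {
  const enc = (s) => [...Buffer.from(s, "ascii")].map((b) => b ^ KEY);
  const pad = [0x00 ^ KEY, 0x01 ^ KEY];
  return Buffer.from([
    ...pad, ...enc("Asia/Shanghai"),
    ...pad, ...enc("Asia/Urumqi"),
    ...pad,
  ]);
}

const sample = buildSample();
console.log("raw scan:    ", xorStrings(sample, 0));   // key 0 = no decoding
console.log("decoded scan:", xorStrings(sample, KEY));
```

The raw scan shows only meaningless printable fragments, while the decoded scan recovers both strings.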
The cybersecurity community has responded strongly to these allegations. Critics argue that, irrespective of the intended purpose—such as preventing unauthorized resale of the Claude API or model distillation by Chinese labs—the covert collection of system and proxy metadata without explicit user consent constitutes a fundamental breach of trust. Developers who grant Claude Code extensive filesystem and shell access, necessary for its operation, are particularly vulnerable; the researcher noted that such access theoretically enables remote code execution.
Concerns are also being raised about the effectiveness of such measures, which are considered trivially bypassable by moderately skilled adversaries. This raises questions about whether the privacy implications for legitimate users justify any actual security benefits. As of the time of publication, Anthropic has not released a public statement regarding the Reddit disclosure.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


