On June 30, a developer reverse-engineering Claude Code’s binary found something that shouldn’t have been there: a block of obfuscated code that inspects every system prompt before it leaves the machine and silently alters two characters depending on who’s asking. The apostrophe in “Today’s date is” cycles through four distinct Unicode code points — standard ASCII apostrophe (U+0027), right single quotation mark (U+2019), modifier letter apostrophe (U+02BC), modifier letter prime (U+02B9) — encoding whether your API proxy URL matches a hardcoded list of Chinese domains, a list of AI-lab keywords, both, or neither. If your system timezone is Asia/Shanghai or Asia/Urumqi, the date separator in that same line switches from a hyphen to a slash: 2026-06-30 becomes 2026/06/30. Anthropic acknowledged the code and released a fix, version 2.1.197, the following morning. The changelog contains no mention of what was removed.
What the Marker Was Doing
The encoding is technically precise. Four discrete states, two bits of information, carried entirely in characters that look identical to human readers but are machine-parseable by any system that knows to look. U+0027 for unclassified traffic. U+2019 if your proxy hostname matches Anthropic’s domain blocklist. U+02BC if it matches the AI-lab keyword list — entries like “deepseek,” “moonshot,” “zhipu,” and “baichuan.” U+02B9 if it matches both. The lists are not stored in plaintext: they’re base64-encoded and XOR-decoded at runtime with key 91. That obfuscation detail is significant. It eliminates the possibility that this behavior was undocumented by oversight. Building a runtime decoder into production tooling means someone designed it to resist inspection.
As the technical breakdown at AIMadeTools put it: Claude Code “silently alters the system prompt using nearly invisible Unicode characters, hides its classification lists behind XOR and base64, and discloses none of it.” The marker is baked into the system prompt itself, not a separate metadata header or telemetry channel. That means it travels with the request to Anthropic’s backend, to any intermediary API router, and to any third-party service that processes the prompt downstream. Every hop in the chain receives the two-bit signal, whether or not it was intended to.

The timezone check is the coarser mechanism. Any developer whose system clock is set to Asia/Shanghai or Asia/Urumqi gets a marked request: the date in the system prompt reads as “2026/06/30” instead of “2026-06-30,” encoding the machine’s geographic locale in what looks like an ordinary date string. This applies regardless of whether the developer is running a distillation campaign or building a production application in Hangzhou. There’s no behavioral threshold, no account history review, no signal beyond geography. CyberSecurityNews confirmed the code had been present for at least three months before the finding surfaced on Hacker News with 2,200 upvotes and 637 comments.
Why Anthropic Built It
The context is real and documented. On February 24, 2026, Anthropic publicly disclosed coordinated model distillation attacks from three Chinese AI laboratories. MiniMax ran 13 million exchanges with Claude. Moonshot AI ran 3.4 million. DeepSeek ran 150,000. Across approximately 24,000 fraudulent accounts engineered to blend distillation traffic with legitimate requests, the three labs extracted Claude’s reasoning, agentic behavior, and tool-use capabilities to train their own competing models. Anthropic called the operations “hydra cluster architectures” and stated clearly: “No company can solve this alone.”
That disclosure was appropriate. What came next was not transparent about what it actually was.
Four months after the February disclosure, Anthropic told Congress that Alibaba’s Qwen lab had run a larger campaign still: 25,000 fraudulent accounts, 28.8 million exchanges over six weeks between April 22 and June 5, 2026, specifically targeting Claude’s advanced software engineering and multi-step agentic reasoning capabilities. Forbes coverage noted that the alleged theft dwarfed every prior campaign on record. The steganographic detection code was live for that entire period — every one of those 28.8 million exchanges happened while Anthropic’s fingerprinting mechanism was running.
Alibaba ran the campaign anyway. That is the only data point you need to evaluate the countermeasure’s effectiveness.

Two Ways to Fail
Security researchers who analyzed the mechanism describe it as “trivially bypassable by any moderately skilled adversary.” Changing a system timezone or using a proxy URL not present on a hardcoded list is a ten-second configuration change. The adversaries running structured, multi-month campaigns with 25,000 accounts and hydra-cluster architectures are not going to be stopped by a two-bit Unicode marker that a single developer found by reverse-engineering the binary in an afternoon. The marker is calibrated for a threat model that described 2024: a naive distillation operation using the default Claude Code configuration with no attempt to hide geographic origin and no inspection of the binary it’s running.
By the time Anthropic deployed this code, its own February disclosure had established that the actual threat had evolved. Sophisticated, obfuscated account networks that mix distillation traffic with legitimate requests are specifically designed to look like the baseline. Building a geographic and domain-based filter for a 2024 threat while documenting 2026-scale campaigns in public filings suggests either the countermeasure was not being evaluated against current adversaries, or it was known to be ineffective and kept deployed regardless.
The cost to legitimate users was not theoretical. Developers working in Chinese timezones — building production applications, running enterprise deployments, doing personal projects — had every Claude Code request marked with their geographic locale for at least three months. They did not know. Their terms of service did not mention it. Their privacy policy did not address it. Every system prompt from every Claude Code session in Asia/Shanghai or Asia/Urumqi carried a covert signal identifying the machine’s geographic locale, readable by every router in the chain.
The strongest counter-argument in the Hacker News thread is worth quoting directly. One commenter argued that “the intent of this steg is excruciatingly clear” and that it’s “unclear on how this ‘punishes normal developers’ in any shape or form.” The argument is that if you’re not routing through a Chinese AI-lab proxy and your timezone isn’t set to Asia/Shanghai, you were never marked. That’s correct as far as it goes. But it holds only if you believe Anthropic’s threat model and your threat model are identical — that every developer working in a Chinese-region timezone deserves a covert geographic signal embedded in their requests, and that being located near the distillation threat is sufficient justification for the marking. An enterprise with offices in Shanghai did not agree to that when they subscribed to Claude Code.
The technical approach also has a category problem. The research on detectability-aware anti-distillation that has emerged in 2026 — methods like TraceGuard that selectively perturb reasoning traces to poison what student models learn — addresses the actual content being extracted. Anthropic’s implementation didn’t interfere with distillation at all. It marked which traffic to look at. That’s a monitoring mechanism, not a countermeasure. And a monitoring mechanism that the target can trivially defeat is monitoring with all the privacy cost and none of the security benefit.
The Shape of the Fix
There’s a defensible version of this tool. A system that identifies suspected distillation traffic and rate-limits it, logs it, or routes it to human review — transparently disclosed in the terms of service and documented in the changelog when it changes — would have been both more honest and more effective. The disclosure would let affected developers understand what signals were being tracked. The transparency would create a deterrent effect that covert implementation cannot: if adversaries know that Chinese-region traffic is being flagged and reviewed, that changes their calculus. Hidden detection that adversaries can trivially bypass provides no deterrent.
Instead, Anthropic built a covert fingerprinting mechanism, optimized it against adversaries who would never be stopped by it, marked developers who had no connection to the threat, and removed it via a version bump with no changelog entry. The same week’s official communications positioned Anthropic as the transparency-forward lab proposing industry-wide jailbreak severity frameworks and expanded government testing protocols. The gap between that posture and a silent changelog entry is not a minor inconsistency.
The January 2026 lockdown — when Anthropic silently restricted Claude Opus access to Claude Code only, blocking users of Cursor, Windsurf, and OpenCode with no advance notice — was a different kind of change, but the same pattern: alter the product, let users discover it. The developer reaction then was significant enough that DHH called it “very customer hostile.” The steganography finding follows the same template and runs deeper: not a product restriction but an undisclosed behavior in every session for three months.
Anthropic is not a bad actor. The distillation campaigns it disclosed were real, the scale was alarming, and designing countermeasures is a legitimate response. But the specific countermeasure it chose — covert, geolocation-based, embedded in the content layer, fixed without explanation — fails the test the company markets itself on. The reason developers choose Claude Code over alternatives is not primarily benchmark performance. It’s the expectation that the tool does what it says it does, that changes are documented, that the company building it treats the developer relationship as a trust relationship rather than an information advantage. That expectation is now in question. And a silent removal with no changelog entry does not restore it — it confirms that the behavior warranted concealment twice: once when it was introduced and once when it was removed.

AI-generated editorial illustration · TemperatureZero · July 2, 2026
Keep reading the signal
Get the Daily Signal — a concise briefing on what actually matters in AI and the systems around it.
Subscribe FreeContinue the archive