Anthropic's Claude Code Embedded Spyware to Steganographically Tag and Ban Chinese Users, Lead Responds
English summary
A Reddit reverse-engineering analysis revealed that Anthropic’s Claude Code (from version 2.1.91, April 2, 2026) contained hidden surveillance logic that identified Chinese users by checking the system timezone (Shanghai–Urumqi range) and proxy domain names. It then used steganographic techniques: changing the date format in system prompts from hyphens to slashes and replacing apostrophes with visually similar Unicode characters (U+2019, U+02BC, U+02B9) to tag user tiers, silently transmitting identity data to Anthropic. The detection code was heavily obfuscated with XOR encryption and short, meaningless function names, and was triggered only when a proxy was active. Claude Code lead Thariq stated that the mechanism was an experiment started in March to prevent unauthorized account resale and model distillation, and that removal code has been merged, with the feature expected to be rolled back in the next release. The revelation caused widespread user outrage and a sharp erosion of trust in the widely used AI programming tool.
Key points
From version 2.1.91 (April 2, 2026), Claude Code included hidden checks: system timezone for China Standard Time and proxy domain matching against Chinese AI labs and domain blacklists.
Steganographic marking changed system prompt date format from dashes to slashes and used special apostrophe characters (U+2019, U+02BC, U+02B9) to tag user tiers, transmitting identity data without consent.
The detection code was obfuscated with XOR encryption and meaningless short function names, and it ran only when a network proxy was active.
Claude Code lead Thariq claimed it was an experiment to prevent unauthorized account resale and model distillation, and that removal code has been merged, with a rollback expected in the next build.
The disclosure sparked widespread user outrage and severely damaged trust in AI development tools that have full local file system access.
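A defender-side check for the markers described above, as an added example that is not taken from the Reddit analysis or from Claude Code: it reports the three listed apostrophe code points and the date separator in a captured prompt, and tests whether two captures of the same prompt differ only in those characters. The sample prompts and all function names are constructed for illustration.

```python
import re
import unicodedata

# Apostrophe look-alikes named on this page; ASCII U+0027 is the plain form.
# U+2019 is also common in ordinary typography, so a hit is a reason to
# compare against a baseline capture, not proof of tagging by itself.
LOOKALIKES = {"\u2019", "\u02bc", "\u02b9"}
# ISO-style date with either separator, e.g. 2026-04-02 or 2026/04/02.
DATE_RE = re.compile(r"\b\d{4}([/-])\d{2}\1\d{2}\b")

# Constructed sample captures (not real Claude Code prompts).
BASELINE = "Today's date is 2026-04-02. Don't reveal secrets."
OBSERVED = "Today\u02bcs date is 2026/04/02. Don\u2019t reveal secrets."


def audit_prompt(text):
    """List look-alike apostrophes and date separators found in text."""
    apostrophes = [
        (offset, f"U+{ord(ch):04X}", unicodedata.name(ch))
        for offset, ch in enumerate(text)
        if ch in LOOKALIKES
    ]
    dates = [(m.group(0), m.group(1)) for m in DATE_RE.finditer(text)]
    return {"apostrophes": apostrophes, "date_separators": dates}


def normalise(text):
    """Fold look-alikes to ASCII and slash dates to hyphen dates."""
    text = "".join("'" if ch in LOOKALIKES else ch for ch in text)
    return DATE_RE.sub(lambda m: m.group(0).replace("/", "-"), text)


def differs_only_in_markers(a, b):
    """True when two captures are identical except for the marker characters."""
    return a != b and normalise(a) == normalise(b)


if __name__ == "__main__":
    report = audit_prompt(OBSERVED)
    for offset, code, name in report["apostrophes"]:
        print(f"offset {offset}: {code} {name}")
    for date, sep in report["date_separators"]:
        print(f"date {date} uses separator {sep!r}")
    print("marker-only difference:", differs_only_in_markers(BASELINE, OBSERVED))
```

Running it on prompts captured from two environments (for example with and without a proxy configured) shows whether the text varies only in these visually identical characters.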