Anthropic Strips Hidden Code That Detected Chinese Competitor Traffic
Anthropic confirmed that its Claude Code client contained a covert, Unicode‑based detection module that silently flagged traffic from Chinese AI firms and proxy services, and announced that the hidden logic will be completely removed in the upcoming software update.
On July 1, Anthropic announced that the next software update for its Claude Code client will delete a long‑standing hidden detection module designed to identify traffic originating from Chinese competitors and related proxy services.
Security researcher Adnane Khan, building on a binary extraction by Reddit user LegitMichel777, reverse‑engineered the full JavaScript source for versions v2.1.193 through v2.1.196. The analysis revealed a multi‑layered, silent detection mechanism that never appears in changelogs or documentation.
The trigger is the environment variable ANTHROPIC_BASE_URL set to a non‑official proxy address. When this condition is met, the client performs two checks: (1) it compares the system timezone against Asia/Shanghai or Asia/Urumqi; (2) it matches the current proxy domain against a hard‑coded blacklist of 147 entries, which is stored XOR‑91 obfuscated and then Base64‑encoded. The blacklist includes domains of Chinese AI companies such as Baidu, Alibaba, Ant Group, ByteDance, Moon Shadow, MiniMax, and many Claude API relay services.
If the timezone test succeeds, the date string in the request prompt (normally "Today's date is 2026-06-30") is altered without user awareness: the hyphens become slashes (2026/06/30) and the apostrophe in "Today's" is replaced by one of four visually indistinguishable Unicode characters, each encoding a different risk‑assessment state. This Unicode steganography exploits the fact that, in monospaced fonts, humans cannot easily spot the subtle character changes, while Anthropic's backend can reliably detect them.
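A defender-side check for the kind of marker described above, as an added example that is not from the article or from Anthropic's code: it scans a prompt line for apostrophe look-alikes and a changed date separator. The look-alike table is an assumed set of common Unicode confusables (the article does not name the four characters the client used), and the helper name auditDateLine is hypothetical.

```javascript
// Added example (not the client's code). Assumption: this table lists common
// apostrophe confusables; the article does not name the four characters used.
const APOSTROPHE_LOOKALIKES = new Map([
  [0x2018, "LEFT SINGLE QUOTATION MARK"],
  [0x2019, "RIGHT SINGLE QUOTATION MARK"],
  [0x02b9, "MODIFIER LETTER PRIME"],
  [0x02bc, "MODIFIER LETTER APOSTROPHE"],
  [0x2032, "PRIME"],
  [0xff07, "FULLWIDTH APOSTROPHE"],
]);

const hex = (cp) => "U+" + cp.toString(16).toUpperCase().padStart(4, "0");

// Hypothetical helper: returns one finding per suspicious character or format.
function auditDateLine(line) {
  const findings = [];
  let index = 0; // UTF-16 offset of the current code point
  for (const ch of line) {
    const cp = ch.codePointAt(0);
    if (APOSTROPHE_LOOKALIKES.has(cp)) {
      findings.push({ index, kind: "apostrophe-lookalike", codePoint: hex(cp),
                      name: APOSTROPHE_LOOKALIKES.get(cp) });
    } else if (cp > 0x7e) {
      // Any other non-ASCII character in a line expected to be plain ASCII.
      findings.push({ index, kind: "non-ascii", codePoint: hex(cp) });
    }
    index += ch.length;
  }
  // ISO-style dates use "-"; report any other repeated separator (e.g. "/").
  const m = /(\d{4})([^\d\s])(\d{2})\2(\d{2})/.exec(line);
  if (m && m[2] !== "-") {
    findings.push({ index: m.index + 4, kind: "date-separator", found: m[2] });
  }
  return findings;
}

// Constructed sample lines, not captured traffic.
const samples = [
  "Today's date is 2026-06-30",
  "Today\u2019s date is 2026/06/30",
  "Today\u02bcs date is 2026-06-30",
];
for (const s of samples) {
  console.log(JSON.stringify(s), auditDateLine(s));
}
```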
In addition to the steganographic marker, the leaked source contains a TypeScript flag named ANTI_DISTILLATION_CC. When enabled, the client injects fabricated tool‑call data into API requests, poisoning any downstream model‑distillation attempts by degrading the quality of the harvested training data.
Anthropic’s engineering lead, Tariq Shihpar, explained that the hidden module was created in March 2026 as a short‑term risk‑control experiment after the company accused DeepSeek, Moon Shadow, and MiniMax of using 24 000 fake accounts to make over 16 million API calls for large‑scale model distillation, violating service terms and regional access restrictions.
Community backlash focused on two main criticisms: (1) the mechanism was completely opaque, violating users' right to know what code runs on their machines and leading to accidental account bans for legitimate developers; (2) the detection criteria were overly broad, causing many compliant users—especially those using corporate proxies for cross‑border development—to be mistakenly flagged.
Anthropic confirmed that the removal pull request has been merged and the July 1 release will purge all related detection and marking code. The company pledged to replace the covert system with a transparent risk‑management approach, publishing all traffic‑identification logic in product update notes and privacy documentation, simplifying the criteria by dropping timezone and blanket domain checks, and establishing a fast‑track appeal channel for mistakenly blocked accounts.
Industry analysts warned that any high‑privilege development tool that silently monitors user behavior can trigger privacy and trust crises, emphasizing the need for verifiable and user‑visible security controls even when protecting intellectual property.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
21CTO
