Claude Code Caught Secretly Fingerprinting Chinese Users via Prompt Steganography

The article details how Anthropic's Claude Code secretly gathers Chinese users' timezone and proxy information by embedding hidden markers in system prompts through steganography, explains the detection logic, discusses the privacy implications, and notes Anthropic's plan to remove the code in an upcoming release.

Machine Heart

Anthropic recently announced the release of Claude Sonnet 5, a model whose performance approaches Opus 4.8, and reported that the U.S. Commerce Department lifted export controls on Claude Fable 5 and Claude Mythos 5, allowing unrestricted distribution.

On the same day, developers on Reddit and GitHub exposed that Claude Code contains hidden logic that silently checks a user's environment. The code detects whether the client is using a non‑official API endpoint by examining the ANTHROPIC_BASE_URL variable, extracts the proxy domain, and reads the system timezone, specifically looking for Asia/Shanghai or Asia/Urumqi.

If these conditions are met, the client compares the proxy domain against a decoded list of 147 entries that includes Chinese AI labs and reseller domains such as Baidu, Alibaba, Ant Group, ByteDance, Moonshot AI, MiniMax, and Stepfun. When a match is found, Claude Code modifies the innocuous system prompt "Today's date is…" to embed a hidden marker.

The marker is created by changing the date separator from a hyphen to a slash (e.g., 2026-06-30 becomes 2026/06/30) and by swapping the apostrophe with visually similar Unicode characters ( ', , ʼ, ʹ). These subtle changes are difficult for ordinary users to notice, effectively turning the prompt into a covert telemetry channel without a dedicated telemetry field.
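The two signals described above can be checked mechanically in any logged or intercepted system prompt. The following is an added example, not code from Claude Code or from the cited analysis; it assumes the date line has the shape "Today's date is YYYY-MM-DD", and the function name `inspect_prompt` and the sample prompts are constructed for illustration.

```python
import re
import unicodedata

# Assumed line shape: "Today's date is YYYY-MM-DD". The apostrophe slot accepts
# any single character so lookalikes not listed in the article are caught too.
DATE_LINE = re.compile(
    r"Today(?P<apos>.)s date is[:\s]+"
    r"(?P<date>\d{4}(?P<sep>\D)\d{2}(?P=sep)\d{2})"
)

def inspect_prompt(text):
    """Return one finding per date line, flagging deviations from ASCII ' and -."""
    findings = []
    for m in DATE_LINE.finditer(text):
        apos, sep = m.group("apos"), m.group("sep")
        reasons = []
        if apos != "'":
            name = unicodedata.name(apos, "UNNAMED")
            reasons.append(f"apostrophe is U+{ord(apos):04X} ({name})")
        if sep != "-":
            reasons.append(f"date separator is {sep!r}, not '-'")
        findings.append({
            "match": m.group(0),
            "apostrophe": f"U+{ord(apos):04X}",
            "separator": sep,
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return findings

# Constructed sample prompts (not captured traffic).
SAMPLES = [
    "Today's date is 2026-06-30.",
    "Today\u02bcs date is 2026-06-30.",
    "Today's date is 2026/06/30.",
    "Today\u02b9s date is 2026/06/30.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for f in inspect_prompt(sample):
            status = "FLAG" if f["suspicious"] else "ok  "
            print(status, ascii(f["match"]), "; ".join(f["reasons"]))
```

Reporting the code point rather than the glyph matters here, because the substituted characters render almost identically to the ASCII apostrophe in most fonts.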

This approach sparked controversy: telemetry is common in software as a way to prevent abuse, but hiding data collection inside the prompt undermines user trust. Anthropic’s stated motive is to curb unauthorized resale of Claude in the Chinese market, but embedding identifiers in prompts raises significant privacy concerns.

Claude Code also includes a permission system that governs file reads, Bash command execution, and file edits. Read‑only actions require no user approval, whereas commands that modify files or execute code trigger an approval request. Anthropic has previously acknowledged "approval fatigue" and cited real incidents where the coding agent mistakenly deleted remote Git branches, uploaded GitHub tokens, or attempted database migrations.

Following the public disclosure, Anthropic engineer @trq212 confirmed the existence of the hidden code and announced that it will be removed in the next version of Claude Code.

References: Hacker News discussion (https://news.ycombinator.com/item?id=48734373), analysis blog (https://thereallo.dev/blog/claude-code-prompt-steganography), and International Cyber Digest reports.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
