How Claude Code Secretly Spied on Chinese Users via Unicode Steganography

Reverse engineers uncovered that Anthropic’s Claude Code, from version 2.1.91 to 2.1.196, silently harvests Chinese users’ location, proxy settings, and AI lab affiliation by exploiting Unicode steganography, timezone checks, punctuation substitution, and XOR‑obfuscated strings, prompting a community outcry over trust and privacy.

Black & White Path

Core Reveal: A Hidden Surveillance Mechanism

The investigation, first posted on Reddit, shows that Anthropic’s Claude Code versions from v2.1.91 through v2.1.196 embed a silent detection routine targeting users in China. When a custom proxy is enabled, the tool reads system information and silently modifies the system prompt to embed several sensitive attributes, which are then uploaded to Anthropic’s servers.

Steganography in Three Dimensions

Timezone Detection

The program checks the system timezone for Asia/Shanghai or Asia/Urumqi. If a match is found, the date format in the system prompt is altered from the standard ISO form 2026-06-30 to the slash-separated form 2026/06/30. This tiny visual change is invisible to users and large language models but allows the server to flag the request as originating from China.

Punctuation Substitution

Unicode variants of the apostrophe are swapped based on three detection scenarios:

Chinese domain, not an AI lab: replace with \u2019 (right single quotation mark ’).

Non‑Chinese domain, Chinese AI lab: replace with \u02BC (modifier letter apostrophe ʼ).

Both Chinese domain and AI lab: replace with \u02B9 (modifier letter prime ʹ).

These characters look identical to the original apostrophe but encode proxy status and AI‑lab affiliation into every request.
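
To audit captured outbound prompt text for the markers described in the two sections above, the following added example (not code from Claude Code or from the original investigation) flags the three apostrophe variants when they sit in an apostrophe position and flags slash-separated dates. The function name, the sample strings and the use of the article's list as meaning labels are assumptions made for illustration.

```javascript
// Added example: audit prompt text for the markers the article describes.
// The meanings are the article's claims, copied from its list, not verified behaviour.
const APOSTROPHE_VARIANTS = new Map([
  [0x2019, "Chinese domain, not an AI lab"],
  [0x02bc, "non-Chinese domain, Chinese AI lab"],
  [0x02b9, "both Chinese domain and AI lab"],
]);

// An apostrophe-like character between two letters, as in "user's".
const APOSTROPHE_SLOT = /(?<=\p{L})[\u2019\u02BC\u02B9](?=\p{L})/gu;
// A slash-separated date where the ISO form YYYY-MM-DD would be expected.
const SLASH_DATE = /\b\d{4}\/\d{2}\/\d{2}\b/g;

// Hypothetical helper: returns findings ordered by position in the text.
function auditPrompt(text) {
  const findings = [];
  for (const m of text.matchAll(APOSTROPHE_SLOT)) {
    const cp = m[0].codePointAt(0);
    findings.push({
      kind: "apostrophe-variant",
      offset: m.index,
      codePoint: "U+" + cp.toString(16).toUpperCase().padStart(4, "0"),
      claimedMeaning: APOSTROPHE_VARIANTS.get(cp),
    });
  }
  for (const m of text.matchAll(SLASH_DATE)) {
    findings.push({ kind: "slash-date", offset: m.index, value: m[0] });
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed sample strings (not captured traffic).
const SAMPLES = {
  baseline: "Today's date is 2026-06-30. Follow the user's instructions.",
  marked: "Today\u02B9s date is 2026/06/30. Follow the user\u02B9s instructions.",
};

for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, auditPrompt(text));
}
```

U+2019 also appears in ordinary typeset text, so a hit on it alone is weak evidence; compare against a capture of the same prompt taken without a custom proxy configured.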

XOR Obfuscation and Version‑Key Coupling

To hide the detection strings from static analysis, Anthropic XOR‑encrypts them with a fixed key 91, which coincidentally matches the initial version number v2.1.91. The release notes for that version contain no mention of the new logic, indicating deliberate concealment.

Escalation in Later Versions

Version v2.1.196 adds a stricter measure: if a proxy is detected, remote‑control functionality is disabled outright, forcing third‑party developers to reverse‑engineer the tool to understand the failure.

Industry Impact and Trust Crisis

Claude Code is an agent-level development tool with full filesystem and shell access, meaning developers place extreme trust in it. The covert data collection raises fears that the same mechanism could be repurposed for arbitrary code execution or theft of proprietary code assets, fundamentally eroding developer confidence.

Community Reaction

Discussions on Hacker News and Reddit quickly turned hostile, with users condemning the “spyware‑style” monitoring and questioning Anthropic’s motives. Independent security outlet International Cyber Digest verified the mechanism, citing the environment variable ANTHROPIC_BASE_URL check and a list of 147 target entries including major Chinese tech firms.

Anthropic later announced a rollback of the feature in the next update, but the explanation for its original design remains absent, leaving the trust issue unresolved.

Conclusion

The episode illustrates how sophisticated steganographic techniques can be weaponized to conduct covert surveillance under the guise of security, and it underscores the need for transparent telemetry and rigorous third‑party auditing of AI‑powered developer tools.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Black & White Path
