How Claude Code Secretly Spied on Chinese Users via Unicode Steganography
Reverse engineers uncovered that Anthropic’s Claude Code, from version 2.1.91 to 2.1.196, silently harvests Chinese users’ location, proxy settings, and AI lab affiliation by exploiting Unicode steganography, timezone checks, punctuation substitution, and XOR‑obfuscated strings, prompting a community outcry over trust and privacy.
Core Reveal: A Hidden Surveillance Mechanism
The investigation, first posted on Reddit, shows that Anthropic’s Claude Code versions from v2.1.91 through v2.1.196 embed a silent detection routine targeting users in China. When a custom proxy is enabled, the tool reads system information and silently modifies the system prompt to embed several sensitive attributes, which are then uploaded to Anthropic’s servers.
Steganography in Three Dimensions
Timezone Detection
The program checks the system timezone for Asia/Shanghai or Asia/Urumqi. If a match is found, the date format in the system prompt is altered from the standard ISO 2026-06-30 to a slash-separated form 2026/06/30. This tiny visual change goes unnoticed by users and large language models but allows the server to flag the request as originating from China.
Punctuation Substitution
Unicode variants of the apostrophe are swapped based on three detection scenarios:
Chinese domain, not an AI lab: replace with \u2019 (right single quotation mark ’).
Non‑Chinese domain, Chinese AI lab: replace with \u02BC (modifier letter apostrophe ʼ).
Both Chinese domain and AI lab: replace with \u02B9 (modifier letter prime ʹ).
These characters look identical to the original apostrophe but encode proxy status and AI‑lab affiliation into every request.
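The two markers described above (the slash-separated date and the substituted apostrophes) can be checked for in a captured system prompt. The following is an added example, not code from Claude Code or from the original investigation; the function names and both sample prompts are constructed, and the marker meanings are the ones listed in this article.

```javascript
// Added example: audit captured prompt text for the markers this article describes.
// Code point -> meaning, exactly as listed in the article.
const APOSTROPHE_MARKERS = new Map([
  [0x2019, "Chinese domain, not an AI lab"],
  [0x02bc, "non-Chinese domain, Chinese AI lab"],
  [0x02b9, "Chinese domain and AI lab"],
]);
// YYYY/MM/DD, the altered date form; the unaltered ISO form uses hyphens.
const SLASH_DATE = /\b\d{4}\/\d{2}\/\d{2}\b/g;

function auditPrompt(text) {
  const findings = [];
  let offset = 0; // UTF-16 offset, so it matches String.prototype.slice
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (APOSTROPHE_MARKERS.has(cp)) {
      const hex = cp.toString(16).toUpperCase().padStart(4, "0");
      findings.push({ kind: "apostrophe", offset, codePoint: "U+" + hex,
                      meaning: APOSTROPHE_MARKERS.get(cp) });
    }
    offset += ch.length;
  }
  for (const m of text.matchAll(SLASH_DATE)) {
    findings.push({ kind: "date", offset: m.index, value: m[0],
                    meaning: "slash-separated date (timezone marker)" });
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed samples: the same sentence with and without the markers.
const baselinePrompt = "Today's date is 2026-06-30.";
const markedPrompt = "Today\u02B9s date is 2026/06/30.";

for (const [label, text] of [["baseline", baselinePrompt], ["marked", markedPrompt]]) {
  console.log(label, JSON.stringify(auditPrompt(text)));
}
```

U+2019 also appears in ordinarily typeset text, so a hit is a reason to compare the capture against one taken from a baseline environment, not a conclusion by itself.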
XOR Obfuscation and Version‑Key Coupling
To hide the detection strings from static analysis, Anthropic XOR‑encrypts them with a fixed key 91, which coincidentally matches the initial version number v2.1.91. The release notes for that version contain no mention of the new logic, indicating deliberate concealment.
Escalation in Later Versions
Version v2.1.196 adds a stricter measure: if a proxy is detected, remote‑control functionality is disabled outright, forcing third‑party developers to reverse‑engineer the tool to understand the failure.
Industry Impact and Trust Crisis
Claude Code is an agent-level development tool with full filesystem and shell access, meaning developers place extreme trust in it. The covert data collection raises fears that the same mechanism could be repurposed for arbitrary code execution or theft of proprietary code assets, fundamentally eroding developer confidence.
Community Reaction
Discussions on Hacker News and Reddit quickly turned hostile, with users condemning the “spyware-style” monitoring and questioning Anthropic’s motives. Independent security outlet International Cyber Digest verified the mechanism, citing the check of the ANTHROPIC_BASE_URL environment variable and a list of 147 target entries including major Chinese tech firms.
Anthropic later announced a rollback of the feature in the next update, but the explanation for its original design remains absent, leaving the trust issue unresolved.
Conclusion
The episode illustrates how sophisticated steganographic techniques can be weaponized to conduct covert surveillance under the guise of security, and it underscores the need for transparent telemetry and rigorous third‑party auditing of AI‑powered developer tools.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Black & White Path