Anthropic has confirmed and is rolling back a hidden mechanism in Claude Code that used system-prompt steganography to flag requests routed through China-linked proxies and timezones. A security researcher publishing as Thereallo disclosed it on June 30, 2026, and Alibaba responded by adding the tool to its high-risk software list.
Key takeaways
- The mechanism only ran with a custom
ANTHROPIC_BASE_URL— the official api.anthropic.com endpoint never triggered it - The marker was encoded as invisible apostrophe variants and a date-separator swap in the phrase "Today's date is"
- Triggers: the Asia/Shanghai or Asia/Urumqi timezone plus a hostname on a list of Chinese domains and AI-lab keywords
- Anthropic engineer Thariq Shihipar called it a March "experiment" aimed at unauthorized resellers and distillation
- Alibaba bans Claude Code for staff from July 10, 2026, classifying it as high-risk software
What exactly was found
The researcher inspected a local Claude Code install (version 2.1.196) and found a function that alters the date string injected into the system prompt. Instead of a plain "Today's date is 2026-06-30." the tool could quietly change the apostrophe character and swap the date separator from a hyphen to a slash. The sentence looks identical to a human and to the model, yet the raw request carries a marker that Anthropic's backend can read instantly.
This is prompt steganography, a technique for hiding data in plain sight. Four apostrophe variants (normal, U+2019, U+02BC, U+02B9) encode four states: no match, a known domain, an AI-lab keyword, and both at once. A slash separator signaled a Chinese timezone. The domain and keyword lists were stored as base64 and XOR-decoded with key 91, so they did not show up in a simple text dump. The keyword list included deepseek, moonshot, minimax, zhipu, and baichuan.
| Apostrophe variant | Encoded state |
|---|---|
| Plain apostrophe | No match |
| U+2019 | A known Chinese domain |
| U+02BC | An AI-lab keyword |
| U+02B9 | Both domain and keyword |
When the mechanism actually activated
This is the key distinction between fact and interpretation. The code did not run for most users. If ANTHROPIC_BASE_URL was empty or pointed at the official api.anthropic.com, the function returned early. It only activated when someone routed Claude Code through a custom base URL — an internal gateway, a local proxy, a model router, or a reseller domain. The tool did not mass-"scan" Chinese citizens. It classified requests passing through unusual endpoints. The discoverer stressed that this is "not a malicious feature," but "a weird choice for a developer tool that asks for trust."
Anthropic's explanation
Thariq Shihipar, an engineer on the Claude Code team, confirmed on X that the marker was added in March as an experiment "meant to prevent account abuse from unauthorized resellers and protect against distillation." He said the team had already shipped stronger protections and had meant to remove the old code. The relevant pull request was merged, with the full rollback due in the next release.
The backdrop is concrete. Anthropic does not offer its models in China, and its terms ban access for companies from China and other "adversarial nations." As the Washington Post reported, unauthorized resellers offer free models for a dollar a month, and $100-a-month pro subscriptions sell for as little as $12. In June, Anthropic accused Alibaba of the "largest known distillation attack" on Claude.
How others handle it
Regional access blocking is not unusual in itself. OpenAI also restricts access from China and, alongside Anthropic, is pushing to treat distillation as intellectual-property theft. The difference lies in the method. The conventional approach is explicit telemetry, a clear clause in the terms, or an entry in the release notes. Here, the signal was hidden in system-prompt punctuation and the domain list was encrypted. The contrast is sharper because Anthropic built its image on privacy — it previously refused to let the US administration use Claude to surveil American users and sued the White House over that clash.
Alibaba's response
The market reaction was fast. As CNBC confirmed, Alibaba is banning staff from using Anthropic tools for work as of July 10, 2026, and has added Claude Code to a high-risk software list. Employees must uninstall Anthropic products and use the company's own assistant, Qoder. According to the South China Morning Post, an internal memo said the tool "carries back-door risks." A company deemed to breach Anthropic's terms faces real legal and compliance exposure — unlike an individual bypassing blocks with a cheap VPN.
Why it matters
The case exposes a tension that will only grow. Agentic tools have access to the filesystem, the shell, and repositories, so any hidden channel in such a client undermines trust. The problem is not terms enforcement — companies have a right to detect abuse. The problem is the method. When a provider hides user classification inside invisible punctuation and encrypts the target list, every other privacy claim becomes harder to verify. For Anthropic this is especially costly, because it built its brand on resisting surveillance. The incident also shows how AI geopolitics reaches into the code layer: the race for an edge over China becomes concrete fingerprinting inside an ordinary developer tool. Where user loyalty rests on a cold calculation of cost against capability, losing trust may prove more expensive than any distillation attack the marker was meant to prevent.
What's next
- The full rollback of the marker was announced for the next Claude Code release — an Anthropic engineer confirmed the reverting pull request was merged
- Alibaba's ban takes effect on July 10, 2026, with staff moving to the internal Qoder assistant
- Anthropic and OpenAI are lobbying the US Senate to classify distillation as intellectual-property theft — any resulting export rules will define future access
Sources
- Thereallo — Claude Code Is Steganographically Marking Requests
- Ars Technica — Secret Claude tracker shocks users after Anthropic's anti-surveillance stance
- The Decoder — Hidden code in Claude Code secretly flagged Chinese users
- CNBC — China's Alibaba bans Anthropic AI for employees after 'distillation attack' accusation





