{"slug": "hidden-code-in-claude-code-secretly-flagged-chinese-users", "title": "Hidden code in Claude Code secretly flagged Chinese users", "summary": "Anthropic has removed a hidden monitoring feature from its Claude Code tool that secretly checked users' connections to China and AI labs there, transmitting data through encrypted steganography in the system prompt. The company called it an experiment to combat account abuse and model cloning, and said it had been planning to disable the feature before the discovery sparked public outrage.", "body_md": "# Hidden code in Claude Code secretly flagged Chinese users\n\n## Key Points\n\n- Anthropic has removed a hidden monitoring feature from its Claude Code tool that secretly checked users' connections to China and to AI labs there.\n- The data transfer was undocumented and encrypted through minimal text changes in the system prompt that were invisible to the user.\n- According to Anthropic, the feature was an experiment designed to combat account abuse and model cloning. The company emphasized that it now has stronger countermeasures in place and had been planning to disable the feature for some time anyway.\n\n**Anthropic is rolling back a covert surveillance feature in its coding tool Claude Code after it sparked outrage on social media.**\n\nA [Reddit post](https://www.reddit.com/r/ClaudeAI/comments/1ujila1/anthropic_embedded_spyware_in_claude_code_and/) by user LegitMichel777 first exposed the feature. According to the post, Claude Code has been secretly checking since version 2.1.91, released April 2, 2026, whether users with an active proxy are located in China, routing through a Chinese URL, or connected to a Chinese AI lab.\n\n## Hidden signals buried in the system prompt\n\nThe data gets transmitted through barely perceptible changes to the system prompt, a form of steganography. Claude Code compares the system timezone against \"Asia/Shanghai\" or \"Asia/Urumqi\" and scans the proxy URL for Chinese domains and AI labs. Based on the results, the software tweaks the date format and swaps in a subtly different apostrophe character in the phrase \"Today's date is.\" Users can't see the difference. Anthropic can read it instantly.\n\nAccording to LegitMichel777, Anthropic also obfuscated the code using XOR encryption with key 91, keeping it from showing up in a simple text dump. The release notes for version 2.1.91 made no mention of the check.\n\nThe discoverer called the covert transmission of system and proxy data without user knowledge \"a fundamental violation of user trust.\" Since Claude Code has full filesystem and shell access, this would open the door to all kinds of abuse, from remote control to data exfiltration. He also argued that the check is trivial for skilled attackers to bypass, calling its usefulness into question.\n\n## Anthropic calls it an experiment\n\nAnthropic employee Thariq Shihipar, who works on the Claude Code team, [described the feature on X](https://x.com/trq212/status/2072079729331777817?s=20) as \"an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation.\" The team had since shipped stronger protections: \"The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while.\" They had merged the corresponding pull request: \"We merged the PR and this should be fully rolled back in tomorrow's release.\"\n\nAnthropic doesn't offer its models in China for national security reasons. Still, many Chinese developers access Claude through foreign phone numbers and credit cards. Anthropic had previously accused DeepSeek, Moonshot AI, MiniMax, and Alibaba of [using Claude model outputs without permission to train their own language models](https://the-decoder.com/openai-anthropic-and-google-team-up-against-unauthorized-chinese-model-copying/).\n\n```\nAI News Without the Hype – Curated by Humans\n\n\t\t\t\t\tSubscribe to THE DECODER for ad-free reading, a weekly AI newsletter, our exclusive \"AI Radar\" frontier report six times a year, full archive access, and access to our comment section.\t\t\t\t\n\n\t\t\t\t\tSubscribe now\n```\n\n[The Information](https://www.theinformation.com/briefings/anthropic-backtracks-spyware-targeting-chinese-users-controversy)", "url": "https://wpnews.pro/news/hidden-code-in-claude-code-secretly-flagged-chinese-users", "canonical_source": "https://the-decoder.com/hidden-code-in-claude-code-secretly-flagged-chinese-users/", "published_at": "2026-07-01 11:27:06+00:00", "updated_at": "2026-07-01 11:28:08.600062+00:00", "lang": "en", "topics": ["ai-safety", "ai-ethics", "ai-policy", "ai-tools"], "entities": ["Anthropic", "Claude Code", "DeepSeek", "Moonshot AI", "MiniMax", "Alibaba", "Thariq Shihipar", "LegitMichel777"], "alternates": {"html": "https://wpnews.pro/news/hidden-code-in-claude-code-secretly-flagged-chinese-users", "markdown": "https://wpnews.pro/news/hidden-code-in-claude-code-secretly-flagged-chinese-users.md", "text": "https://wpnews.pro/news/hidden-code-in-claude-code-secretly-flagged-chinese-users.txt", "jsonld": "https://wpnews.pro/news/hidden-code-in-claude-code-secretly-flagged-chinese-users.jsonld"}}