A close-up of a circuit board with gold traces and microchips, the physical layer beneath the invisible Unicode markers Anthropic embedded in Claude Code
Photo via Unsplash

TL;DR: An independent developer writing as Thereallo found that Anthropic had embedded a steganographic classifier inside Claude Code, the company's command-line agent. The code inspected the user's ANTHROPIC_BASE_URL environment variable, parsed the hostname, read the system timezone, and silently rewrote a routine "Today's date is..." string in the system prompt so that the apostrophe character, and the date separator, encoded a four-bit signal: whether the hostname matched a known Chinese AI lab, whether it matched a known proxy or gateway, whether the timezone was Asia/Shanghai or Asia/Urumqi, and whether the lab keyword list matched [1][2]. Anthropic engineer Thariq Shihipar confirmed the mechanism on X and described it as "an experiment we launched in March" to prevent "account abuse from unauthorized resellers" and "distillation" [1]. The removal pull request was merged by July 1, 2026 [1].

What the Code Actually Did

The marker ran inside the minified JavaScript bundle shipped with Claude Code version 2.1.196, a release whose binary carried a signing timestamp of June 29, 2026 [2]. Thereallo's analysis, posted on the researcher's blog at thereallo.dev, showed that the function constructs an otherwise ordinary line of system context that begins "Today's date is 2026-06-30." and encodes a four-way classifier inside that string [2][3].

There are four bits. The first is the apostrophe. A plain ASCII apostrophe (') means neither the host nor the lab-keyword list matched. A right single quotation mark (U+2019, ’) means the host matched. A modifier letter apostrophe (U+02BC, ’) means the lab-keyword list matched. A modifier letter prime (U+02B9, ’) means both matched [2]. The second bit is the date separator. If the system timezone was Asia/Shanghai or Asia/Urumqi, the hyphens in the date were replaced with slashes, so "2026-06-30" became "2026/06/30" [2][3]. The mechanism was visible only to someone reading raw Unicode or to Anthropic's own backend, which saw the four bits, looked up the host and timezone, and added the result to whatever internal record it keeps about the request.

The blocklists were hidden too. The list of hostnames and the list of lab keywords were base64-encoded and XOR-scrambled with the key 91, then split on commas inside the bundle [2]. Thereallo's decoded lab-keyword list, pulled from the binary, included deepseek, moonshot, minimax, zhipu, bigmodel, baichuan, stepfun, 01ai, dashscope, and volces [2]. The decoded domain list was not fully reproduced in the blog post, but a partial sample included baidu.com, alibaba-inc.com, alipay.com, antgroup-inc.cn, bytedance.net, kuaishou.com, xiaohongshu.com, jd.com, bilibili.co, iflytek.com, stepfun-inc.com, moonshot.ai, and a set of proxy and gateway services such as anyrouter.top, claude-code-hub.app, claude-opus.top, openclaude.me, proxyai.com, yunwu.ai, and zenmux.ai [2].

Thereallo described the design plainly: the marker "silently alters the system prompt using invisible-ish Unicode markers" and "encodes proxy / gateway classification into a sentence that looks like plain English" [2]. The list, the researcher wrote, is "hidden behind XOR and base64. This is not a malicious feature, but it is a weird choice" [2].

How Thereallo Found It

The disclosure came from an independent developer who had been reading the Claude Code bundle for unrelated reasons. The author of the blog post writes under the handle Thereallo and runs thereallo.dev [2]. A separate GitHub repository, posted by user alex000kim, had previously surfaced a leaked Claude Code source tree, including a TypeScript file named src/services/api/claude.ts with an ANTI_DISTILLATION_CC flag at lines L301 through L313 [1].

The Register's Thomas Claburn wrote up the disclosure on July 1, 2026, the same day Anthropic merged the removal [1]. Malwarebytes researcher Pieter Arntz followed up on July 7, 2026 with a technical walkthrough that included the sample text "Today's date is 2026‑06‑30." and the precise set of time zones that triggered the marker [3]. Malwarebytes also confirmed the bundle under inspection was Claude Code version 2.1.196, with binary SHA256 6fc6e61ab7582c2bf241225ff90d9f79e91d69380cb9589fc9dedd3a30070f5a [3].

Thereallo's blog post did not name Anthropic as the source of the marker. The Register matched the markers to Anthropic's ANTHROPIC_BASE_URL environment variable, the official documentation at code.claude.com/docs/en/env-vars, and a comment on X from Thariq Shihipar, an engineer on the Claude Code team [1].

Anthropic's Response: "An Experiment We Launched in March"

Thariq Shihipar, an engineer on Anthropic's Claude Code team, addressed the disclosure on X on July 1, 2026 [1]. His characterization: "This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers." He added that the goal was to "protect against distillation" and that "the team has landed stronger mitigations since then and we've actually been meaning to take this down for a while" [1].

The Register pressed a spokesperson on whether Anthropic's terms of service disclosed the marker. The spokesperson "only pointed back to Shihipar's remarks" and did not specify what the "stronger mitigations" entailed [1]. Anthropic's existing terms of service reserve the right to monitor usage for abuse but do not, on the public record, authorize the embedding of hidden telemetry into user-visible system prompts.

Shihipar's framing of the marker as a temporary experiment, paired with the choice to bury it in a Unicode trick most users will never read, is the part that bothers the privacy case the most. A defender can argue that running a counter-distillation classifier is normal. A privacy critic can argue that running it inside an invisible character encoding in a string the user thinks is just today's date is not [1][2]. Both can be true.

Why China: The Distillation Backdrop

The tracker is not Anthropic's only anti-distillation move. On February 23, 2026, Anthropic published a blog post titled "Detecting and Preventing Distillation Attacks," naming three Chinese AI labs it accused of running large-scale extraction campaigns against Claude [4]. Anthropic's account: DeepSeek ran more than 150,000 exchanges targeting reasoning capabilities; Moonshot AI ran more than 3.4 million exchanges targeting agentic reasoning, coding, and computer-use agent development; and Minimax ran more than 13 million exchanges targeting agentic coding and tool use [4]. Across the three campaigns, Anthropic said the labs used roughly 24,000 fraudulent accounts to generate more than 16 million exchanges [4].

Anthropic's distillation-detection stack already includes IP correlation, request metadata, infrastructure indicators, behavioral fingerprinting, classifiers for chain-of-thought elicitation, and detection tools for coordinated activity [4]. The Claude Code marker is a new layer inside the client itself. Rather than wait for a request to reach Anthropic's servers and run the request through the server-side classifiers, the client can pre-classify the user and pass the result along in the request payload. That is more efficient and harder for an intermediary to strip. It is also, by Thereallo's read, hidden behind XOR and Unicode [2].

The political frame is the same one the existing Anthropic-Alibaba distillation vessel covers: a White House Executive Order on protecting U.S. AI from foreign adversaries issued in June 2026, and a Senate amendment to must-pass defense legislation from Senators Bill Hagerty (R-TN) and Andy Kim (D-NJ) that would let the executive branch blacklist or sanction Chinese firms found improperly accessing U.S. AI model outputs [1][4]. The marker is, in effect, the client-side piece of a much larger architecture that pairs server-side classifiers with federal policy pressure on Chinese AI labs.

Why This Matters Beyond One Vendor

The Anthropic case is one example of a pattern that is spreading across the agent-tool ecosystem. A vendor that ships a local client can ship anything inside the client. The bundling norm already includes license-check telemetry, crash reporting, and feature flagging. A Unicode marker inside a date string is a small step past that, because the marker is designed to be invisible to a reader, encoded into a layer the user thinks is theirs, and decoded by the vendor's backend. The disclosure here landed because Thereallo was reading the bundle. Most users will not.

For an industry that has spent the last three years publishing "trust us" statements about on-device processing, local-first agents, and inference that never leaves the user's machine, a hidden exfiltration channel into the system prompt is a credibility hit. The Anthropic-ID-verification consumer rollout on July 8, 2026, covered in our existing ID-verification consumer capabilities vessel, made the public commitment to user-facing identity controls. A steganographic marker in the build of the command-line agent runs the other direction, into the back end, on every request. The same company is doing both at once [3].

The lesson for users is the one Anthropic's terms of service already imply but never quite say: assume anything you run on your machine can phone home, and any string you think is text might be more than text. The practical mitigations are the ones Malwarebytes recommended: record hashes of AI clients, avoid unsupervised auto-updates, and run network inspection on AI client traffic so a Unicode-encoded marker shows up as an unusual payload rather than a clean request body [3]. For vendors, the lesson is that invisible telemetry, once found, is harder to defend than visible telemetry, and "an experiment" is not a long-term answer.

What to Watch

Anthropic's postmortem. Shihipar described the marker as "an experiment we launched in March" and said the team "had been meaning to take this down for a while." A formal postmortem that names the marker, the dates it ran, the data it sent, and the retention policy for the collected signal is the next obvious document [1].

The "stronger mitigations" Shihipar referenced. Shihipar said the team "landed stronger mitigations since then." The Register asked Anthropic to specify what those mitigations are and got no answer. Watch for a documentation update, a configuration flag, or a transparency report that names the new client-side classifier [1].

Whether other AI vendors ship the same trick. The Claude Code disclosure will be read by every other team building a CLI agent or an IDE plugin. A Unicode-encoded marker in a date string is a five-line function. Watch the open-source diffs and the issue trackers for similar patterns [2][3].

The Senate amendment on Chinese AI extraction. Senators Hagerty and Andy Kim are moving an amendment to must-pass defense legislation to let the executive branch blacklist or sanction Chinese firms found improperly accessing U.S. AI model outputs [1]. The marker story is one piece of evidence the bill's supporters can cite.

Sources

  1. The Register, Thomas Claburn: Anthropic is removing its covert code for catching Chinese competitors (July 1, 2026)
  2. Thereallo: Claude Code Is Steganographically Marking Requests (researcher disclosure, June/July 2026)
  3. Malwarebytes, Pieter Arntz: Claude Code's hidden tracker was an “experiment,” says Anthropic (July 7, 2026)
  4. Anthropic: Detecting and Preventing Distillation Attacks (Feb 23, 2026)