Claude Code Accused of Hiding China Proxy Fingerprints in System Prompts

MarsBit

Today, Anthropic is celebrating double good news.

On one hand, Claude Sonnet 5, described as "the most agent-like Sonnet model to date," has been released, with performance approaching that of Opus 4.8.

On the other hand, it was publicly stated that the U.S. Department of Commerce has lifted export controls on Claude Fable 5 and Mythos 5. Anthropic will resume access starting tomorrow and will share the latest updates soon.


Pursuant to an agreement signed by U.S. Secretary of Commerce Howard Lutnick, Anthropic has worked closely with the U.S. government to address risks associated with Claude Mythos 5 and Claude Fable 5 since the issuance of related letters on June 12 and June 26.

Anthropic commits to proactively identifying and addressing potential security risks posed by these models; maintaining close collaboration with the U.S. government on protocols, standards, and release arrangements for Mythos, Fable, and future models; and notifying the U.S. government upon detecting malicious activity.

Based on the actions taken and commitments made by Anthropic, as well as the Bureau of Industry and Security of the U.S. Department of Commerce’s current assessment of the transfer risks associated with Claude Mythos 5 and Claude Fable 5, the U.S. Department of Commerce has decided to withdraw the export controls outlined in the June 12 letter.

This means that exports, reexports, and domestic transfers of Claude Mythos 5 and Claude Fable 5, including deemed exports and deemed reexports, will no longer require a license.

However, the U.S. Department of Commerce reserves the right to reassess this decision. If circumstances change or Anthropic fails to meet its commitments, the U.S. Department of Commerce may still reinstate licensing requirements.


However, for users in China, we cannot yet celebrate.

On the same day, another topic sparked intense discussion among the developer community: someone discovered that Claude Code collects local proxy and timezone information without users’ knowledge and hides this data within prompts sent to the cloud using steganography.

Claude Code exposed for using hidden code to mark Chinese users

Recently, someone exposed that Anthropic had secretly embedded a piece of code in Claude Code.

This code automatically detects whether the user is in the China time zone, the current network proxy status, and whether they are connected to an environment related to certain Chinese AI labs.

It then embeds this information steganographically into the system prompt sent to the AI.

Chinese users are completely unaware, but Anthropic can identify them through these invisible fingerprints.

A developer first raised questions on Reddit and later published a verification report on GitHub, stating that they had audited three versions of Claude Code—2.1.193, 2.1.195, and 2.1.196—and confirmed the presence of a hidden mechanism, identified as a covert information channel within the system prompt.

Detection logic

According to the report, Claude Code checks the environment variable ANTHROPIC_BASE_URL, which is typically set when users direct Claude Code to a custom API proxy instead of the official endpoint api.anthropic.com. When a non-official route is detected, the program extracts the proxy domain name and reads the user's system timezone, specifically checking whether it is Asia/Shanghai or Asia/Urumqi.

[Image: analysis using GLM5.2]

The report states that the domain will be compared against a decoded list containing 147 entries, which includes domains of Chinese tech companies and AI labs such as Baidu, Alibaba, Ant Group, ByteDance, Moonshot AI, MiniMax, and Stepfun, as well as numerous Claude resale or API mirror service addresses.

Method of information transmission

The core of the dispute lies in the path of information transmission.

The report notes that Claude Code does not have a dedicated telemetry field for data reporting. The carrier of anomalous information is the seemingly insignificant phrase "Today's date is..." in the system prompt.

When the system timezone is detected as a China timezone, the date separator changes from a hyphen to a forward slash; for example, 2026-06-30 is displayed as 2026/06/30. The apostrophe in "Today's date" alternates among similar-looking Unicode characters such as ', ', ʼ, and ʹ to indicate whether this request matched a domain list, an AI lab keyword, or both. These symbols are visually indistinguishable in standard interfaces.

For average users, the symbols ', ', ʼ, and ʹ are nearly indistinguishable to the naked eye, which is why this mechanism has remained hidden for so long. If the analysis is accurate, each qualifying request carries this subtle, unnoticed marker upstream.
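A defender who logs outbound requests can inspect this line directly. The Python sketch below is an added example, not code from Claude Code or from the report: it reports the code point sitting in the apostrophe position and the date separator, and can rewrite the line to its plain form. It assumes the prompt contains a line of the form "Today's date is YYYY-MM-DD", uses constructed sample prompts, and makes no assumption about which look-alike character encodes which signal.

```python
import re
import unicodedata

# Groups: 2 = character in the apostrophe position, 5 = date separator.
DATE_LINE = re.compile(r"(Today)(.)(s date is\s+)(\d{4})([-/])(\d{2})\5(\d{2})")


def audit_date_line(prompt: str) -> list[dict]:
    """Report the apostrophe code point and date separator of each date line."""
    findings = []
    for m in DATE_LINE.finditer(prompt):
        apos, sep = m.group(2), m.group(5)
        findings.append({
            "text": m.group(0),
            "apostrophe": f"U+{ord(apos):04X}",
            "apostrophe_name": unicodedata.name(apos, "UNKNOWN"),
            "separator": sep,
            # Anything other than ASCII apostrophe + hyphen deserves a look.
            "suspicious": apos != "'" or sep != "-",
        })
    return findings


def canonicalize(prompt: str) -> str:
    """Rewrite every date line to ASCII apostrophe and hyphen separators."""
    def fix(m: re.Match) -> str:
        return f"{m.group(1)}'{m.group(3)}{m.group(4)}-{m.group(6)}-{m.group(7)}"
    return DATE_LINE.sub(fix, prompt)


# Constructed sample prompts (not captured traffic).
PLAIN = "You are a coding assistant.\nToday's date is 2026-06-30.\n"
MARKED = "You are a coding assistant.\nToday\u02bcs date is 2026/06/30.\n"

if __name__ == "__main__":
    for label, prompt in (("plain", PLAIN), ("marked", MARKED)):
        for finding in audit_date_line(prompt):
            print(label, finding)
    print(canonicalize(MARKED) == PLAIN)
```

Comparing the reported code point against U+0027 is more reliable than eyeballing a log viewer, which may render or normalize the look-alikes identically.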

Points of contention

Telemetry data collection is common in the software industry. AI companies often have strong incentives to identify user behavior to prevent abuse, curb resale, avoid sanctions risks, and stop model distillation. From this perspective, Anthropic’s motivation to prevent unauthorized resale of Claude’s access in the Chinese market is easy to understand.

The issue lies in the implementation, not the purpose itself.

For publicly disclosed telemetry mechanisms, developers have full awareness and choice—they can review documentation, block specific endpoints, or decide for themselves whether to accept data collection. However, hiding metadata within nearly imperceptible character differences in prompts undermines the foundational trust between users and tools. For a coding assistant, crossing this boundary comes at a significant cost.

Permission context

Claude Code includes a built-in permission system that covers operations such as file reading, Bash command execution, and file editing. Read-only operations do not require user approval, while commands involving execution or file modification require explicit permission confirmation.

Anthropic has previously publicly discussed the potential for "approval fatigue" with Claude Code, acknowledging that most users tend to habitually approve permission requests, and completely disabling the permission approval mechanism is not secure in most scenarios.

The company’s own engineering blog has documented real cases of agentic misbehavior, including the accidental deletion of remote Git branches, unintended uploading of GitHub tokens, and even attempts to execute migrations on production databases.

The coding agent operates within the code repository, with access to source code, file structures, project details, and even accidentally exposed secrets, and is granted permissions to execute commands and modify files. For such a tool, trust is the very foundation of its existence.

If the client secretly encodes routing metadata into prompts, users naturally have reason to ask: What other information is being recorded in similar ways? Is there additional undisclosed detection logic on the client side? Have any of these behaviors been documented anywhere?

After the incident was revealed, Anthropic technical team member @trq212 responded with the reason for the code's implementation and stated that the code would be removed in the next version, to be released the following day.


Reference links:

https://news.ycombinator.com/item?id=48734373

https://thereallo.dev/blog/claude-code-prompt-steganography

https://x.com/IntCyberDigest/status/2071971609183678544?s=20

https://www.internationalcyberdigest.com/claude-code-accused-of-hiding-china-proxy-fingerprints-inside-system-prompts/

This article is from the WeChat public account "Machine Heart" (ID: almosthuman2014), authored by someone interested in AI.
