Claude Code admitted to inserting "spy code" aimed at Chinese users to prevent reselling and distillation, removed only after being exposed.

With "safety and alignment" as its hallmark, Anthropic's Claude Code team engineer Thariq publicly responded to the recent explosive "spyware code" leak, admitting that the company embedded an experimental mechanism in its product in March. This mechanism detects whether the system timezone is Asia/Shanghai or Asia/Urumqi, and whether the proxy hostname matches China-related resellers, then uses special punctuation to stealthily inject marks into the system prompt via steganography: marks invisible to humans but parsable by the server. He said the purpose was "to prevent unauthorized resellers from abusing accounts and model distillation," and emphasized that its removal has been accelerated, with a complete rollback in subsequent versions.


Key highlights

  • Claude Code engineer Thariq admitted that in March, an experimental mechanism was embedded to detect China timezones and proxy hostnames, and used steganography to inject hidden markers into the system prompt.
  • Mechanism details: When the timezone is Asia/Shanghai or Asia/Urumqi, the date separator changes from "-" to "/", and the apostrophe in "Today's date" is replaced with visually identical Unicode characters with different encodings.
  • Thariq stated the goal was to prevent unauthorized reseller abuse and model distillation; the upcoming version (2.1.197) fully rolls back the mechanism. But the community criticized: "Only removed after being caught, no user notification," severely damaging trust.

Anthropic, known for "safety and alignment," admitted its anti-distillation approach. Claude Code team engineer Thariq publicly responded to the recent explosive "spy code" leak, acknowledging that the company embedded an experimental mechanism in its product in March, secretly fingerprinting the environment of China-related users without their knowledge.

According to Thariq's explanation and the leaked details, this mechanism detects three things: whether the system timezone is Asia/Shanghai or Asia/Urumqi, whether the network proxy hostname matches a list of China-related resellers, and whether certain AI lab keywords are hit. The result is not written explicitly but is stealthily injected into the system prompt via steganography using special punctuation marks.

Hidden identifiable codes

Steganography means hiding information within seemingly normal content. The clever (or insidious) part of this mechanism is that when it detects a China timezone, the date separator in the line "Today’s date is" quietly changes from a hyphen "-" to a slash "/", e.g., 2026-06-30 becomes 2026/06/30; at the same time, the apostrophe in "Today’s date" switches among three visually identical Unicode characters with different encodings, used to indicate whether the proxy matches a Chinese domain, whether a Chinese AI lab is referenced, or both.

Most critically, these changes are completely invisible to human users, and perhaps even to the AI model itself, but easily parsed by Anthropic’s servers. According to external reports, this behavior appeared in Claude Code versions 2.1.193 to 2.1.196, and similar logic can be traced back to version 2.1.91 in early April.
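
As an added example (not code from Claude Code or from the article), the sketch below shows how a defender could check captured system prompts for the two signals described above: the date separator and the code point of the apostrophe in the date line. The sample prompts, their labels and the look-alike code points in them are constructed assumptions; the article does not name the three characters used.

```python
import re
import unicodedata
from collections import defaultdict

# Matches the date line the article describes. The character between
# "Today" and "s" and both date separators are captured, not assumed.
DATE_LINE = re.compile(r"Today(.)s date is (\d{4})(\D)(\d{2})(\D)(\d{2})")

def fingerprint(prompt):
    """Return the punctuation choices in the date line, or None if absent."""
    m = DATE_LINE.search(prompt)
    if m is None:
        return None
    apostrophe = m.group(1)
    return {
        "apostrophe": f"U+{ord(apostrophe):04X}",
        "apostrophe_name": unicodedata.name(apostrophe, "UNKNOWN"),
        "separator": m.group(3),
        "mixed_separators": m.group(3) != m.group(5),
    }

def compare_captures(captures):
    """Group capture labels by fingerprint. More than one group means the
    date line's punctuation varies between environments."""
    groups = defaultdict(list)
    for label, prompt in captures.items():
        fp = fingerprint(prompt)
        key = None if fp is None else (fp["apostrophe"], fp["separator"])
        groups[key].append(label)
    return dict(groups)

# Constructed sample prompts (not real captured traffic). The code points
# are illustrative look-alikes chosen for this example only.
SAMPLES = {
    "env-A": "Env info.\nToday's date is 2026-06-30.\n",
    "env-B": "Env info.\nToday\u2019s date is 2026/06/30.\n",
    "env-C": "Env info.\nToday\u02bcs date is 2026/06/30.\n",
}

if __name__ == "__main__":
    for key, labels in compare_captures(SAMPLES).items():
        print(key, labels)
```

Comparing captures taken under different timezone and proxy settings avoids having to know which punctuation is the baseline: any split into more than one group shows that the prompt text carries environment-dependent information.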

Anthropic says it's anti-distillation, the community says it's covert surveillance

Thariq gave a defensive reason. He stated the mechanism was designed "to prevent unauthorized resellers from abusing accounts and model distillation," and emphasized that the team has since implemented stronger protective measures and "always intended to take it offline." The relevant PR has been merged, and a full rollback is expected in tomorrow's version (2.1.197).

In February, Anthropic, OpenAI, and Google simultaneously disclosed industrial-scale model distillation attacks. Anthropic specifically accused DeepSeek, Moonshot AI, and MiniMax of using over 24,000 fraudulent accounts generating more than 16 million conversations to train competing models. For these AI giants, preventing distillation and theft is a real pain point.

The problem is that this leak was published by security account @IntCyberDigest on June 30, accompanied by two screenshots of code, directly confirming users were completely unaware. Although Thariq's response was an open admission, the timeline of "online in March, accelerated removal only after exposure" still sparked widespread community doubt.

The comment section was overwhelmingly critical of Anthropic, saying "only claim to remove it after being caught" and "secretly monitoring without notifying users." The company's long-standing reputation as "most focused on safety and ethics" suffered a severe trust blow.

Anti-distillation has become a major attack-and-defense theme between the Chinese and US AI camps. Must the corresponding measures be fully disclosed? From a business-logic perspective, that is impossible.

FAQs

What exactly did the "spy code" in Claude Code do?

According to the leak and engineer Thariq's admission, Claude Code embedded an experimental mechanism that detects whether the user's timezone is China (Asia/Shanghai, Asia/Urumqi) and whether the proxy hostname matches a Chinese reseller, then uses special Unicode punctuation to stealthily inject into the system prompt markers invisible to humans but parsable by the server.

Why did Anthropic do this? Has it been removed now?

Thariq said the purpose was to prevent unauthorized resellers from abusing accounts and model distillation. In February, Anthropic accused DeepSeek and other Chinese AI companies of using large numbers of fraudulent accounts to distill its models. He stated that the relevant PR has been merged, and the next version (2.1.197) will fully roll back the mechanism.
