Claude Code admits to embedding 'spy code' aimed at Chinese users to deter reselling and distillation; removed only after exposure
Anthropic markets itself on "safety and alignment." Thariq, an engineer on its Claude Code team, has publicly responded to the recent "spyware code" leak, admitting that the company embedded an experimental mechanism in the product in March. The mechanism checks whether the system timezone is Asia/Shanghai or Asia/Urumqi and whether the proxy hostname matches China-related resellers, then uses special punctuation to steganographically inject marks into the system prompt: marks invisible to humans but parsable by the server. He said the purpose was "to prevent unauthorized resellers from abusing accounts and model distillation," and emphasized that its removal has been accelerated, with a complete rollback in subsequent versions.
Key highlights
Anthropic, known for "safety and alignment," admitted its anti-distillation approach. Claude Code team engineer Thariq publicly responded to the recent explosive "spy code" leak, acknowledging that the company embedded an experimental mechanism in its product in March, secretly fingerprinting the environment of China-related users without their knowledge.
According to Thariq's explanation and the leaked details, this mechanism detects three things: whether the system timezone is Asia/Shanghai or Asia/Urumqi, whether the network proxy hostname matches a list of China-related resellers, and whether certain AI lab keywords are hit. The result is not written explicitly but is stealthily injected into the system prompt via steganography using special punctuation marks.
Hidden identifiable codes
Steganography means hiding information within seemingly normal content. The clever (or insidious) part of this mechanism is that when it detects a China timezone, the date separator in the line "Today’s date is" quietly changes from a hyphen "-" to a slash "/", e.g., 2026-06-30 becomes 2026/06/30; at the same time, the apostrophe in "Today’s date" switches among three visually identical Unicode characters with different encodings, used to indicate whether the proxy matches a Chinese domain, whether a Chinese AI lab is referenced, or both.
Most critically, these changes are completely invisible to human users, and perhaps even to the AI model itself, but easily parsed by Anthropic’s servers. According to external reports, this behavior appeared in Claude Code versions 2.1.193 to 2.1.196, and similar logic can be traced back to version 2.1.91 in early April.
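An added example (not Anthropic's code and not code from the leak) of how someone auditing captured request text could spot the punctuation variants described above. The article does not name the three apostrophe code points, so the lookalike table, the function names and the sample lines are assumptions constructed for illustration.

```javascript
// Candidate apostrophe lookalikes (assumed set; the article does not list them).
const APOSTROPHE_LOOKALIKES = new Map([
  [0x0027, 'APOSTROPHE (ASCII)'],
  [0x2019, 'RIGHT SINGLE QUOTATION MARK'],
  [0x02bc, 'MODIFIER LETTER APOSTROPHE'],
  [0x2032, 'PRIME'],
  [0xff07, 'FULLWIDTH APOSTROPHE'],
]);

// Format a code point as U+XXXX so visually identical characters can be told apart.
function hex(cp) {
  return 'U+' + cp.toString(16).toUpperCase().padStart(4, '0');
}

// Inspect one "Today?s date is YYYY?MM?DD" line and report its punctuation.
function auditDateLine(line) {
  const m = /Today(.)s date is\s+(\d{4})([^\d\s])(\d{2})\3(\d{2})/u.exec(line);
  if (!m) return null;
  const cp = m[1].codePointAt(0);
  return {
    apostrophe: hex(cp),
    apostropheName: APOSTROPHE_LOOKALIKES.get(cp) || 'unlisted character',
    separator: m[3],
    date: `${m[2]}-${m[4]}-${m[5]}`,
  };
}

// Compare lines captured in different environments. The date line should be
// byte-identical apart from the digits, so more than one punctuation variant
// means the line is carrying extra information.
function findVariation(lines) {
  const seen = new Map();
  for (const line of lines) {
    const a = auditDateLine(line);
    if (!a) continue;
    const key = `${a.apostrophe}|${a.separator}`;
    seen.set(key, (seen.get(key) || 0) + 1);
  }
  return { variants: [...seen.keys()].sort(), suspicious: seen.size > 1 };
}

// Constructed sample lines, not captured traffic.
const SAMPLE = [
  "Today's date is 2026-06-30.",
  'Today\u2019s date is 2026/06/30.',
  'Today\u02BCs date is 2026/06/30.',
];
console.log(findVariation(SAMPLE));
```

Rendered in a terminal or editor, the three sample lines look the same apart from the separator; only the code-point report distinguishes the apostrophes.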
Anthropic says it's anti-distillation, the community says it's covert surveillance
Thariq gave a defensive reason. He stated the mechanism was designed "to prevent unauthorized resellers from abusing accounts and model distillation," and emphasized that the team has since implemented stronger protective measures and "always intended to take it offline." The relevant PR has been merged, and a full rollback is expected in tomorrow's version (2.1.197).
In February, Anthropic, OpenAI, and Google simultaneously disclosed industrial-scale model distillation attacks. Anthropic specifically accused DeepSeek, Moonshot AI, and MiniMax of using over 24,000 fraudulent accounts generating more than 16 million conversations to train competing models. For these AI giants, preventing distillation and theft is a real pain point.
The problem is that this leak was published by security account @IntCyberDigest on June 30, accompanied by two screenshots of code, directly confirming users were completely unaware. Although Thariq's response was an open admission, the timeline of "online in March, accelerated removal only after exposure" still sparked widespread community doubt.
Anti-distillation has become a major point of attack and defense between the Chinese and US AI camps. Must such measures be fully disclosed? From a business-logic perspective, that is impossible.
FAQs
What exactly did the "spy code" in Claude Code do?
According to the leak and engineer Thariq's admission, Claude Code embedded an experimental mechanism that detects whether the user's timezone is China (Asia/Shanghai, Asia/Urumqi) and whether the proxy hostname matches a Chinese reseller, then uses special Unicode punctuation to stealthily inject into the system prompt markers invisible to humans but parsable by the server.
Why did Anthropic do this? Has it been removed now?
Thariq said the purpose was to prevent unauthorized resellers from abusing accounts and model distillation. In February, Anthropic accused DeepSeek and other Chinese AI companies of using large numbers of fraudulent accounts to distill its models. He stated that the relevant PR has been merged, and the next version (2.1.197) will fully roll back the mechanism.