Confirmed: Claude Code Secretly Inspects Users, Time Zone and Chinese AI Labs Are Key Factors

marsbitPublished on 2026-07-01Last updated on 2026-07-01

Abstract

Today was a significant day for Anthropic. The company announced the launch of Claude Sonnet 5, described as its most agentic model yet, and separately confirmed that the U.S. Department of Commerce has lifted export controls on its Claude Fable 5 and Mythos 5 models, allowing their distribution to resume. However, a separate controversy has emerged regarding its coding assistant, Claude Code. Developers have exposed that certain versions of the tool allegedly contain hidden code designed to detect specific user data. This code reportedly checks for the use of Chinese time zones (like Asia/Shanghai), the presence of custom API proxy URLs, and connections to domains associated with Chinese tech companies and AI labs. If triggered, this information is said to be encoded into the system prompt sent to the AI cloud, using subtle, nearly indistinguishable variations in characters (like different Unicode apostrophes in the "Today's date" line) as a form of steganography. The core issue is the covert nature of this data collection. While telemetry for security and abuse prevention is common, implementing it through hidden channels within the prompt—without user awareness or documented disclosure—fundamentally breaches trust. This is particularly sensitive for a coding assistant that operates with access to source code and system commands. Following the exposure, an Anthropic engineer acknowledged the code's existence and stated it would be removed in an upcoming release. The incid...

Today, Anthropic had a "double celebration."

On one hand, it released Claude Sonnet 5, "the most Agent-like model to date," with performance close to Opus 4.8.

On the other hand, it announced that the U.S. Department of Commerce has lifted export controls on its Claude Fable 5 and Mythos 5. Anthropic will restore access starting tomorrow and will soon share the latest updates.

According to an agreement signed by U.S. Secretary of Commerce Howard Lutnick, since the issuance of related letters on June 12 and June 26, Anthropic has worked closely with the U.S. government to take measures addressing the risks associated with Claude Mythos 5 and Claude Fable 5.

Anthropic has committed to proactively identifying and addressing security risks that may arise from these models; closely collaborating with the U.S. government on agreements, standards, and release arrangements for Mythos, Fable, and future models; and notifying the U.S. government upon detecting malicious activity.

Based on the actions taken and commitments made by Anthropic, as well as the U.S. Department of Commerce's Bureau of Industry and Security's assessment of the current transfer risks associated with Claude Mythos 5 and Claude Fable 5, the U.S. Department of Commerce has decided to withdraw the control measures outlined in the June 12 letter.

This means that exports, re-exports, domestic transfers, including deemed exports and deemed re-exports, of Claude Mythos 5 and Claude Fable 5 will no longer require a license.

However, the U.S. Department of Commerce reserves the right to reevaluate this decision. If circumstances change, or if Anthropic fails to fulfill its commitments, the Department may reinstate license requirements.

However, for Chinese users, there is little cause for immediate celebration.

On the very same day, the developer community was heatedly discussing another topic: some have discovered that Claude Code collects local proxy and time zone information without user knowledge and embeds this information into the prompts sent to the cloud using "Steganography."

Claude Code Exposed for Using Invisible Code to Tag Chinese Users

Recently, it was exposed that Anthropic secretly embedded a piece of code within Claude Code.

This code automatically detects whether the user is using China's time zone, current network proxy settings, and whether they are connected to environments related to certain Chinese AI labs.

It then embeds this information into the system prompts sent to the AI using steganography.

Chinese users are completely unaware, but Anthropic can use these invisible fingerprints for identification.

A developer first raised questions on Reddit, later publishing a verification report on GitHub claiming to have examined versions 2.1.193, 2.1.195, and 2.1.196 of Claude Code's code, confirming the existence of a hidden mechanism. This mechanism was characterized as a concealed information channel within the system prompt.

Detection Logic

According to the report, Claude Code detects the environment variable ANTHROPIC_BASE_URL. This variable is typically activated when users direct Claude Code to a custom API proxy rather than the official endpoint api.anthropic.com. When a non-official route is detected, the program extracts the proxy domain and reads the user's system time zone, specifically checking if it is Asia/Shanghai or Asia/Urumqi.

Analysis using GLM5.2

The report states that this domain is compared against a decoded list containing 147 entries. The list includes domains of Chinese tech companies and AI labs such as Baidu, Alibaba, Ant Group, ByteDance, Moonshot AI, MiniMax, Stepfun, as well as numerous addresses for Claude resale or API mirror services.

Information Transmission Method

The core of the controversy lies in the path of information transmission.

The report points out that Claude Code does not set up separate telemetry fields to report data. The carrier of the abnormal information is the most inconspicuous phrase in the system prompt: "Today's date is...".

When the system time zone is identified as a Chinese time zone, the date separator changes from a hyphen to a forward slash, for example, 2026-06-30 appears as 2026/06/30. The apostrophe in "Today's date" simultaneously alternates between Unicode characters such as ', ', ʼ, ʹ, which look similar, to mark whether the current request matches entries in the domain list, AI lab keywords, or both. These symbols are difficult to distinguish with the naked eye in regular interfaces.

For ordinary users, the symbols ', ', ʼ, ʹ are almost indistinguishable by eye, which is how this mechanism remained hidden for so long. If the analysis is accurate, every qualifying request carries such an inconspicuous marker upstream.

Controversial Points

Telemetry data collection is common in the software industry. AI companies often have strong motivations to identify user behavior to prevent misuse, curb resale, mitigate sanction risks, and prevent model distillation. From this perspective, it's understandable that Anthropic wants to curb the unauthorized resale of Claude access in the Chinese market.

The controversy lies in the implementation method, not the purpose itself.

For publicly disclosed telemetry mechanisms, developers have full rights to information and choice—they can consult documentation, block specific endpoints, or decide whether to accept certain data collection. However, hiding marker information in the subtle character differences of prompts, which is almost impossible to detect, changes the foundational premise of trust between the user and the tool. For a coding assistant, once such a boundary is crossed, the cost is significant.

Permission Context

Claude Code has a built-in permission system covering operations like file reading, Bash command execution, and file editing. Read-only operations do not require user approval, while operations involving command execution and file modification require permission confirmation.

Anthropic has previously publicly discussed the potential "approval fatigue" issue with Claude Code, acknowledging that most users habitually approve permission requests, and completely disabling permission approval mechanisms is unsafe in most scenarios.

The company's own engineering blog has documented real cases of "agentic misbehavior," including accidental deletion of remote git branches, unintended upload of GitHub tokens, and even attempts to execute migration operations on production databases.

A coding agent operates within a code repository, accessing source code, file structures, project details, and even inadvertently exposed user key information, and is granted permissions to execute commands and modify files. For such a tool, trust is its very foundation.

If the client-side secretly encodes routing metadata into prompts, users naturally have reason to ask: What other information is being recorded in similar ways? Are there other undisclosed detection logics on the client-side? Have any of these behaviors been documented anywhere?

After the exposure, Anthropic technical team member @trq212 responded to the reasons for the code implementation, stating that this code would be removed in a new version released the following day.

Reference Links:

https://news.ycombinator.com/item?id=48734373

https://thereallo.dev/blog/claude-code-prompt-steganography

https://x.com/IntCyberDigest/status/2071971609183678544?s=20

https://www.internationalcyberdigest.com/claude-code-accused-of-hiding-china-proxy-fingerprints-inside-system-prompts/

This article is from the WeChat public account "Machine Heart" (ID: almosthuman2014), author: Focus on AI

Trending Cryptos

Related Questions

QWhat is the main controversy surrounding Claude Code according to the article?

AThe article states that Claude Code was found to secretly collect user information, such as local proxy settings and time zone (specifically targeting Chinese time zones like Asia/Shanghai), and embed this data via steganography into system prompts sent to the cloud, without user knowledge or consent.

QWhat action did the U.S. Department of Commerce take regarding Anthropic's models mentioned in the article?

AThe U.S. Department of Commerce, based on an agreement with Anthropic, decided to withdraw the export control restrictions previously placed on the Claude Mythos 5 and Claude Fable 5 models, meaning these models no longer require a license for export or transfer.

QHow did Claude Code allegedly embed the collected user information into the system prompts?

AIt reportedly embedded the information by altering the punctuation in the system prompt 'Today's date is...'. For instance, the date separator changed from a hyphen to a slash for Chinese time zones, and different, visually similar Unicode characters for the apostrophe (like ', ʼ, ʹ) were used to encode whether the request matched a domain list or AI lab keywords.

QWhat was Anthropic's response to the allegations about Claude Code's hidden data collection?

AAn Anthropic technical team member (@trq212) responded to the reason for the code's implementation and stated that this code would be removed in a new version scheduled for release the following day.

QWhy is the method of data collection in Claude Code considered particularly controversial?

AIt is controversial because the method used steganography to hide the data within seemingly normal system prompts, making it undetectable to users. This breaches trust, as users have no knowledge, choice, or ability to opt-out, unlike with standard, disclosed telemetry practices.

Related Reads

Circle CEO Responds to the OUSD Challenge: Stablecoin is a Winner-Takes-All Business, and We Won't Slow Down

In response to questions about the OUSD stablecoin initiative, Circle CEO Jeremy Allaire argues that the stablecoin market is a "winner-take-most" platform business driven by powerful network effects, and Circle has no plans to slow down. He outlines three key drivers behind USDC's dominant position: 1. **Protocol/Software Layer Network Effects**: The value of a stablecoin network grows as more developers and services integrate it, creating compounding utility and user preference. Circle has spent nearly a decade building this ecosystem with USDC, now accelerated by mainstream adoption and enhanced by software stacks like CCTP and Gateway for interoperability. 2. **Liquidity Network Effects**: Liquidity begets more liquidity. USDC has achieved top-tier global liquidity—ranking among the top three digital assets alongside BTC and USDT—through nearly a decade of building deep primary and secondary market access across regions and venues. 3. **Regulatory and Policy Integration**: Establishing a global stablecoin requires deep regulatory engagement, licensing, and compliance across key markets—a significant, long-term investment where Circle is a leader. Allaire cites Artemis data showing USDC facilitated 80% of all dollar stablecoin on-chain transaction volume in Q1 2026, with USDT at 20% and all others negligible. He addresses OUSD's purported advantages: "free" minting/burning is often not sustainable in practice; redistributing all revenue can starve essential infrastructure investment; and large consortium models historically struggle with inefficiency and slow execution, unlike focused strategic partnerships. He reaffirms Circle's strong ongoing partnership with Coinbase on USDC and notes Circle collaborates with dozens of other stablecoin issuers through its expanding platform (Arc, CCTP, CPN, etc.). While welcoming OUSD to the ecosystem, Allaire asserts that Circle's vast, trusted network and continued investment make USDC the foundational digital dollar infrastructure for the world.

链捕手1m ago

Circle CEO Responds to the OUSD Challenge: Stablecoin is a Winner-Takes-All Business, and We Won't Slow Down

链捕手1m ago

Q2 Crypto Market Review: Did Bitcoin Rise for 'Nothing'? Did Money Flow to AI and On-Chain?

Q2 2026 Crypto Market Recap: Bitcoin's Gains Erased Amid Shift to AI and On-Chain Activity The second quarter of 2026 saw a significant reversal for the cryptocurrency market. Bitcoin gave back all its April gains, ending Q2 down approximately 11%, while major stock indices posted strong gains. This divergence was driven by a hawkish shift in Fed rate expectations, capital rotation into AI stocks, and weakening liquidity channels into crypto. Key demand pillars deteriorated simultaneously. Spot Bitcoin ETFs recorded net outflows of $4.08 billion for the quarter, with outflows dominating June. Crypto treasury entity Strategy's bitcoin accumulation slowed markedly, and the total stablecoin market cap contracted by ~$4.2 billion. This created a tighter liquidity environment. Exchange data reflected the downturn. Spot trading volumes fell 28% quarter-over-quarter. The market underwent significant deleveraging, with $8.35 billion in long liquidations for BTC and ETH, primarily in late May/early June. Open interest and order book liquidity also declined. Despite the bearish price action, structural developments point to an expanding on-chain ecosystem. These include the rise of tokenized stocks with full legal rights, the growth of RWA (real-world asset) perpetual contracts for trading stocks and commodities 24/7, and the use of crypto markets for price discovery ahead of major events like the SpaceX IPO. On-chain vaults are also emerging as a core layer for institutional capital allocation.

Foresight News20m ago

Q2 Crypto Market Review: Did Bitcoin Rise for 'Nothing'? Did Money Flow to AI and On-Chain?

Foresight News20m ago

Xing Bo Strikes Again: Last Time 'Critiquing' World Models, This Time It's Agents' Turn

Xing Bo, President of MBZUAI and professor at Carnegie Mellon University, along with co-authors Mingkai Deng and Jinyu Hou, has released a new paper, "Critique of Agent Model," critiquing the current state of artificial intelligence agents. The paper draws a crucial distinction between "agentic" systems, which rely on external toolchains, prompts, and workflows, and truly "agentive" systems capable of genuine autonomy driven by internal decision-making structures. To illustrate this, it references a real-world incident where an AI programming assistant, following an external prompt but lacking internalized judgment, caused a catastrophic data deletion. The authors propose a detailed analysis and a new framework, "Goal-Identity-Configurator" (GIC), for building truly autonomous agents. This framework systematically addresses five key dimensions where current "Agent" designs fall short: 1. **Goal:** Moving from step-by-step human instruction to a system capable of autonomously decomposing a single long-term goal and adapting sub-goals based on new information. 2. **Identity:** Evolving self-assessment updated by experience, rather than a static description in a system prompt. 3. **Decision Making:** Replacing textual Chain-of-Thought reasoning with "simulative reasoning" that uses a dedicated world model to predict real-world consequences before selecting actions. 4. **Cognitive Control:** Introducing a separate "System III" metacognitive module that dynamically decides when to deliberate, stick to a plan, or act quickly. 5. **Learning:** Enabling "continual autonomous learning," where the agent itself decides when to act, practice in simulation, or update its world model and self-perception. The GIC architecture integrates six components—a belief encoder, goal decomposer, identity evolver, configurator (System III), simulation-based planner (System II), and executor (System I)—to embody these principles. The paper argues that a growth path akin to pilot training (ground theory, simulator practice, real deployment) should be underpinned by a unified cognitive architecture, not separate workflows. On safety, the authors contend that the GIC framework's modular, explicit design enhances inspectability, allowing problematic behavior to be traced to specific components (e.g., flawed goal or poorly trained module) rather than emerging opaquely. However, they acknowledge that ultimate safety depends on correctly training these modules in the first place. In conclusion, the paper challenges the loose application of the term "Agent," asserting that task completion alone does not equal true autonomy. True autonomy requires goals, identity, and judgment to be genuinely internalized within the agent's architecture, not merely enforced by external scripts.

marsbit1h ago

Xing Bo Strikes Again: Last Time 'Critiquing' World Models, This Time It's Agents' Turn

marsbit1h ago

Trading

Spot

Hot Articles

Discussions

Welcome to the HTX Community. Here, you can stay informed about the latest platform developments and gain access to professional market insights. Users' opinions on the price of AI (AI) are presented below.

活动图片