Confirmed: Claude Code Secretly Inspects Users, Time Zone and Chinese AI Labs Are Key Factors

marsbit | Published 2026-07-01 | Updated 2026-07-01

Article Summary

Today was a significant day for Anthropic. The company announced the launch of Claude Sonnet 5, described as its most agentic model yet, and separately confirmed that the U.S. Department of Commerce has lifted export controls on its Claude Fable 5 and Mythos 5 models, allowing their distribution to resume. However, a separate controversy has emerged regarding its coding assistant, Claude Code. Developers have exposed that certain versions of the tool allegedly contain hidden code designed to detect specific user data. This code reportedly checks for the use of Chinese time zones (like Asia/Shanghai), the presence of custom API proxy URLs, and connections to domains associated with Chinese tech companies and AI labs. If triggered, this information is said to be encoded into the system prompt sent to the AI cloud, using subtle, nearly indistinguishable variations in characters (like different Unicode apostrophes in the "Today's date" line) as a form of steganography. The core issue is the covert nature of this data collection. While telemetry for security and abuse prevention is common, implementing it through hidden channels within the prompt—without user awareness or documented disclosure—fundamentally breaches trust. This is particularly sensitive for a coding assistant that operates with access to source code and system commands. Following the exposure, an Anthropic engineer acknowledged the code's existence and stated it would be removed in an upcoming release. The incid...

Today, Anthropic had a "double celebration."

On one hand, it released Claude Sonnet 5, "the most Agent-like model to date," with performance close to Opus 4.8.

On the other hand, it announced that the U.S. Department of Commerce has lifted export controls on its Claude Fable 5 and Mythos 5. Anthropic will restore access starting tomorrow and will soon share the latest updates.

According to an agreement signed by U.S. Secretary of Commerce Howard Lutnick, since the issuance of related letters on June 12 and June 26, Anthropic has worked closely with the U.S. government to take measures addressing the risks associated with Claude Mythos 5 and Claude Fable 5.

Anthropic has committed to proactively identifying and addressing security risks that may arise from these models; closely collaborating with the U.S. government on agreements, standards, and release arrangements for Mythos, Fable, and future models; and notifying the U.S. government upon detecting malicious activity.

Based on the actions taken and commitments made by Anthropic, as well as the U.S. Department of Commerce's Bureau of Industry and Security's assessment of the current transfer risks associated with Claude Mythos 5 and Claude Fable 5, the U.S. Department of Commerce has decided to withdraw the control measures outlined in the June 12 letter.

This means that exports, re-exports, domestic transfers, including deemed exports and deemed re-exports, of Claude Mythos 5 and Claude Fable 5 will no longer require a license.

However, the U.S. Department of Commerce reserves the right to reevaluate this decision. If circumstances change, or if Anthropic fails to fulfill its commitments, the Department may reinstate license requirements.

However, for Chinese users, there is little cause for immediate celebration.

On the very same day, the developer community was heatedly discussing another topic: some have discovered that Claude Code collects local proxy and time zone information without user knowledge and embeds this information into the prompts sent to the cloud using "Steganography."

Claude Code Exposed for Using Invisible Code to Tag Chinese Users

Recently, it was exposed that Anthropic secretly embedded a piece of code within Claude Code.

This code automatically detects whether the user is in a Chinese time zone, what the current network proxy settings are, and whether the user is connected to environments related to certain Chinese AI labs.

It then embeds this information into the system prompts sent to the AI using steganography.

Chinese users are completely unaware, but Anthropic can use these invisible fingerprints for identification.

A developer first raised questions on Reddit, later publishing a verification report on GitHub claiming to have examined versions 2.1.193, 2.1.195, and 2.1.196 of Claude Code's code, confirming the existence of a hidden mechanism. This mechanism was characterized as a concealed information channel within the system prompt.

Detection Logic

According to the report, Claude Code checks the environment variable ANTHROPIC_BASE_URL. This variable is typically set when users point Claude Code at a custom API proxy rather than the official endpoint api.anthropic.com. When a non-official route is detected, the program extracts the proxy domain and reads the user's system time zone, specifically checking whether it is Asia/Shanghai or Asia/Urumqi.

[Image: analysis using GLM5.2]

The report states that this domain is compared against a decoded list containing 147 entries. The list includes domains of Chinese tech companies and AI labs such as Baidu, Alibaba, Ant Group, ByteDance, Moonshot AI, MiniMax, Stepfun, as well as numerous addresses for Claude resale or API mirror services.

Information Transmission Method

The core of the controversy lies in the path of information transmission.

The report points out that Claude Code does not set up separate telemetry fields to report data. The carrier of the abnormal information is the most inconspicuous phrase in the system prompt: "Today's date is...".

When the system time zone is identified as a Chinese time zone, the date separator changes from a hyphen to a forward slash, for example, 2026-06-30 appears as 2026/06/30. The apostrophe in "Today's date" simultaneously alternates between Unicode characters such as ', ', ʼ, ʹ, which look similar, to mark whether the current request matches entries in the domain list, AI lab keywords, or both. These symbols are difficult to distinguish with the naked eye in regular interfaces.

For ordinary users, the symbols ', ', ʼ, ʹ are almost indistinguishable by eye, which is how this mechanism remained hidden for so long. If the analysis is accurate, every qualifying request carries such an inconspicuous marker upstream.
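A defender-side check for the channel described above, as an added example that is not from the article or the cited report: it takes a captured system prompt and reports the exact code points used for the apostrophe and date separators in the "Today's date" line, plus a count of every non-ASCII character as a broader sweep. The sample prompts are constructed, and treating an ASCII apostrophe with hyphen separators as the baseline is an assumption.

```python
import re
import unicodedata

# "Today<any char>s date is YYYY<sep>MM<sep>DD": the apostrophe and the date
# separators are captured loosely so that look-alike variants are not missed.
DATE_LINE = re.compile(r"Today(.)s date is \d{4}(\D)\d{2}(\D)\d{2}")

def describe(ch: str) -> str:
    """Render a character as 'U+XXXX NAME' so look-alikes become distinct."""
    return f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"

def audit_date_line(prompt: str) -> list[dict]:
    """Report the exact code points used in each 'Today's date' line."""
    findings = []
    for m in DATE_LINE.finditer(prompt):
        apostrophe, sep1, sep2 = m.groups()
        findings.append({
            "line": m.group(0),
            "apostrophe": describe(apostrophe),
            "separators": [describe(sep1), describe(sep2)],
            # Assumed baseline: ASCII apostrophe and hyphen separators.
            "deviates": apostrophe != "'" or sep1 != "-" or sep2 != "-",
        })
    return findings

def non_ascii_inventory(prompt: str) -> dict[str, int]:
    """Count every non-ASCII character to surface other character-level marks."""
    counts: dict[str, int] = {}
    for ch in prompt:
        if ord(ch) > 0x7F:
            key = describe(ch)
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample prompts (not captured traffic).
SAMPLES = {
    "baseline": "You are a coding assistant.\nToday's date is 2026-06-30.",
    "slash_and_modifier": "You are a coding assistant.\nToday\u02bcs date is 2026/06/30.",
    "prime_only": "You are a coding assistant.\nToday\u02b9s date is 2026-06-30.",
}

if __name__ == "__main__":
    for name, prompt in SAMPLES.items():
        print(name, audit_date_line(prompt), non_ascii_inventory(prompt))
```

Run it over prompts captured at your own proxy or logging layer; any line where `deviates` is true, or any unexpected entry in the inventory, is worth diffing against a known-clean request.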

Controversial Points

Telemetry data collection is common in the software industry. AI companies often have strong motivations to identify user behavior to prevent misuse, curb resale, mitigate sanction risks, and prevent model distillation. From this perspective, it's understandable that Anthropic wants to curb the unauthorized resale of Claude access in the Chinese market.

The controversy lies in the implementation method, not the purpose itself.

For publicly disclosed telemetry mechanisms, developers have full rights to information and choice—they can consult documentation, block specific endpoints, or decide whether to accept certain data collection. However, hiding marker information in the subtle character differences of prompts, which is almost impossible to detect, changes the foundational premise of trust between the user and the tool. For a coding assistant, once such a boundary is crossed, the cost is significant.

Permission Context

Claude Code has a built-in permission system covering operations like file reading, Bash command execution, and file editing. Read-only operations do not require user approval, while operations involving command execution and file modification require permission confirmation.

Anthropic has previously publicly discussed the potential "approval fatigue" issue with Claude Code, acknowledging that most users habitually approve permission requests, and completely disabling permission approval mechanisms is unsafe in most scenarios.

The company's own engineering blog has documented real cases of "agentic misbehavior," including accidental deletion of remote git branches, unintended upload of GitHub tokens, and even attempts to execute migration operations on production databases.

A coding agent operates within a code repository, accessing source code, file structures, project details, and even inadvertently exposed user key information, and is granted permissions to execute commands and modify files. For such a tool, trust is its very foundation.

If the client secretly encodes routing metadata into prompts, users naturally have reason to ask: What other information is being recorded in similar ways? Is there other undisclosed detection logic on the client side? Have any of these behaviors been documented anywhere?

After the exposure, Anthropic technical team member @trq212 addressed the reasons for the code's implementation and stated that this code would be removed in a new version released the following day.

Reference Links:

https://news.ycombinator.com/item?id=48734373

https://thereallo.dev/blog/claude-code-prompt-steganography

https://x.com/IntCyberDigest/status/2071971609183678544?s=20

https://www.internationalcyberdigest.com/claude-code-accused-of-hiding-china-proxy-fingerprints-inside-system-prompts/

This article is from the WeChat public account "Machine Heart" (ID: almosthuman2014), author: Focus on AI

Related Q&A

Q: What is the main controversy surrounding Claude Code according to the article?

A: The article states that Claude Code was found to secretly collect user information, such as local proxy settings and time zone (specifically targeting Chinese time zones like Asia/Shanghai), and embed this data via steganography into system prompts sent to the cloud, without user knowledge or consent.

Q: What action did the U.S. Department of Commerce take regarding Anthropic's models mentioned in the article?

A: The U.S. Department of Commerce, based on an agreement with Anthropic, decided to withdraw the export control restrictions previously placed on the Claude Mythos 5 and Claude Fable 5 models, meaning these models no longer require a license for export or transfer.

Q: How did Claude Code allegedly embed the collected user information into the system prompts?

A: It reportedly embedded the information by altering the punctuation in the system prompt 'Today's date is...'. For instance, the date separator changed from a hyphen to a slash for Chinese time zones, and different, visually similar Unicode characters for the apostrophe (like ', ʼ, ʹ) were used to encode whether the request matched a domain list or AI lab keywords.

Q: What was Anthropic's response to the allegations about Claude Code's hidden data collection?

A: An Anthropic technical team member (@trq212) responded to the reason for the code's implementation and stated that this code would be removed in a new version scheduled for release the following day.

Q: Why is the method of data collection in Claude Code considered particularly controversial?

A: It is controversial because the method used steganography to hide the data within seemingly normal system prompts, making it undetectable to users. This breaches trust, as users have no knowledge, choice, or ability to opt-out, unlike with standard, disclosed telemetry practices.
