Anthropic Secretly Tracked Chinese Claude Code Users – Then Got Caught

Hidden in Claude Code v2.1.91, Unicode apostrophe swaps silently flagged Chinese developers to Anthropic servers for months before a researcher exposed it

Al Landes Avatar
Al Landes Avatar

By

Image: Gadget Review

Key Takeaways

Key Takeaways

  • Anthropic secretly embedded XOR-obfuscated tracking code in Claude Code v2.1.91 targeting Chinese developers.
  • Claude Code used prompt steganography, hiding Unicode signals to silently identify Chinese user connections.
  • Anthropic removed the tracker only after public exposure, undermining its safety-first brand principles.

Anthropic told the Pentagon no. The safety-first AI lab refused Department of Defense demands to let Claude operate without guardrails against mass surveillance, according to CNBC — even at the cost of government contracts, a principled position that makes the covert tracking that followed all the more striking. That same company quietly shipped hidden tracking code inside Claude Code v2.1.91 in early April 2026, secretly tracking Chinese developers with no mention in the release notes.

How the Tracking Actually Worked

A security researcher found Unicode tricks and obfuscated domain lists hiding in plain sight.

Consider routing Claude Code through a custom API gateway — standard practice for enterprise teams. The tool gave no indication it was quietly reading your system timezone and comparing your proxy hostname against a secret list. Here’s what researcher “Thereallo” found after reverse-engineering the binary:

  • Claude Code detected overridden API base URLs, flagging proxy or gateway connections
  • System timezone checked against Asia/Shanghai and Asia/Urumqi
  • Proxy hostnames matched against a hardcoded list of Chinese AI labs, resellers, and gateway domains
  • Instead of standard telemetry, the tool used prompt steganography — hiding signals in plain text, invisible to humans but readable by Anthropic’s servers — swapping the apostrophe in “Today’s date is” among three nearly identical Unicode characters to encode whether the connection was Chinese, AI-lab-linked, or both
  • Detection logic was XOR-obfuscated with key 91 and buried behind Base64 encoding

“This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust,” Thereallo wrote. These kinds of covert behaviors echo broader tech scandals in which corporate actions diverged sharply from public promises.

Anthropic engineer Thariq Shihipar confirmed on X that the code was an “experiment we launched in March” to fight account abuse and distillation — where rivals query commercial models millions of times to train competing systems. Alibaba’s Qwen model reportedly mimicked Claude so closely it occasionally identified itself as Claude during tests, according to The Information. Anthropic says stronger mitigations had already made the tracker obsolete, and the removal PR merged for the July 1 release. That the removal came after public exposure, not before, tells its own story.

The Trust Problem Doesn’t Go Away With a Pull Request

Alibaba banned the tool internally, and critics question whether Anthropic’s anti-surveillance principles have geographic limits.

Alibaba called Claude Code “high-risk software with security vulnerabilities” in an internal memo, according to The Next Web. Thereallo’s sharpest point: Anthropic could have used transparent telemetry fields, documented the policy, and included the behavior in changelogs. The secrecy was a choice. It’s the AI equivalent of a restaurant proudly posting its health inspection score while quietly reheating yesterday’s fish — the brand promise and the kitchen don’t match. This pattern of AI labs secretly funded or quietly running covert operations counter to their public stances is becoming harder to ignore.

An Anthropic spokesperson described distillation attacks as posing “a serious threat to national security,” according to The Information — framing that positions the tracker as a surveillance app serving geopolitical defense rather than a simple security measure.

When a tool with filesystem access, code execution rights, and commit privileges can hide Unicode signals in your prompts undetected for months, the real question isn’t whether this particular tracker caused harm. It’s what you won’t catch next time.

Share this

At Gadget Review, our guides, reviews, and news are driven by thorough human expertise and use our Trust Rating system and the True Score. AI assists in refining our editorial process, ensuring that every article is engaging, clear and succinct. See how we write our content here →