Claude Code was hiding invisible Unicode markers in its system prompt — here's what triggered it
A researcher reverse-engineering the Claude Code binary found it silently encoded proxy-classification signals as look-alike Unicode characters in the 'Today's date is…' line — but only when ANTHROPIC_BASE_URL pointed at a non-Anthropic endpoint. Anthropic says it was an anti-distillation experiment and removed it in v2.1.197 on July 1, 2026.
On June 30, 2026, a researcher publishing at thereallo.dev reverse-engineered the signed Claude Code binary and found it had been silently writing hidden signals into its own system prompt for roughly three months. (Source: The Register, 2026-07-01) The signals were steganographic — encoded as invisible, look-alike Unicode characters that pass as ordinary English text.
Key facts:
- The marking lived in Claude Code, Anthropic’s terminal coding agent — not in the Claude models themselves.
- It only activated when
ANTHROPIC_BASE_URLpointed at a custom, non-Anthropic endpoint (a proxy, gateway, or reseller). - On activation it read the machine’s timezone and the endpoint hostname, then checked the host against ~147 Chinese corporate, cloud, and AI-lab domains plus keywords like “deepseek,” “moonshot,” and “minimax.” (Source: the-decoder, 2026-07-01)
- Those lists were stored XOR- and base64-obfuscated inside the binary.
- The match result was encoded into the
Today's date is…line of the system prompt. - Independent binary analysis confirmed the code in versions 2.1.193, 2.1.195, and 2.1.196, reportedly added in build 2.1.91 (April 2, 2026). (Source: cybersecuritynews.com, 2026-07-01)
- Anthropic removed it in v2.1.197, published July 1, 2026 — with no mention in the changelog.
How the marking worked
Two characters in one sentence carried the payload. The apostrophe in “Today’s” was swapped among look-alike code points (' ' ʼ ʹ), and the date separator flipped between a hyphen and a slash. Different combinations signaled whether the endpoint matched the domain list, an AI-lab keyword, or both:
Today's date is 2026-07-01 ← plain ASCII apostrophe + hyphen
Todayʼs date is 2026/07/01 ← look-alike apostrophe + slash = flagged endpoint
Nothing here is visible in a terminal, a normal log, or a copy-paste. To a downstream classifier watching Anthropic’s API traffic, the two versions are distinct.
Anthropic’s explanation
Thariq Shihipar, who works on Claude Code, addressed it on X: it was “an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation.” He added the team had “landed stronger mitigations since then and we’ve actually been meaning to take this down for a while.” (Source: The Register, 2026-07-01)
That framing lines up with Anthropic’s own February 2026 post on distillation, which describes “fingerprinting tools [that] identify patterns in API traffic” to catch coordinated scraping across accounts. (Source: Anthropic, “Detecting and preventing distillation attacks,” 2026-02-23)
What this means if you’re building with Claude Code
If you run Claude Code straight against anthropic.com, this never touched you — the marker only fired on a custom ANTHROPIC_BASE_URL.
If you route Claude Code through a proxy, gateway, or reseller (common in teams that centralize keys, log spend, or sit behind a corporate egress), then for ~3 months your requests may have carried an invisible classification tag you couldn’t see in any log. Two takeaways:
- Upgrade to 2.1.197 or later — it removes the code. Pin the version if your compliance posture requires knowing exactly what leaves your machine.
- Coding agents are opaque signed binaries. A steganographic side-channel in the system prompt is invisible to request logging and survives copy-paste. If you need auditability, diff binaries across releases and inspect the actual system prompt your agent ships, not just your own inputs.
New to running Claude Code day to day? See our 7-minute Claude Code daily-driver guide for the setup, config, and gotchas.
Sources
- The Register — Anthropic is removing its covert code for catching Chinese competitors (2026-07-01)
- The Decoder — Hidden code in Claude Code secretly flagged Chinese users (2026-07-01)
- CyberSecurityNews — Anthropic’s Claude Code reportedly uses hidden code to detect Chinese users (2026-07-01)
- thereallo.dev — Claude Code is steganographically marking requests (original writeup)
- Anthropic — Detecting and preventing distillation attacks (2026-02-23)
Source: The Register