Skip to content
gentic.news — AI News Intelligence Platform
Connecting to the Living Graph…

Listen to today's AI briefing

Daily podcast — 5 min, AI-narrated summary of top stories

A developer's terminal window showing Claude Code interface with highlighted system prompt text, revealing hidden…
Policy & EthicsBreakthroughScore: 82

Claude Code Steganography Flagged Chinese Users; Anthropic Rolls Back

Anthropic's Claude Code 2.1.91 used steganography to detect Chinese users. After Reddit exposure, Anthropic rolled back the feature, calling it an experiment against model distillation.

·21h ago·4 min read··14 views·AI-Generated·Report error
Share:
Source: the-decoder.comvia the_decoder, gn_ai_fundingCorroborated
How did Claude Code secretly detect Chinese users and why did Anthropic roll it back?

Anthropic is removing a covert monitoring feature in Claude Code 2.1.91 that used steganography to detect Chinese users. The feature, exposed on Reddit, encoded location data via invisible system prompt changes. Anthropic called it an experiment and merged a rollback PR.

TL;DR

Claude Code 2.1.91 hid Chinese user detection in system prompt. · Anthropic called it an experiment; rolled back after Reddit exposure. · XOR-encrypted signals swapped apostrophes to encode location data.

Anthropic's Claude Code 2.1.91, released April 2, 2026, secretly embedded Chinese user detection via steganography in its system prompt. The feature, exposed by Reddit user LegitMichel777, swapped apostrophes and date formats to encode location data invisible to users.

Key facts

Anthropic is removing a covert monitoring feature from its programming tool Claude Code after it sparked outrage on social media. According to The Decoder, a Reddit post by user LegitMichel777 first exposed the feature, which has been secretly checking since version 2.1.91 whether users with an active proxy are located in China, routing through a Chinese URL, or connected to a Chinese AI lab.

The data gets transmitted through barely perceptible changes to the system prompt, a form of steganography. Claude Code compares the system timezone against "Asia/Shanghai" or "Asia/Urumqi" and scans the proxy URL for Chinese domains and AI labs. Based on the results, the software tweaks the date format and swaps in a subtly different apostrophe character in the phrase "Today's date is." Users can't see the difference. Anthropic can read it instantly.

According to LegitMichel777, Anthropic also obfuscated the code using XOR encryption with key 91, keeping it from showing up in a simple text dump. The release notes for version 2.1.91 made no mention of the check.

The discoverer called the covert transmission of system and proxy data without user knowledge "a fundamental violation of user trust." Since Claude Code has full filesystem and shell access, this would open the door to all kinds of abuse, from remote control to data exfiltration. He also argued that the check is trivial for skilled attackers to bypass, calling its usefulness into question.

Key Takeaways

  • Anthropic's Claude Code 2.1.91 used steganography to detect Chinese users.
  • After Reddit exposure, Anthropic rolled back the feature, calling it an experiment against model distillation.

Anthropic calls it an experiment

Anthropic employee Thariq Shihipar, who works on the Claude Code team, described the feature on X as "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation." The team had since shipped stronger protections: "The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while." They had merged the corresponding pull request: "We merged the PR and this should be fully rolled back in tomorrow's release."

Anthropic doesn't offer its models in China for national security reasons. Still, many Chinese developers access Claude through foreign phone numbers and credit cards. Anthropic had previously accused DeepSeek, Moonshot AI, MiniMax, and Alibaba of using Claude model outputs without permission to train their own language models.

The steganographic approach mirrors techniques more common in adversarial ML research than production deployment. By embedding signals into invisible formatting changes, Anthropic created a detection mechanism that bypasses standard transparency measures — and that its own team admits was easy to bypass. The incident raises questions about how much monitoring AI coding agents with shell access should perform without explicit user consent.

What to watch

Watch for the next Claude Code release to confirm the rollback is complete. Also track whether Anthropic discloses any future monitoring experiments in release notes — and whether regulators in the EU or China probe the data transmission practice.

Image description


Source: the-decoder.com


Sources cited in this article

  1. LegitMichel777
Source: gentic.news · · author= · citation.json

AI-assisted reporting. Generated by gentic.news from 2 verified sources, fact-checked against the Living Graph of 4,300+ entities. Edited by Ala SMITH.

Following this story?

Get a weekly digest with AI predictions, trends, and analysis — free.

AI Analysis

The steganographic detection in Claude Code is a rare glimpse into how AI companies actually enforce geographic restrictions — through invisible, user-hostile mechanisms rather than transparent access controls. Anthropic's rationale — preventing account abuse and distillation — is legitimate, but the implementation was structurally dangerous. Claude Code has full filesystem and shell access, meaning any covert data transmission channel could be exploited by attackers. The XOR encryption (key 91) is laughably weak; the detection itself was trivial to bypass. This suggests the feature was designed more for plausible deniability than actual security. Comparing to prior art: similar steganographic techniques have been used in adversarial ML to hide backdoors in model weights, but embedding them in a production coding agent's prompt is novel — and reckless. The incident also highlights the tension between Anthropic's safety-first branding and its willingness to deploy surveillance features without user consent. It's a pattern: Anthropic voluntarily suspended Claude Mythos under regulatory pressure last month, and now this. The rollback is the right call, but the damage to trust is real. Developers who rely on Claude Code for sensitive work will now wonder what else might be hidden in the prompt. The company should publish a postmortem detailing what data was collected, how it was stored, and whether any third parties accessed it.
Compare side-by-side
Anthropic vs DeepSeek
Enjoyed this article?
Share:

AI Toolslive

Five one-click lenses on this article. Cached for 24h.

Pick a tool above to generate an instant lens on this article.

Related Articles

From the lab

The framework underneath this story

Every article on this site sits on top of one engine and one framework — both built by the lab.

More in Policy & Ethics

View all