the-decoder.com web signal

Anthropic to remove Claude Code marker that flagged China users

TL;DR

  • Reddit user LegitMichel777 found Claude Code v2.1.91, released April 2, hid steganographic markers that flagged users on Chinese proxies or timezones.
  • The mechanism tweaked date format and apostrophe characters, and XOR-obfuscated with key 91, was invisible to users but readable by Anthropic.
  • Anthropic's Thariq Shihipar called it a March experiment against unauthorized resellers and distillation, and said the rollback was already planned.

A Reddit user going by LegitMichel777 dug into Claude Code v2.1.91 and found something most developers do not expect from their coding assistant: hidden markers baked into the system prompt that quietly signaled whether the user was routing through a Chinese proxy. The Decoder reported the mechanism was steganographic, meaning the payload rode inside characters that look normal to a human reader but are distinct to a machine reading the prompt back.

The specifics are worth pausing on. The tool checked the local system timezone for Asia/Shanghai or Asia/Urumqi, and scanned any active proxy URL against a list of Chinese domains and known Chinese AI lab domains. If it got a hit, it altered the date format and swapped the apostrophe character in the phrase 'Today's date is' for a visually identical substitute. Portions of the detection code were XOR-obfuscated with the key 91, which is the kind of thing you do when you would rather the string not turn up in a plain text dump.

Anthropic did not deny the mechanism. Thariq Shihipar, who works on Claude Code, described it on X as 'an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation.' He said stronger protections had shipped since, that the team had 'actually been meaning to take this down for a while,' and that removal was scheduled for the next release. Anthropic restricts Claude in China on national security grounds and has previously accused Chinese firms of training competitors on its outputs, so the framing is at least internally consistent with the company's stated posture.

The honest caveat is that the reporting so far leans on one researcher's analysis and Anthropic's own statement, and neither answers the questions a paranoid buyer will actually ask: how many users were flagged, what was done with the signal, and whether similar markers live in other Anthropic products. The more interesting angle for the rest of the market is that independent binary analysis of a closed source coding tool forced a fast public response. That is a new pressure point, and enterprise buyers who care about auditability now have a real story to point at.