On June 30, 2026, a developer going by the handle Thereallo did something programmers do all the time — he got suspicious about what a piece of software was really doing on his machine, so he cracked open its source code.
The software in question was Claude Code, Anthropic’s AI-powered coding assistant — an artificial-intelligence colleague that writes code, runs shell commands, and edits files on your behalf. It lives inside a developer’s machine with an unnerving amount of power: it can read your directories, execute terminal commands, and even control your browser.
Thereallo was combing through the source of Claude Code version 2.1.196. Partway through, his hands stopped.
Buried in the program was a feature: every time it sends a request to the AI, it secretly embeds a marker in the text — invisible to the human eye. In plain English: invisible ink. Slipped into a line of the system prompt, with no formal disclosure anywhere.
He wrote up his discovery in a blog post. Six hours later, that post hit 1,284 points and 362 comments on Hacker News, plus 31 votes on Lobsters. The entire tech community lit up.
How Does the Invisible Ink Work?
To understand why this set off alarm bells, you first need to understand how the “invisible ink” operates here.
Every time Claude Code starts working, it sends a line of context to the AI — something like “today’s date is 2026-06-30.” That’s normal. The AI needs to know what day it is to answer time-sensitive questions.
But Thereallo found that before sending that line, the program runs a set of “safety checks.” It first checks whether your machine’s timezone is set to “Shanghai” or “Urumqi.” If not, it then checks whether your network requests are going to a specific URL.
Based on the results, the program quietly alters two things in that date string:
First, it replaces the hyphens ’-’ with slashes ’/’. “2026-06-30” becomes “2026/06/30.”
Second, it swaps the single quotes in the English text for four different Unicode variants. On screen, these quote marks look identical — indistinguishable to the naked eye. But to a computer, they’re four distinct characters, like four different stamps.
Combining the timezone check, URL check, and keyword match results yields four distinct “invisible signatures.” When Anthropic’s servers receive the request, they can identify which channel it came from by reading those invisible characters.
What makes this even more suspicious: the target list is encrypted. The domain list and keyword list aren’t written plainly in the code — they’re hidden behind XOR encryption (a basic cipher) paired with Base64 encoding. After decrypting them, Thereallo found the list includes:
AI lab keywords: deepseek, moonshot, minimax, zhipu, bigmodel, baichuan, stepfun, 01ai, dashscope (Alibaba’s Bailian), volces (ByteDance’s Volcano Engine).
Domain list: even broader — beyond AI companies, it covers Baidu, Alibaba, Ant Group, ByteDance, Kuaishou, Xiaohongshu, JD.com, Bilibili, iFlytek, and numerous other Chinese enterprises, plus a collection of API-resale proxy sites.
In other words, this invisible watermarking system is overwhelmingly aimed at requests originating from China.
Why Would Anthropic Do This?
Before slapping a “sneaky” label on Anthropic, consider their motivation. It’s not mysterious.
Anthropic’s AI model Claude is not officially available in mainland China. The reality, however, is that a massive number of Chinese users access Claude indirectly — through proxies, jump servers, shared accounts, and API resellers. This has created a sprawling gray market. Media reports indicate that resold Claude API access on the Chinese market can go for as little as one-tenth of the official price.
What keeps Anthropic up at night is “model distillation.” The term sounds technical, but the concept is simple: use Claude’s vast trove of Q&A logs to train another AI model — effectively using a master’s portfolio as a textbook to teach an apprentice. In late June 2026, Anthropic publicly accused Alibaba of systematically distilling Claude’s models through 25,000 fake accounts and 28.8 million conversations.
From Anthropic’s perspective: my model is being used as training material by a competitor. My paid service is being undercut and resold by middlemen. Am I not allowed to detect this?
That’s the design intent behind this invisible-marker system — tag requests coming through unofficial channels with an “identifier code” so the backend can distinguish normal traffic from suspicious traffic.
”If We Disclosed It, It Wouldn’t Work” — Is That a Valid Excuse?
Here’s where the problem lies.
Anthropic’s logic chain goes like this: we need to detect abuse → but if we publicly say “we’re detecting abuse,” bad actors will find ways to circumvent detection → so we have to do it quietly.
Sounds reasonable. But one of the highest-voted comments on Hacker News, from user civet_java, drove straight into the weak spot of that logic:
“Just because the service provider has a business need to do this doesn’t mean they can skip transparent disclosure. If honest disclosure would break the scheme, that means the scheme itself is flawed — not the user’s fault.”
The comment drew widespread agreement. It surfaces a fundamental contradiction: an anti-abuse scheme that only works through deception is one whose effectiveness depends on the user not knowing about it. That’s like a supermarket installing hidden cameras in fitting rooms to catch shoplifters — catching shoplifters is legitimate, but the hidden camera itself is an erosion of trust.
An even sharper criticism came from user kiproping, whose slippery-slope warning stood out among the 300+ comments as another top-voted gem:
“First it’s ‘the China threat’ as the justification. Next it’ll be ‘jailbreak users,’ then ‘people who oppose Dario.’ The slope has already started tilting.”
Others immediately piled on:
- “You forgot ‘to protect the children.’”
- “Who’s going to protect China’s internet children?!” (sarcastic)
This chain of comments reads like banter, but it lands squarely on an anxiety many people felt but hadn’t articulated: once a company internalizes the logic that “a worthy goal justifies opaque methods,” that justification’s scope only expands — it never contracts on its own. Today it’s “Chinese competitors are distilling our model, so we hide monitoring code.” Tomorrow it’s “people are using jailbreak prompts to bypass our safety filters, so we hide more monitoring code.” What about the day after?
Who’s Right?
To be fair, Anthropic isn’t fighting a phantom.
I checked the public record: Anthropic is genuinely facing large-scale, systematic abuse. The Chinese API-resale chain is real. Model distillation has moved from theory to practice — it’s being deployed as a commercial competitive weapon. If you ran a store and discovered someone was sneaking goods out the back door every day to open a competing shop next door, the impulse to mark your merchandise would be understandable.
But a Lobsters user named bitshift offered a cooler perspective:
“I don’t think this is as trust-destroying as the original author makes it sound. If you’ve already accepted a closed-source program that runs commands on your machine… I don’t know what to tell you. Anthropic has reputational reasons not to go too far, but choosing Claude Code means you’ve already accepted that bargain.”
This argument has merit — when you hand your house keys to a closed-source program, your claim on “transparency” is already discounted. And Anthropic genuinely didn’t do anything malicious here — it’s just an “anti-abuse tag.” It didn’t steal your code, upload your files, or monitor your behavior.
But the rebuttal is equally strong: trust isn’t a blank check that reads “you already trusted me, so I can do whatever I want.” Precisely because users grant this tool sweeping permissions — read files, execute commands, modify code, access the network — it has an even greater obligation to be transparent with them. Trust is accumulated in the most mundane moments. It’s also lost in them.
The Bigger Question: Who Sets the Rules?
At its core, this controversy touches on a governance vacuum in the AI era:
When AI companies need to protect their commercial interests, how much opacity toward their users is acceptable? Who gets to draw that line?
Right now, the answer is: the AI companies themselves. Anthropic unilaterally decided that “detecting Chinese distribution channels” is a sufficiently important goal. It unilaterally decided that “invisible markers won’t harm users.” It unilaterally decided that “this doesn’t need to be mentioned in the changelog.” The entire process involved no external oversight, no industry standard, no user consent.
But the user is the person running this program on their own machine.
I’m not writing this to conclude that “Anthropic is bad” or that “users are overreacting.” The reason this controversy racked up 1,284 points on Hacker News is precisely that both sides have defensible arguments — Anthropic has real commercial losses to prevent, and users have real grounds to demand transparency.
What’s actually worth thinking about is this: if “honest disclosure would break the scheme” can justify operating in the dark, then any AI company in the future can use the same logic to do anything they deem “necessary” without the user ever knowing. This isn’t alarmism. Last century, tech companies turned “to improve your experience” into a universal pretext for hoovering up private data — we know this script by heart.
Invisible ink isn’t the problem. Not telling anyone the ink exists — that’s the problem.
Image: OG cover from Thereallo’s blog post, illustrating how Claude Code embeds invisible markers in system prompts via Unicode character substitution. Source: thereallo.dev
Reference Links:
- https://thereallo.dev/blog/claude-code-prompt-steganography
- https://news.ycombinator.com/item?id=48734373
- https://lobste.rs/s/qs2sxd/claude_code_is_steganographically
- https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks
- https://www.tomshardware.com/tech-industry/artificial-intelligence/anthropic-claims-that-chinas-alibaba-illicitly-distilled-its-models-from-april-to-june-2026-says-effort-involved-25-000-fake-accounts-and-28-8-million-exchanges-on-claude