
On June 30, a security researcher going by the handle Thereallo was inspecting Claude Code’s internals and found something unsettling: Anthropic had quietly embedded a covert fingerprinting system into the system prompts it sends to the AI. The mechanism switches out punctuation marks based on the user’s geographic region and network environment — what you see on screen is an innocuous English date string, but the bytes transmitted to the server carry encoded tracking information.
This isn’t speculation. Thereallo decompiled the code and reverse-engineered the full mechanism. After reading the original article and the community discussion, I want to lay out three things: how this steganographic system actually works, why Anthropic built it, and the full gray-market supply chain behind it all.
1. Invisible Ink in the System Prompt
Every time Claude Code talks to the AI model, it automatically inserts a date string: 「Today’s date is 2026-06-30.」 Under normal circumstances, this is just boilerplate context.
But Thereallo discovered that when a user configures a custom API endpoint — meaning their traffic doesn’t go through Anthropic’s official servers — Claude Code quietly alters two things in that sentence:
First, the date separator. If your system timezone is set to 「Asia/Shanghai」 or 「Asia/Urumqi,」 the date changes from 2026-06-30 to 2026/06/30 — hyphens become slashes.
Second, the apostrophe. That tiny mark in 「Today’s」 switches between four different versions depending on your API endpoint — visually identical on screen, but completely different Unicode codepoints underneath. If you connect directly to Anthropic’s official servers, you get a plain ASCII apostrophe. If your API endpoint is recognized as a 「known reseller domain,」 you get a right single quotation mark (U+2019). If your endpoint contains the name of a Chinese AI company (like deepseek, moonshot, zhipu), you get another variant (U+02BC). Hit both conditions, and you get yet another variant (U+02B9).
To the naked eye, the date on your screen looks perfectly normal. But when Anthropic’s servers receive the request, decoding those bytes reveals: is this user accessing through a reseller proxy? Is that proxy tied to a Chinese AI lab?
What makes this even more striking is the detection logic relies on two hidden blacklists. One is a domain blacklist with 147 entries — ranging from major Chinese enterprise domains (Baidu, Alibaba, ByteDance) to reseller-specific domains like claude-opus.top, openclaude.me, and proxyai.com. The other is a keyword blacklist containing 11 Chinese AI company names including deepseek, moonshot, minimax, zhipu, baichuan, stepfun, and dashscope. Both lists are Base64-encoded and then XOR-encrypted with key 91 — a technique more commonly found in malware than in software from a company that claims 「safety first.」

2. The Three-Layer Resale Pipeline: Why Anthropic Is So Nervous
To understand why Anthropic would embed hidden fingerprints in its code, you first need to see what it’s up against.
Claude’s API is officially blocked in mainland China — Chinese users aren’t allowed to register or use it directly. But Claude is also widely regarded as one of the most capable AI coding assistants, and Chinese developers want access. The supply-demand gap has spawned a massive gray-market business that Chinese developers call 「transfer stations」 (中转站).
Researcher Zilan Qian from the Oxford China Policy Lab published an investigation in May that dissected this supply chain in detail. Based on Qian’s report and subsequent community discussion, I’ll summarize it as a three-layer model:
Layer 1: Subscription pooling arbitrage. Resellers register free developer accounts in bulk, draining Anthropic’s $5 API trial credits; or they take a single $200/month Claude Max subscription and split it across dozens or even hundreds of simultaneous users. Per-user cost gets amortized to near zero. Some go further, using stolen credit cards to create accounts — cost drops to literally zero. This April, Anthropic began requiring some users to upload government-issued photo ID and take a live selfie — but the gray market quickly adapted, recruiting real people in low-income countries to serve as 「face proxies」 for under $30 a pop. That defense has essentially been breached.
Layer 2: Model downgrading and adulteration. Researchers at Germany’s CISPA Helmholtz Center for Information Security audited 17 transfer station services and found rampant bait-and-switch. You’re paying for Claude Opus (the top-tier model), but what you actually receive is Claude Haiku (the cheapest tier) or even domestic Chinese models like Qwen. In one medical benchmark test, a service claiming to provide Gemini-2.5 scored only 37, while the official API scored close to 84. Users think they’re getting top-shelf AI; they’re actually getting a cheap knockoff.
Layer 3: Traffic resale as training data. This is the real profit center of the entire chain. Every prompt a user sends, every code snippet uploaded, every response received — it all passes through the transfer station’s servers, where resellers log everything. Complete reasoning chains, code context, verified outputs — this is the most valuable raw material for training competing AI models. Multiple Chinese developers told Qian: API resale margins are just a customer acquisition tactic; the real business is the logs. On AI model-sharing platform HuggingFace, Claude Opus inference datasets of unknown provenance are already circulating.
This model explains Anthropic’s anxiety. In February 2026, Anthropic publicly accused three Chinese AI companies — DeepSeek, Moonshot AI, and MiniMax — of using over 24,000 fake accounts to generate more than 16 million conversations, systematically distilling Claude’s capabilities to train their own models. This is industrial-scale adversarial action.
3. Anthropic’s Trust Dilemma
Back to that hidden fingerprinting system. Anthropic’s motivation — tracking resellers and distillation attackers — is understandable on its face. Any AI company would want to protect its core technology from systematic theft.
The problem is in the execution.
Claude Code is not a normal chat tool. It has permission to read your filesystem, execute shell commands, operate on Git repositories — it can do far more than a chat window in a browser tab. Users hand over those keys based on a fundamental assumption: the developers of this tool are being straight with them. If it can hide fingerprints in system prompts without telling you, how can you be sure it isn’t doing similar things elsewhere?
Thereallo wrote a line I find hard to disagree with: 「Trust is earned in the boring parts.」 Anthropic could have documented this tracking mechanism in the changelog, made it an explicit telemetry field, and let users know what’s happening and how to opt out. Instead, it chose concealment — Base64-and-XOR-encrypted domain lists, visually imperceptible Unicode substitution, zero mention in any public documentation. This isn’t a malicious feature, but it is a 「strange choice」 — a tool that demands developer trust breaking the transparency baseline first.
And from an engineering standpoint, the effectiveness of this tracking system is itself questionable. Bypassing it is trivially easy: change your system timezone, switch proxy domains, or patch an environment variable. Any determined adversary can defeat it effortlessly. In the end, the system really only flags ordinary developers doing 「normal but unusual」 things — research teams setting up internal gateways, individual users running local proxies.
On July 1, the day after Thereallo’s article went live, Anthropic responded by saying it would remove the mechanism and pushed an updated Claude Code (2.1.197) the same day. But the changelog said nothing about removing hidden markers.
4. Final Thoughts
I’m not writing this to defend resellers, nor to convict Anthropic. Both sides have a coherent logic.
On the reseller side: Claude can’t be legally used in China, but developers genuinely need a capable AI coding assistant. The demand is real, and the gray market is its natural byproduct. Qian’s investigation notes an easily overlooked detail — the users of transfer stations include university students, professors, freelance developers. They just wanted better tools; they didn’t realize they were also becoming data laborers.
On Anthropic’s side: you spend billions developing model capabilities, then competitors use fake accounts to distill them at industrial scale — anyone would try to fight back. And from its perspective, Chinese proxy traffic mixes resale arbitrage with industrial distillation, making precise differentiation genuinely difficult.
But here’s the layer I want readers to notice: in the AI gray market supply chain, API credits aren’t the only thing being commoditized. Every prompt you send, every line of code, every reasoning context — it may all be logged, resold, and fed into training the next AI model. While you’re enjoying that 70% discount, your data is the hidden price you’re paying.
As for the hidden markers in the system prompt, Anthropic removed them. But the episode leaves more questions than it resolves: when a tool that can read and write your entire project starts hiding things, where does trust come from?
References:
- Claude Code Is Steganographically Marking Requests — Thereallo
- Lobsters Discussion
- China’s Grey Market Sells Claude API Tokens at 70–90% Off — AI Weekly
- China’s Claude API Grey Market Sells AI Access at 90% Off — and Your Data Pays the Rest — Memeburn
- Claude Code Hid Proxy Fingerprints in System Prompts — TechTimes
- Anthropic Accuses DeepSeek, Moonshot and MiniMax of Distillation Attacks — CNBC
Cover image credit: TechTimes / Anthropic