Anthropic has spent the last year branding itself as the safety-first AI company. This week, a developer found something inside Claude Code that made a lot of people question that reputation.

A researcher at thereallo.dev published a breakdown showing that Claude Code, Anthropic's popular coding tool, has been quietly embedding invisible markers in the system prompts it sends to the model. The markers encode two things about the user: whether they're running a proxy, and whether their timezone is set to a Chinese timezone. It's been in the app since version 2.1.91, released in March.

The mechanism is small and deliberately hidden. Claude Code swaps a normal apostrophe in the system prompt for one of four visually identical Unicode variants. One flags a known domain. Another flags a lab keyword. A third flags both. The timezone format also shifts when a China timezone is detected. The whole classification lookup is base64-encoded and XOR-scrambled inside the binary, which is what tipped researchers off that this wasn't a normal telemetry feature.

The original discovery came from a Reddit user, LegitMichel777, who runs Claude Code through a proxy to mix models across providers. He noticed his outputs shifting after the update, pulled apart the binary, and found the fingerprinting. The decoded blocklist reads like a list of Anthropic's most vocal critics: DeepSeek, Moonshot, MiniMax, Zhipu, StepFun, 01.AI, plus a long tail of proxy and reseller domains.

An Anthropic employee eventually confirmed the feature on X, calling it "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation."

That reasoning isn't unreasonable on its own. Anthropic has publicly accused exactly those labs of running large-scale distillation campaigns, where a competitor trains its model on Claude's outputs to skip years of research. The company said it caught around 24,000 fraudulent accounts pushing more than 16 million requests through that pipeline. Building some way to spot the bad actors makes sense.

The issue is that this defense quietly tags every user, not just suspicious ones. As the thereallo researcher put it, "This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust." They also flagged the obvious flaw: anyone actually trying to steal Claude's capabilities can change their timezone or patch the binary in about ten minutes. The people who actually get caught are legitimate developers running proxies for normal reasons.

Anthropic pushed out version 2.1.197 to remove the fingerprinting after the disclosure. The changelog didn't mention it.

Security researcher Noah Lebovic, who has done his own critical work on Claude Code, added some fairness to the story, noting this is "a genuinely hard problem and not a diss post; other similar products have similar issues, and Anthropic is just atypically open about sharing security research." Reasonable point. Every frontier lab is scrambling to figure out how to stop their models from being cloned by competitors who paid nothing for the training bill.

Into the Valley

The uncomfortable thing for Anthropic isn't that they built anti-distillation defenses. Everyone is doing that. It's that the entire company is positioned as the transparent one, the responsible one, the lab that tells you what's actually happening inside the product. Slipping invisible markers into a developer tool and hiding them behind XOR encoding is the opposite of that pitch. Anthropic will move past this week fine. But the next time they publish a research post about somebody else's bad behavior, more people are going to remember that when it was their turn to be transparent, they picked the encoded apostrophes instead.