Anthropic added hidden steganographic code to Claude Code starting in version 2.1.91 (April 2, 2026) that silently fingerprinted users connecting via China linked API proxies by encoding their timezone, proxy route, a... The hidden code scandal is one of three simultaneous Anthropic China crises: the discovery (June...

Create a landscape editorial hero image for this Studio Global article: Search & fact-check with cited sources for What hidden code did Anthropic add to Claude Code starting in version 2.1.86 to fingerprint China. Article summary: ## The Hidden Code in Claude Code. Topic tags: general, general web, user generated, news. Style: premium digital editorial illustration, source-backed research mood, clean composition, high detail, modern web publication hero. Use reference image context only for broad subject, composition, and topical grounding; do not copy the exact image. Avoid: logos, brand marks, copyrighted characters, real person likenesses, fake screenshots, UI text, readable text, watermarks, charts with fake numbers, clickbait thumbnails, icons, and tiny thumbnail layouts. Make it useful as an illustrative visual, not as factual evidence.
On June 30, 2026, developer and researcher AdnaneKhan published a verified analysis showing that Anthropic had embedded hidden, steganographic fingerprinting code in Claude Code that silently identified users linked to China . The discovery set off a firestorm—the initial X post from @IntCyberDigest drew over 1.5 million views in 24 hours
—and forced Anthropic to acknowledge and roll back the feature, which it called an "anti-abuse experiment." But the hidden-code scandal is only one piece of an extraordinary three-front conflict between Anthropic and China that erupted in a single week in June 2026, also involving a major distillation accusation against Alibaba and the U.S. government's ban and unban of Anthropic's most powerful AI models.
Here is what happened, how the hidden code worked, and why all three events are connected.
The hidden mechanism was introduced starting in v2.1.91 (released April 2, 2026). An earlier accidental source-code leak in v2.1.88 (March 31, 2026)—an included .map debug file exposing ~512,000 lines of TypeScript—had first revealed compile-time flags like ANTI_DISTILLATION_CC suggesting such a system existed . The public controversy erupted on June 30, 2026, when the analysis was published and independently verified
.
The mechanism performed three steps entirely on the client side, without any user notification :
Environment probing. Claude Code checked the ANTHROPIC_BASE_URL environment variable. If it pointed to a non-official endpoint—for example, a third-party API relay or a "China Transfer Station" proxy—the code compared the endpoint against a hardcoded, obfuscated list of 147 Chinese tech company domains: Baidu, Alibaba, Ant Group, ByteDance, Moonshot AI (Kimi), MiniMax, StepFun, and others . The domain list was disguised using Base64 encoding and XOR obfuscation with key 91, making it difficult to find with ordinary string-search tools
.
Encoding into the system prompt. Once a China-linked proxy was identified, the code silently altered the system prompt sent to Anthropic's servers on every subsequent request. It changed a single, boring line—"Today's date is 2026-06-30."—through subtle character substitutions and date-formatting changes to encode the user's timezone, proxy route, and likely AI-lab affiliation . This is a steganographic method: it hides data in plain sight so that the model (and Anthropic's servers) can read it but the user cannot.
Invisible to the user. The entire process happened with zero UI indication, no logging visible to the end user, and no disclosure in release notes or documentation . Multiple independent analysts confirmed the mechanism was real, describing it as a "covert channel" inside the system prompt
. The broader
ANTI_DISTILLATION_CC flag visible in the earlier source leak instructed Anthropic's API to silently inject anti-distillation watermarks into responses, suggesting this was part of a broader anti-abuse framework .
After the controversy erupted, Anthropic acknowledged the feature and began rolling it back . The company characterized it as an "anti-abuse experiment" intended to combat the widespread gray-market API proxies—known in the Chinese developer community as "Zhongzuanzhan" or "China Transfer Stations"—that let Chinese developers access Claude at roughly 10% of the official price through unauthorized relays
. Anthropic stated the goal was to detect and block distillation and unauthorized access, not to spy on users. Critics, however, called it "spyware-like code" and raised major concerns about privacy, transparency, and the ethics of covert user fingerprinting
.
Just one week before the Claude Code leak went public, Anthropic sent a letter to the U.S. Congress alleging that Alibaba and its Qwen AI lab ran the largest known "distillation" attack against Claude. According to the letter, reviewed by multiple news outlets, operators affiliated with Alibaba used ~25,000 fraudulent accounts to conduct ~28.8 million interactions with Claude from April 22 to June 5, 2026, systematically extracting model capabilities to train their own rival models . Anthropic described this as a "brazen" and "unlawful" campaign
. This accusation directly explains why Anthropic built the steganographic fingerprinting—it was a defensive measure against the exact kind of mass extraction it was simultaneously accusing Alibaba of running.
This was not Anthropic's first accusation of Chinese distillation. In February 2026, Anthropic had accused DeepSeek, Moonshot AI, and MiniMax of setting up more than 24,000 fake accounts and generating more than 16 million exchanges with Claude . The Alibaba accusation was the largest yet.
On June 12, 2026, the U.S. Commerce Department, under the Export Administration Regulations (EAR), ordered Anthropic to immediately disable its two most advanced models—Claude Fable 5 and Claude Mythos 5—launched just three days earlier. The government cited national security concerns over a claimed jailbreak . Anthropic complied, suspending both models worldwide because it could not reliably distinguish foreign nationals from domestic users in real time
.
Then on June 30, 2026—the same day the Claude Code controversy erupted—the Trump administration lifted the export controls, and Anthropic began restoring Fable 5 and Mythos 5 .
These events form a coherent pattern across a single extraordinary week:
Anthropic CEO Dario Amodei has repeatedly flagged Chinese access to American frontier AI models as an existential threat to U.S. national security , and the hidden-code controversy suggests the company has been willing to go to extraordinary lengths—covertly and without user consent—to defend against it.
Studio Global AI
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
Anthropic added hidden steganographic code to Claude Code starting in version 2.1.91 (April 2, 2026) that silently fingerprinted users connecting via China linked API proxies by encoding their timezone, proxy route, a...
Anthropic added hidden steganographic code to Claude Code starting in version 2.1.91 (April 2, 2026) that silently fingerprinted users connecting via China linked API proxies by encoding their timezone, proxy route, a... The hidden code scandal is one of three simultaneous Anthropic China crises: the discovery (June 30) coincided with the U.S.