Claude Code is steganographically marking requests

What Claude Code is doing

  • Client inspects environment (e.g., ANTHROPIC_BASE_URL, hostname, timezone) for signs of Chinese labs or resellers.
  • If matched, it steganographically encodes that classification into the system prompt using subtle Unicode variants and date formatting.
  • Domain and lab keyword lists are obfuscated in the binary via base64/XOR.
  • This happens client‑side and is not clearly disclosed in UI, docs, or release notes.

Intended purpose & effectiveness

  • Many commenters infer the goal is to detect:
    • Chinese API resellers pooling cheap Claude Code subscriptions.
    • Model distillation by Chinese and other labs.
  • Some see this as “defense in depth” akin to trap streets or anti-cheat: easily bypassed by sophisticated actors but enough to catch sloppy resellers.
  • Others call it “amateur hour”: trivial to evade (change domain, strip the markers) while still burning trust with legitimate users.

Impact on legitimate users

  • Concern that:
    • Normal developers using proxies, corporate gateways, or unsupported regions might be misclassified.
    • Anthropic could silently degrade responses, route to weaker models, or ban accounts based on these tags.
  • Several note there are legitimate reasons to proxy (auditing, filtering secrets, multi-account routing) that could be penalized.

Trust, ethics, and privacy

  • Many view the hidden, obfuscated behavior on user machines as malware‑like and a breach of trust, independent of motive.
  • Others argue it’s a standard anti-abuse measure, comparable to analytics or anti-cheat, and likely covered by existing ToS/privacy language.
  • Legal questions raised: potential consumer fraud if service is silently degraded, GDPR/export-control/EULA issues, even CFAA‑shaped concerns; others dispute that this rises to illegality.

Comparisons & broader reactions

  • Compared to:
    • Trap streets, watermarking, corporate surveillance tooling, and game anti-cheat.
    • Prior Anthropic incidents (Fable’s hidden model degradation, source-map leak) as part of a pattern of “shady” behavior.
  • A noticeable subset of commenters say this reinforces their shift away from Claude Code toward:
    • Open-source or simpler harnesses (pi, Codex, OpenCode, custom agents).
    • Cheaper or open-weight models (GLM, DeepSeek, Qwen, local deployment).
  • Some frame it in geopolitical terms (keeping “superintelligence” from China); others see that framing itself as dangerous and hypocritical.