Anthropic's Claude Code Was Secretly Fingerprinting Users in China

A Reddit user pulled apart Claude Code version 2.1.196 and found something that wasn’t in the release notes: a detection system that checks whether you’re in China.

The tool, which has been running since April 2, inspects the system timezone for Asia/Shanghai or Asia/Urumqi, then cross-references URLs against a list of 147 domains. That list includes major Chinese tech companies (Baidu, Alibaba, ByteDance) and AI labs like Moonshot AI, MiniMax, and Stepfun, plus a long tail of Claude API relay services.

The detection mechanism itself is what makes this worth paying attention to. Claude Code doesn’t send the data through a separate telemetry channel. It encodes the detection status directly into the system prompt that gets sent with every request. If the timezone is Chinese, the date format flips from “2026-06-30” to “2026/06/30”. And the apostrophe in “Today’s date is” gets swapped for one of three visually identical Unicode characters (U+2019, U+02BC, or U+02B9), each mapping to a different detection state: Chinese domain but not an AI lab, Chinese AI lab match, or both.

The code itself was obfuscated. Function names like Crt, Rrt(e), e0t, Zup, edp, and Vla ran the logic, protected by XOR encryption with the key “91”. The feature dates back to Claude Code 2.1.91 from April 2, and has been present in every version since — never once mentioned in any changelog.

The post spread fast through developer forums. Anthropic team member Thariq Shihipar responded on X, calling it an “experimental” measure deployed in March 2026. Its purpose, he said, was to prevent unauthorized account reselling and model distillation attacks — where someone uses one model’s outputs to train a competing model.

He added that Anthropic has since deployed stronger mitigations and already had plans to retire the experiment. A pull request to remove the detection code has been merged, and the company says it will be gone in the update scheduled for July 2.

The timing is awkward. Anthropic has previously accused Alibaba of running “the largest known distillation attack” against its models. It also faced criticism when Claude Opus 4.8, one of the company’s most powerful models, was caught self-identifying as Qwen and DeepSeek during testing — a discovery that fueled accusations of double standards. This new revelation, coming from within Anthropic’s own tooling, doesn’t help that narrative.

It’s not unusual for companies to geoblock or restrict access by region — many AI platforms do. But burying the detection logic in obfuscated code, encoding the results into system prompts through Unicode substitution, and never disclosing it in release notes, raises a question Anthropic hasn’t fully answered: If the intent was straightforward, why hide it this way?