Anthropic's Claude Code Secretly Checks Users for China Proxies and AI Lab Affiliations
Anthropic’s Claude Code has been exposed for secretly tracking whether users are using a proxy to access services from China, using obfuscated binary code to covertly transmit infrastructure and location data upstream through invisible system prompt alterations.
July 01, 2026 Ahmet Koçak

Ahmet Koçak
Editor
Anthropic’s Claude Code developer tool secretly checks whether users have enabled a proxy, covertly transmitting location and infrastructure data upstream through invisible alterations to the system prompt, according to technical analysis verified by GitHub documentation.
The obfuscated logic embedded within the Claude Code binary evaluates whether a user is operating from China, routing through a Chinese URL, or affiliated with a Chinese artificial intelligence laboratory.
Obfuscated Infrastructure Analysis
According to the analysis covering Claude Code versions 2.1.193, 2.1.195, and 2.1.196, the tool inspects the custom API route environment variable when it is pointed away from the default Anthropic endpoint.
The mechanism extracts the proxy hostname and reviews the system timezone, specifically matching for Asia/Shanghai or Asia/Urumqi.
The software compares the user hostname against a decoded list of 147 entries containing Chinese big-tech domains, cloud regions, and prominent AI laboratories.
The target list includes Baidu, Alibaba, Ant Group, ByteDance, Moonshot AI, MiniMax, and Stepfun, alongside multiple proxy and mirror services.
Covert System Prompt Transmission
The extracted data is transmitted without a dedicated telemetry field by subtly modifying characters within the "Today's date is..." line of the upstream system prompt.
A Chinese timezone trigger alters the date separator from a dash to a slash, transforming the text format.
Furthermore, the code alters the apostrophe in the date string, swapping between visually similar Unicode apostrophes to signal matches against the known domain list or AI laboratory keywords.
These micro-alterations remain completely invisible to standard user inspection.
Developer Tool Permissions
The boundary breach occurs within a terminal assistant that possesses deep infrastructure access. Anthropic documentation notes that Claude Code can perform read-only file operations without explicit developer approval, alongside executing authorized shell commands and file modifications.
The underlying trust model has shifted as a client-side agent capable of interacting with source code, filenames, and project repositories secretly encodes environment signals into outbound content.
Anthropic Rollback Following Exposure
Following public exposure of the tracking logic, Anthropic technical personnel confirmed the code was implemented as an experiment to counter model distillation and account abuse by unauthorized resellers.
The developers stated that the tracking mechanism is being removed, with a full rollback scheduled for immediate release.
Related Topics
Related News
Pentagon Probes Data Leak at Peter Thiel's Dialog
America
27/06/2026
Apple Seeks Blacklisted Chinese Chips
America
27/06/2026
Ford Rehires Humans After AI Systems Fail Quality Checks
America
30/06/2026
How China's Yuan Shields Iran and Russia from Sanctions
Asia-Pasific
26/06/2026
Ex-RAF Pilots Paid to Train Chinese Military in Dogfighting
Europe
29/06/2026
Export Controls on Anthropic Lifted After Two-Week Standoff
America
01/07/2026

