Claude Code secretly checked whether you were in China for three months
Tools & Apps

Claude Code secretly checked whether you were in China for three months

· 8 min read

A Reddit user tore apart Claude Code's source code in late June and found encrypted, undocumented logic that quietly checked whether a user was based in China. Anthropic confirmed it existed, called it an anti-abuse experiment, and pulled the code on July 1. Alibaba is now banning Claude Code for its entire workforce starting July 10. The story reaches further than the Chinese market: if one of the world's most widely used AI coding tools was secretly collecting location signals without a single mention in its release notes, what do you actually know about the tools running on your own team's laptops?

What exactly was hidden inside Claude Code?

Claude Code is the command-line tool developers use to work directly with Claude in their terminal, and it has grown into one of the fastest-adopted developer tools on the market. Anthropic says Claude Code's run-rate revenue passed $2.5 billion by February 2026, reaching that milestone faster than any other AI coding product in history, with more than 300,000 business customers now on Anthropic's books. That scale is exactly why this discovery landed so hard.

Reddit user LegitMichel777 reverse-engineered Claude Code on June 30 and found hidden code that had been present since version 2.1.91, shipped on April 2. None of it appeared in the release notes. Technically, the function was obfuscated with XOR encryption using key 91, built specifically to keep anyone from spotting it while browsing the source.

The code ran three checks:

  • Timezone check: the system checked whether a user's timezone was set to Asia/Shanghai or Asia/Urumqi.
  • Proxy scan: proxy addresses and custom API URLs were matched against a built-in list of Chinese domains and AI lab addresses, including Alibaba, ByteDance, and Baidu.
  • Steganography: the results of these checks were invisibly embedded in system prompts that Claude Code sent to Anthropic's servers with every single interaction.

Here's the thing: no user could see any of this happening. No notice, no opt-out, no mention anywhere in the documentation. The code sat there for three months while millions of developers used Claude Code daily for their work, their clients, and their business-critical processes.

How did the steganography actually work?

The technique used to smuggle the results out is remarkably clever. The hidden code made two subtle changes to the system prompts that Claude Code automatically sends with every interaction with Anthropic's servers.

First, if a Chinese timezone was detected, the date format switched from dashes to slashes. Instead of "2026-07-04," the system sent "2026/07/04." Second, and cleverer still, the apostrophe in the standard line "Today's date is" was swapped for one of three visually identical but technically distinct Unicode characters, depending on which detection flags had been triggered.

To a human reader, nothing looks different. The text on your screen is identical either way. But to Anthropic's servers, the difference was instantly machine-readable. Think of it like a letter written in invisible ink: the page looks completely normal, but hold it under the right light and the hidden message appears. No UV lamp needed here, just the right software sitting on the server side.

The elegance of the approach is also what makes it unsettling. No extra network traffic was generated, no separate file was created, no suspicious process launched. The tracking rode entirely on the existing communication channel between Claude Code and Anthropic's servers. Even someone monitoring network traffic closely would have seen nothing unusual: the same endpoints, the same data volumes, just a different apostrophe character buried in a system prompt.

Why Anthropic built this in the first place

Anthropic engineer Thariq Shihipar described the code as "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation."

The context makes that explanation plausible. In the months before, Anthropic accused Alibaba of using 25,000 fake accounts to query Claude more than 28 million times in order to extract knowledge for its own AI development. For context, that averages out to more than 1,100 queries per fake account. Model distillation works by systematically querying a large model and using the responses to train a smaller model of your own. Chinese companies were reportedly routing around Anthropic's access restrictions through VPNs, cloud services, and subsidiaries based in Singapore. Anthropic's own terms explicitly prohibit sales to China-controlled organizations.

Anthropic's logic: if you can't stop a workaround at the front door, build detection into the back door. The problem is that it told no one. No changelog entry, no privacy policy update, no opt-out for users. Shihipar later acknowledged the approach was outdated: "The team has since implemented stronger measures, and we were actually already planning to remove this."

What did Alibaba do after the discovery?

Alibaba classified Claude Code as "high-risk software with security vulnerabilities" and is banning all employees from using it starting July 10. The company is directing staff to switch to Qoder, its own AI coding tool, and requiring every Claude model to be removed from company devices.

Alibaba isn't alone here, either. The discovery reinforces a broader trend of major tech companies building their own AI tools instead of relying on foreign vendors. For Alibaba, the argument now cuts two ways: competitive advantage, and security. There's a certain irony in Alibaba, itself accused of systematically abusing Claude's access, now positioning itself as the victim by pointing to the hidden tracking.

How the developer community reacted

Reaction on Reddit and Hacker News was sharp. Many developers pointed out that obfuscating code with XOR was a deliberate choice: you don't encrypt code unless you're trying to stop someone from reading it. The fact that Anthropic never documented the function only deepened the distrust. A changelog line like "we detect abuse originating from certain regions" would have been transparent. Choosing to stay quiet instead is what turned it into a breach of trust.

At the same time, others acknowledged Anthropic was trying to solve a real problem. Model distillation costs AI companies billions in intellectual property. Alibaba's 28.8 million API calls through fake accounts weren't hypothetical, they were documented. Anthropic was stuck between fighting abuse and preserving the trust of legitimate users, and the execution failed on that second front.

How do you check if your own AI tools are clean?

Start with the changelog, then work outward from there. Most organizations roll out AI tools without inspecting the source code, and that's understandable since not every company has a security team that can perform reverse engineering. Still, there are practical steps any organization can take:

  1. Read the changelog on every update. Claude Code version 2.1.91 never mentioned the tracking code in its release notes. A missing changelog entry for an update that clearly introduces new behavior is itself a signal worth noticing. Make it a habit to read changelogs before rolling out updates company-wide.
  2. Monitor network traffic. Tools like Little Snitch (macOS) or Wireshark show which connections an application makes and where. Unexpected connections to unfamiliar endpoints deserve investigation. With Claude Code, for instance, you might have spotted system prompts that subtly deviated from what you'd expect.
  3. Keep an AI tool registry. A clear AI usage policy for your team starts with knowing which tools are in use, by whom, and with what permissions. If you don't know your team is using Claude Code, you can't respond when a security disclosure comes out.
  4. Check the privacy policy for location data. Under the EU's GDPR, organizations must disclose what data they collect and on what legal basis. Hidden location tracking that isn't disclosed in a privacy policy is a violation under EU law, regardless of the underlying reason.

What this means if you use Claude Code at work

Anthropic removed the tracking code on July 1 through a pull request. If you're running the latest version of Claude Code, the code is no longer there, and the immediate risk is gone. You can check your version with claude --version in the terminal. Anything released after 2.1.91 is clean.

But the broader lesson holds. One of the most trusted AI tools in the world carried hidden, encrypted code for three months that collected location signals without disclosing it anywhere. Not through a hack, but built in by the vendor itself, for a reason that makes sense in hindsight but that users were never told about.

For organizations operating in the EU, GDPR adds another layer. Collecting location data through hidden code, without disclosure in a privacy policy and without a legal basis, would constitute a violation under EU data protection law. Whether Anthropic actually captured data from European users through this mechanism hasn't been confirmed, but the fact that the mechanism ran undetected for three months is troubling on its own. National data protection authorities across the EU have grown increasingly sharp on exactly this kind of undisclosed location detection.

The four questions worth asking before you hand your business data to any AI tool matter more after this discovery than they ever have. Trust is fine, but a tool audit at every major update is better. Know which tools your team uses, what permissions they carry, and follow the changelogs. No vendor is infallible, including the best-regarded names in the AI market, and this episode is a clear example of a call Anthropic would rather have made differently in hindsight. A tool audit costs you an hour a quarter. Finding out the hard way what your tools have been doing costs a great deal more.

Michael Groeneweg
Written by Michael Groeneweg AI consultant at Digital Impact and founder of UnicornAI.nl

Michael is an AI consultant at Digital Impact in Rotterdam and the founder of UnicornAI.nl, where he builds AI solutions and SaaS integrations for businesses. An entrepreneur for ten years, he has spent the last few refusing to touch anything that doesn't have AI woven into it, at work and at home, to the mild dismay of the people around him. His travels have turned into a running experiment in what AI can and can't do from a cafe terrace in Lisbon or a train station in Tokyo. He obsessively tests new tools, builds solutions for clients, and believes nobody should buy the hype, but nobody can keep pretending AI doesn't change everything either. Loves good coffee, long flights, and people who build with AI instead of just talking about it.

Written by a human, with AI assisting research and editing. More on our method in the AI disclosure.