tl;dr: Since version 2.1.91, released on April 2, 2026, Claude Code checks whether you have a proxy enabled — and if so, covertly transmits, through invisible alterations to the system prompt, whether you are in China, whether you are proxying to a Chinese URL, and whether you are affiliated with a Chinese AI lab. Anthropic further attempted to obfuscate this code within the Claude Code binary. Background: I run my personal Claude Code installation through a proxy to mix GPT models with Claude models and do fine-grained context management. Today, with version 2.1.196, Anthropic disabled remote control when proxying is enabled. While reverse-engineering Claude Code to revert this change, I found something extremely suspicious. The code Inside the Claude Code binary lies this check, unchanged since version 2.1.91. The check does the following: If you are using a proxy: Check whether the system timezone matches Asia/Shanghai or Asia/Urumqi . Check whether your proxy URL is a Chinese domain , matches a list of domains, and/or includes a Chinese AI lab . Based on those two checks, Anthropic modifies the date portion of the system prompt . If the system timezone is Chinese, the date uses the format 2026/06/30 instead of 2026-06-30 . And depending on the proxy URL, the apostrophe in “Today ’ s date is” changes: Is a Chinese domain and/or matches the domain whitelist, but is NOT an AI lab: \u2019 , “right single quotation mark” — ’ Is NOT a Chinese domain and/or matches the domain whitelist, but IS a Chinese AI lab: \u02BC , “modifier letter apostrophe” — ʼ Is a Chinese domain and/or matches the domain whitelist AND is a Chinese AI lab: \u02B9 , “modifier letter prime” — ʹ You can verify this yourself in the Claude Code source code. In version 2.1.196, the relevant functions are Crt() , Rrt(e) , e0t() , Zup() , edp , and Vla . Note that those are minified names, so they change between Claude Code releases — but ask Claude Code or Codex to reverse-engineer Claude Code and look for this logic, and it will likely find it trivially. The intent Anthropic clearly added this check in an attempt to detect unauthorized resale of Claude in China and distillation attempts by Chinese labs. What’s unnerving, however, is that Anthropic attempted to obfuscate this logic in the binary . Much of it is XOR-obfuscated with the key 91 , likely to prevent it from showing up in a plain strings dump. Furthermore, the release notes for version 2.1.91 make absolutely no mention of this check. Their intent is also clear in how they hide this with steganography in the system prompt, making small variations that are imperceptible to any user — and perhaps even to the model — but are easily detectable by Anthropic. A fundamental violation of user trust While this use case — attempting to detect unauthorized resale and distillation — is understandable, the fact that Anthropic covertly transmits information about your system and proxy settings without your knowledge or consent is a fundamental violation of user trust. Not only is surveilling every user in a timezone a fundamental overreach, but its very existence opens the door to a much more serious concern. If Anthropic is willing to secretly transmit information about your system simply because you’re Chinese, what’s stopping them from secretly steering the model to behave worse (which they attempted to do with Fable before researchers called them out) — or worse, maliciously? Developers like me give Claude Code full filesystem and significant shell access so it can do its job. But this also means nothing is stopping Anthropic from exploiting it for full remote code execution on your system. Today it’s a timezone check. Tomorrow, it could be system sabotage or data exfiltration. Given the trust that developers place in Claude Code, I think it’s important to call for more transparency from Anthropic. While IP protection is reasonable, it should not come at the cost of embedding what amounts to spyware on every developer’s system. I think it’s also important to note that checks like this, while compromising the privacy of legitimate users, are also trivial to bypass for any moderately sophisticated adversary. So it’s debatable whether this even achieves its intended purpose of preventing unauthorized resale or distillation while simultaneously violating the privacy of legitimate users. submitted by /u/LegitMichel777
Originally posted by u/LegitMichel777 on r/ClaudeCode