Claude Code Is Steganographically Marking Requests

Last updated: June 30, 2026

A developer inspecting the Claude Code binary (version 2.1.196) discovered that the tool silently embeds classification signals into system prompts before sending them to the API. The technique uses unicode character substitutions and date format changes to mark requests based on user timezone, domain, and whether the API endpoint contains keywords associated with competing AI labs.

The post hit the top of Hacker News with 350+ points and 100+ comments in a few hours, with discussion ranging from "this is reasonable anti-distillation defense" to "this is malware-adjacent behavior for a developer tool."

What the Researcher Found

According to the blog post at thereallo.dev, the Claude Code binary contains obfuscated functions that conditionally modify the date string sent to the model. The obfuscation uses XOR encryption (key: 91) combined with base64 encoding.

The decoded keyword list includes: deepseek, moonshot, minimax, zhipu, baichuan, stepfun, 01ai. Domain lists contain Chinese tech companies and proxy/reseller services.

Four apostrophe variants signal different detection states:

Date format switches from YYYY-MM-DD to YYYY/MM/DD for users in Asia/Shanghai or Asia/Urumqi timezones.

The markers are invisible in normal use - they appear in innocuous sentences like "Today's date is..." where the apostrophe variant encodes the classification.

What HN Is Saying

The thread at Hacker News shows a split community.

The "this is reasonable" camp argues Anthropic has legitimate reasons to detect distillation and reselling:

"Combating resellers and distillation seems like a very difficult problem indeed. Interesting to me is that these techniques mentioned in the article are just like anti-observation techniques used by some of the more sophisticated malware out there, however defeating them is pretty trivial." - LPisGood

Several commenters noted that this is similar to how content providers try to detect bot scrapers, and that sophisticated actors will simply patch the binary anyway.

The "this is concerning" camp has several objections:

1. Undisclosed behavior in a trust-requiring tool. Claude Code asks for extensive filesystem and terminal access. Users expect transparency about what the tool does with their environment.

2. Timezone-based classification. Marking requests from specific timezones (Asia/Shanghai, Asia/Urumqi) raises questions about what happens to those requests downstream.

3. Obfuscation suggests intentional hiding. The XOR encryption and base64 encoding indicate Anthropic did not want this behavior to be easily discovered.

One commenter captured the sentiment: "Claude code does feel very malwarey to be honest. They have been like that from the start."

Others pointed out that if Anthropic wanted to collect this telemetry, transparent logging would be more appropriate than hidden classification signals.

The practical responses came from developers who are building their own harnesses:

"I used Claude Code for a month because my boss gifted me a sub and wanted me to try it. I used that month to complete a work project and then beef up my personal harness so I'd never have to deal with Anthropic (and these sorts of shenanigans) again." - wolttam

Multiple commenters mentioned self-hosting DeepSeek V4 Flash on local hardware as an alternative that avoids these concerns entirely.

Why This Matters for Developers

The core tension here is that Claude Code is a developer tool that requires significant trust - you give it access to run shell commands, read and write files, and interact with your entire development environment. When that tool contains undisclosed fingerprinting mechanisms, it undermines the trust relationship.

Three practical implications:

1. Requests may be routed differently. If Anthropic is classifying requests, they could potentially route marked requests to different models, apply different rate limits, or flag accounts for review. Several HN commenters speculated about output poisoning or compute throttling, though there is no evidence of this yet.

2. The markers are trivially defeatable. Any sophisticated actor trying to distill Claude's outputs would simply patch the binary. As one commenter noted: "Defeating a single fingerprinting technique once is easy. Defeating all of the techniques all the time is hard." But this cuts both ways - the feature mostly catches normal developers doing legitimate things, not the actors it is ostensibly designed to stop.

3. This is probably not the only fingerprint. If Anthropic is investing engineering effort in one steganographic technique, they likely have others. The obfuscation suggests they anticipated discovery eventually.

The Broader Context

This discovery comes amid ongoing debates about model distillation, where smaller models are trained on outputs from larger models. OpenAI, Anthropic, and Google have all expressed concerns about competitors using their APIs to generate training data.

The legality of distillation varies by jurisdiction and use case. API terms of service typically prohibit it, but enforcement is difficult. Techniques like prompt watermarking and output fingerprinting are one approach to detection.

From Anthropic's perspective, defending against distillation and unauthorized reselling is a reasonable business interest. The question is whether the implementation - hidden classification signals that are invisible to users - is the right approach for a developer tool that depends on user trust.

Several commenters suggested that explicit, opt-in telemetry would achieve the same goals without the trust erosion. Others noted that Anthropic already collects substantial data through normal API logging, so the additional steganographic layer seems unnecessary for legitimate purposes.

What Developers Should Do

If you use Claude Code and this concerns you:

1. Assume all API-based tools have some telemetry. This is not unique to Anthropic. Any cloud-based AI tool can log your prompts, responses, and metadata.

2. Self-hosting is the only complete mitigation. Local models like DeepSeek V4 Flash, GLM 5.2, or Qwen 3.6 give you full control. The agentic harnesses are less polished than Claude Code, but projects like pi and opencode are improving.

3. Watch for follow-up analysis. The original researcher called for testing whether marked requests receive different treatment (rate limits, model quality, etc.). That would be a more serious finding than the fingerprinting itself.

For now, this is a transparency issue rather than a security incident. But it is a useful reminder that closed-source tools running on your machine can contain behaviors you did not agree to.

Sources

• Claude Code Prompt Steganography - Original analysis by thereallo.dev
• Hacker News Discussion - Thread with 100+ comments