Claude Code steganography — embedding invisible Unicode markers into every AI system prompt — ran silently inside Anthropic’s developer tool for at least three months, fingerprinting requests routed through Chinese API proxies. A developer discovered the code on June 30, 2026. Anthropic acknowledged it and released version 2.1.197 the next morning with no mention of what changed.
A developer going by “Thereallo” published their findings on June 30, 2026, revealing that Claude Code had been inspecting users’ ANTHROPIC_BASE_URL environment variable at runtime and quietly encoding the result as invisible Unicode characters in every system prompt it generated. The hidden text shipped with every API request — without any disclosure to users or developers. The post hit #1 on Hacker News with 1,976 upvotes. Anthropic acknowledged the code’s existence and pushed version 2.1.197 early on July 1.
What the Claude Code Steganography Was Actually Doing
The mechanism is specific. Claude Code checked the ANTHROPIC_BASE_URL environment variable — the setting developers use to route API traffic through a proxy or custom gateway — and then selected one of three visually identical but technically distinct Unicode characters to substitute for the apostrophe in the phrase “Today’s date is.”
If the URL matched a list of domains associated with Chinese AI infrastructure, Claude Code swapped the standard right single quotation mark (U+2019) for a modifier letter apostrophe (U+02BC) or modifier letter prime (U+02B9). A similar substitution applied to date separators: in a Chinese timezone context, the date format silently shifted from 2026-06-30 to 2026/06/30.
Neither change is visible to a human reading the prompt. Both are detectable by software parsing the raw bytes.
The Three Unicode Characters at the Center of It
The three Unicode substitutions researchers identified are U+2019 (right single quotation mark — standard routing), U+02BC (modifier letter apostrophe — flagged proxy routing), and U+02B9 (modifier letter prime — a second routing tier). All three render as an apostrophe in every font and text editor. Only a byte-level inspection of the raw system prompt reveals which character was actually used.
The targeted domain list appears to have contained keywords associated with Chinese AI companies and proxy services commonly used to access Claude in China, where Anthropic does not officially offer its services. Developers using legitimate enterprise proxies, team billing gateways, or cost-management layers were also in scope.
Why Anthropic Did This — and What the Explanation Is Missing
Anthropic has not published a detailed public explanation. The most plausible reading: this was an attempt to detect requests coming through unofficial Chinese API proxies, at least partly as an export compliance mechanism. Anthropic’s Claude Fable 5 model was suspended under a Commerce Department order in mid-June 2026 — see how the Anthropic export ban played out — and only restored on July 1. The timing is hard to ignore.
That context makes the method more understandable — it does not make it acceptable. Embedding hidden classification data in user-facing software without disclosure is a fundamental breach of trust, regardless of the underlying motive. The Claude Fable 5 guardrails controversy earlier this year showed Anthropic already navigating difficult transparency tradeoffs with the security research community. This one lands harder: the behavior ran on the developer’s own machine, classifying their infrastructure without their knowledge.
Given that Claude Code now writes the majority of code at Anthropic itself, the tool has become deeply embedded in professional workflows — which makes silent classification of developer infrastructure all the more consequential.
The v2.1.197 Changelog Said Nothing
Anthropic released Claude Code version 2.1.197 early on July 1, 2026 — the same morning the disclosure post was climbing toward 1,976 upvotes on Hacker News. The company acknowledged the steganographic code was present and promised a fix.
The official changelog for v2.1.197 contained no mention of steganography, proxy detection, or Unicode substitution changes. For developers who updated the tool, there is currently no way to confirm whether the behavior was fully removed, partially removed, or modified.
A company that markets itself on safety and interpretability should be able to write a single changelog line saying what it removed and why. The silence compounds the original trust damage significantly.
Frequently Asked Questions
What is Claude Code steganography?
Claude Code steganography refers to the practice Anthropic used of embedding invisible Unicode characters into AI system prompts at runtime. These characters encoded information about how the user’s API traffic was being routed — specifically whether it was passing through Chinese-linked proxy services — without any visible change to the prompt text or any disclosure to the user.
Which Unicode characters did Claude Code embed in system prompts?
Claude Code substituted one of three Unicode apostrophe characters depending on the user’s API base URL: U+2019 (right single quotation mark) for standard routing, U+02BC (modifier letter apostrophe) for flagged proxy routing, and U+02B9 (modifier letter prime) for a second routing tier. All three look identical in any text editor.
Did the hidden markers affect Claude’s AI responses?
There is no confirmed evidence that the markers changed Claude’s AI responses. The steganographic characters appear to have been used for fingerprinting and detection purposes — encoding routing information for Anthropic’s servers to read — rather than for influencing model behavior. The full scope of how the data was used has not been publicly disclosed by Anthropic.
Has Anthropic confirmed removing the steganographic code in v2.1.197?
Anthropic acknowledged the code existed and said a fix was coming with version 2.1.197, released on July 1, 2026. However, the official changelog for that version made no mention of steganography, proxy detection, or Unicode substitution changes. Whether the behavior was fully removed has not been independently confirmed.
Am I affected if I use Claude Code without a custom API proxy?
The discovered code checked for a custom ANTHROPIC_BASE_URL environment variable and targeted domains associated with Chinese AI infrastructure. If you use Claude Code with the default Anthropic API endpoint and no custom proxy, your requests most likely received the standard U+2019 character. However, the full list of targeted conditions has not been publicly released by Anthropic.
The steganography discovery is one of the most significant trust stories in AI developer tooling this year. Whether Anthropic provides a fuller explanation — and whether the developer community accepts it — will say a great deal about how much goodwill Anthropic’s safety-first positioning has actually earned. Last Updated: July 2026

