Claude Code is Anthropic's AI coding assistant for developers, and a reverse engineer on r/ClaudeAI says it shipped an invisible Chinese user detector embedded in date formats and three visually identical punctuation marks, hidden inside obfuscated
A reverse engineer who posted their findings on r/ClaudeAI says Anthropic quietly embedded a Chinese-user detector inside Claude Code, the company's AI coding assistant for developers, and hid it behind code compression plus XOR-based obfuscation, a reversible scrambling technique meant to defeat casual string searches, with the routine surfacing only through short, cryptic function names like Crt, Rrt, e0t, Zup, edp, and Vla. The mechanism is the part of the story that survives any policy headline. If the teardown is accurate, Anthropic shipped a covert geo-fencing signal to paying customers using a steganographic trick, a hidden channel inside text that looks normal to a human reader, and only pulled it after the researcher named the trigger conditions on a public subreddit.
The detective work appears to begin with Claude Code build 2.1.91, which the Reddit post dates to April 2, 2026. Inside the proxy-enabled code path, a pair of checks fires. One compares the system timezone against Asia/Shanghai or Asia/Urumqi. The other parses the proxy URL for a Chinese top-level domain, for entries on a built-in domain blacklist, or for any string tied to a Chinese AI lab. A later build, 2.1.196, also disabled Claude Code's remote-control feature whenever a proxy was active, which the researcher argues is what tipped him to the older detector code in the first place. A direct connection skips the check entirely, which is the structural reason the mechanism produced a ban wave that looked, to many Chinese users, both fast and somewhat arbitrary.
The detection result is not a hard block. Claude Code silently rewrote its own system prompt, swapping hyphens in date strings for slashes (2026-06-30 → 2026/06/30) and substituting three codepoints that render identically to the eye: the curly right single quotation mark (’), the modifier letter apostrophe (ʼ), and the modifier letter prime (ʹ). A downstream system reading those invisible differences gets a covert channel that a human reader does not. The Chinese tech outlet LeiPhone (雷峰网) framed the disclosure as the mechanism behind the recent Claude account bans that hit users regardless of whether their API path was domestic or foreign, including suspected-affiliation bans of Chinese AI-lab researchers.
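A reader who wants to check text for the markers described above has to compare codepoints, not rendered glyphs. The following Python is an added example, not code from the Reddit teardown or from Claude Code; the function names and the two sample strings are constructed for illustration.

```python
import re
import unicodedata

# ASCII apostrophe as a baseline, plus the three look-alike marks named in the article.
LOOKALIKES = frozenset("\u0027\u2019\u02bc\u02b9")
# ISO-style dates whose two separators match: 2026-06-30 or 2026/06/30.
DATE_RE = re.compile(r"\b\d{4}([-/])\d{2}\1\d{2}\b")


def fingerprint(text):
    """List every apostrophe-like codepoint (with offset) and the date separators used."""
    marks = [(i, f"U+{ord(c):04X}", unicodedata.name(c))
             for i, c in enumerate(text) if c in LOOKALIKES]
    seps = sorted({m.group(1) for m in DATE_RE.finditer(text)})
    return {"marks": marks, "date_separators": seps}


def diff_fingerprints(baseline, observed):
    """Report differences a human reader would not see between two texts."""
    b, o = fingerprint(baseline), fingerprint(observed)
    b_cp = {cp for _, cp, _ in b["marks"]}
    o_cp = {cp for _, cp, _ in o["marks"]}
    return {
        "new_codepoints": sorted(o_cp - b_cp),
        "separator_changed": b["date_separators"] != o["date_separators"],
    }


# Constructed sample text: same wording, different codepoints and date separator.
BASELINE = "Today's date is 2026-06-30. Don\u2019t guess."
OBSERVED = "Today's date is 2026/06/30. Don\u02bct guess."

if __name__ == "__main__":
    for offset, codepoint, name in fingerprint(OBSERVED)["marks"]:
        print(f"offset {offset}: {codepoint} {name}")
    print(diff_fingerprints(BASELINE, OBSERVED))
```

Run against two captures of the same prompt or request body, it flags a changed mark or separator even when both captures look identical on screen.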
Anthropic's response did not arrive as a blog post or a security advisory. It arrived as a reply on X from Thariq (@trq212), a Claude Code team member, who confirmed the routine was an experiment launched in March 2026, said stronger mitigations now exist, and noted the pull request to remove it had been merged and was scheduled to land in the next day's release. That reply-thread posture, a single team-member tweet with no published commit hash and no customer notice in the source materials reviewed here, is itself part of why this story reads as a transparency failure even if the underlying rule is defensible.
The team-member explanation is narrow in a way that matters. "Reseller abuse" and "model distillation" are real risks for a frontier-model API: Chinese-affiliated resellers buy overseas capacity to sell locally, and distillation, the practice of training a smaller model on a larger one's outputs, is something a frontier-lab seller wants to stop. A proxy-triggered, timezone-plus-URL detector is one way to address them. It is also a way that reads as geo-fencing to any user whose legitimate work ends in a ban. The mechanism the researcher describes does not draw the line between "Chinese AI-lab-affiliated reseller" and "Chinese developer working through a corporate proxy." It draws the line at "anyone routing through anything that smells Chinese," with no disclosure to the user that the line exists.
That gap is what makes the obfuscation matter more than the rule. An openly documented geo-fence produces user-visible behavior and gives the user something to contest. A fingerprinting routine smuggled into the binary under XOR scrambling produces the same bans with no contest path. Anthropic has reportedly removed the code path, but only in a single team-member tweet, only after a public teardown, and with no formal notice in the materials reviewed here.
What to watch next: the first Claude Code release note after the teardown that explicitly removes the proxy-triggered Chinese-user code from build 2.1.91 forward; any Anthropic blog or policy note on the experiment; and whether the ban waves some Chinese developers reported in early April have stopped for users who were never on a proxy at all, which the researcher's mechanism would not explain on its own.