NewsAI & Development

Claude Code Is Marking Requests: What Anthropic Hid

37 views0
Claude Code logo with invisible Unicode markers dispersing from edges, revealing hidden API request fingerprinting
ByteBotBy
Share

A researcher discovered today that Claude Code silently embeds invisible Unicode steganographic markers into system prompts — with no documentation and no disclosure. The finding landed at the top of Hacker News on June 30 with over 1,000 points within hours of publication. In short: if you route Claude Code through a custom API proxy or gateway, Anthropic is fingerprinting your requests, and you were never told.

What Anthropic Built Into Claude Code

The technical analysis published by thereallo.dev found that Claude Code checks your ANTHROPIC_BASE_URL environment variable at runtime. If you use the official Anthropic API directly, nothing happens. However, if you set a custom base URL — pointing to a company proxy, a model router, or any third-party gateway — Claude Code analyzes the hostname against encoded blocklists. Those lists, XOR-decoded at runtime with key 91, include domains associated with known API resellers and Chinese AI labs: Deepseek, zhipu, Baidu, Alibaba. The classification result is then encoded into what looks like normal English text in the system prompt, using invisible Unicode characters that are invisible to you but transmitted with every request.

This is not a warning. Not a log entry. Not a user-facing signal. The markers are hidden in plain sight — that is the definition of steganography. The model receives a hidden classification of your request origin, and developers have no way to know it is happening without reverse-engineering the binary.

Why Anthropic Has a Real Reason for Claude Code Fingerprinting

The motivation behind this matters, and dismissing it would be intellectually dishonest. In February 2026, Anthropic, OpenAI, and Google simultaneously disclosed coordinated industrial-scale model distillation attacks. Anthropic specifically accused DeepSeek, Moonshot AI, and MiniMax of using more than 24,000 fraudulent accounts to generate 16+ million exchanges — systematically extracting Claude’s reasoning, coding, and agentic behaviors to train competing models. These are not theoretical threats. They are documented, named, and ongoing.

The fingerprinting targets the infrastructure these attacks rely on: unauthorized resellers and known-hostile API gateways. When you see “deepseek” in the blocklist, you are seeing the fingerprint of a real IP theft campaign. Anthropic’s goal here is not to spy on developers. It is to detect when Claude is being fed into a distillation pipeline masquerading as a legitimate API client.

Related: Anthropic Blinked: Claude Agent SDK Billing Split Is Dead for Now

Why the Claude Code Privacy Method Is Still a Trust Violation

The goal being legitimate does not make the implementation acceptable. The core developer criticism is not “how dare Anthropic protect its IP” — it is “why was this hidden?” Developers who route Claude Code through internal API gateways for entirely legitimate reasons — secrets management, credential injection, data filtering, model routing across multiple providers — are being fingerprinted alongside the bad actors. The detection net is blunt: if your hostname does not match the official endpoint exactly, you are classified.

The discovery also opens a specific kind of trust hole that is hard to close. As one Hacker News commenter put it: “fingerprinting my access patterns without first disclosing is where they shit the bed.” Once you know Anthropic hid this behavior, every other privacy claim becomes harder to evaluate. The fingerprinting is also technically weak: a sophisticated reseller trivially circumvents it by randomizing their base URL. It catches legitimate developers; it does not catch the actual distillers running coordinated industrial campaigns. Moreover, documented and transparent anti-abuse measures — public blocklists, explicit terms of service enforcement, user-visible flags — would have achieved the same goal without the trust damage.

Who Is Actually Affected by Claude Code Steganography

For the majority of Claude Code users, this is not a direct concern. If you run Claude Code against the official Anthropic API — the default configuration — the fingerprinting code never fires. However, if your organization routes through a corporate API gateway, uses a custom ANTHROPIC_BASE_URL, or proxies requests through internal infrastructure, your requests are being classified. Enterprise teams should audit their gateway hostnames and understand what signals they are sending with every Claude Code invocation.

Key Takeaways

  • Claude Code embeds invisible Unicode markers in system prompts when a custom ANTHROPIC_BASE_URL is set — classifying the request origin against encoded lists of known resellers and Chinese AI labs
  • Anthropic’s motivation is legitimate: preventing industrial-scale model distillation attacks, documented and publicly disclosed in early 2026
  • The implementation is a trust violation — covert, undisclosed, and blunt enough to fingerprint developers with entirely legitimate proxy setups
  • Most Claude Code users are unaffected; those running through corporate gateways or custom endpoints should audit their configuration
  • Transparent, documented anti-abuse measures would have achieved the same goal without eroding developer trust
ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
    Previous
    Next

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:News