Brief IA

Anthropic Shields Claude with Invisible API Markers

💻 Code & Dev · Tom Levy

Key Takeaways
1. Since April, Anthropic has added invisible marking in Claude Code.
2. This marking targets API requests through proxies in China.
3. The measure aims at Chinese users and competing AI labs.

💡 Why it matters: This strategy reflects the technological tensions between the West and China, impacting data security.

📄 Full Analysis

Anthropic Protects Claude with Invisible API Markers

A researcher has discovered that Claude Code, Anthropic's development tool, has been incorporating a mechanism for invisible marking of API requests since April. This behavior, absent from any release notes, targets users accessing through a proxy in China or via competing AI labs.

The issue emerged on June 30, 2026, on the subreddit r/ClaudeAI, through a user identified as "LegitMichel777," who was sifting through the binary of Claude Code 2.1.196 to restore a disabled feature. A second researcher, publishing under the pseudonym "Thereallo," independently confirmed the same findings on the same day.

Hidden Unicode in the System Prompt

Claude Code inserts a line into each session that is sent to the model: "Today's date is 2026-06-30." Two elements of this phrase can be discreetly modified, without any notification whatsoever.

  • The first concerns the date format. If the system timezone is Asia/Shanghai or Asia/Urumqi, the hyphen switches to a slash: 2026/06/30.

  • The second pertains to the apostrophe in the word "Today's." Depending on the type of detected proxy, it is replaced by one of three distinct Unicode characters:

    • \u2019
    • \u02BC
    • \u02B9

These characters correspond to a known Chinese domain, a Chinese AI lab, or both simultaneously. These variations are visually indistinguishable in the vast majority of fonts but perfectly readable on the server side.
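
An added example, not code from Claude Code or from the researchers: a small Python audit that reports which apostrophe code point and date separator appear in a date line, and lists any non-ASCII characters with their Unicode names. It assumes the unmodified line uses the ASCII apostrophe (U+0027); the sample lines are constructed, and the function names are hypothetical.

```python
import re
import unicodedata

# Apostrophe variants listed in the article. Assumption: the unmodified
# line uses the plain ASCII apostrophe U+0027.
LISTED_VARIANTS = {"\u2019", "\u02BC", "\u02B9"}

# Captures the apostrophe character and the date separator.
DATE_LINE = re.compile(r"Today(.)s date is \d{4}([-/])\d{2}\2\d{2}")


def inspect_date_line(text):
    """Describe the apostrophe and separator in the date line, or return None."""
    match = DATE_LINE.search(text)
    if match is None:
        return None
    apostrophe, separator = match.groups()
    return {
        "codepoint": f"U+{ord(apostrophe):04X}",
        "name": unicodedata.name(apostrophe, "UNKNOWN"),
        "listed_variant": apostrophe in LISTED_VARIANTS,
        "separator": separator,
    }


def non_ascii_chars(text):
    """List (offset, code point, Unicode name) for every non-ASCII character."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(text)
        if ord(ch) > 0x7F
    ]


# Constructed sample lines (not captured traffic).
SAMPLES = [
    "Today's date is 2026-06-30.",
    "Today\u2019s date is 2026-06-30.",
    "Today\u02BCs date is 2026/06/30.",
    "Today\u02B9s date is 2026-06-30.",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line), inspect_date_line(line), non_ascii_chars(line))
```

The four samples render almost identically in most fonts, yet each reports a different code point, which is why a byte-level or code-point-level view is needed to see the difference.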

On the lab side, DeepSeek, Moonshot, Zhipu, Baichuan, and Dashscope are under scrutiny, along with the domains baidu.com, alibaba-inc.com, and bytedance.net. This list, stored in the binary via double encoding (XOR key 91 and base64), also includes several unofficial API resellers like anyrouter.top or claude-code-hub.app. The encoding is meant to prevent the list from being extracted through simple string analysis of the binary.

Opacity That Lacks Justification

Anthropic aims to contain the unauthorized resale of the Claude API as well as "model distillation," which involves using responses from a commercial model to train a rival LLM. By targeting proxies pointing to labs like DeepSeek or Zhipu, Anthropic is implementing commercial protection tools.

However, the method itself remains quite questionable. This behavior has not been mentioned in any release notes since its introduction on April 2, 2026, in version 2.1.91. The detection code is deliberately obfuscated in the binary. Developers who grant Claude Code full access to their file systems and command interpreters have no way of knowing about the existence of this marking. So far, Anthropic has made no public response to these revelations.

It is worth noting that the mechanism only activates if the environment variable ANTHROPIC_BASE_URL is set, which implies that the user is redirecting their API calls to a third-party endpoint. Users connected directly to the official API are not affected. In practice, it is enough to change the hostname or modify the binary to bypass detection. The system primarily penalizes legitimate developers who use a proxy for valid reasons.
