Anthropic is pulling a hidden mechanism from Claude Code that quietly fingerprinted developers routing their traffic through Chinese proxies and AI-lab domains. A researcher going by Thereallo decompiled the tool and published the findings, which hit the top of Hacker News before Anthropic responded and said a fix would ship.
What was actually in there
The technical writeup lays it out. Claude Code checks the ANTHROPIC_BASE_URL environment variable, the setting people flip when they point the tool at a custom proxy instead of the official endpoint. If that URL has been overridden, the code then looks at the system timezone, checking specifically for Asia/Shanghai or Asia/Urumqi, and scans the proxy hostname against a list of Chinese domains and AI-lab keywords.
Get a match, and the tool rewrites the system prompt. Not visibly. It swaps the dashes in the date string for slashes and replaces the apostrophe in "Today's date is" with a near-identical Unicode character. You would never catch it in a normal monospace font. Anthropic's servers read it instantly. The domain list was hidden behind XOR obfuscation and base64, which is the part that made people uneasy, since that is the kind of thing malware does to dodge scanners.
Thereallo was measured about it.
"This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust."That reads as the fair take. The goal is defensible. The delivery, less so.
Anthropic's explanation, and the timing
Thariq Shihipar, an engineer on the Claude Code team, responded on X on Tuesday. He called it an experiment from March aimed at stopping unauthorized resellers from abusing accounts and at protecting against distillation, the practice of training a cheaper model on a stronger one's outputs. He added the team had shipped stronger protections since and had been meaning to take this down anyway, that the pull request was merged, and that it should be fully gone in the next release.
Maybe. The obvious problem is that "we were going to remove it anyway" only surfaced after someone found it. The code had reportedly been sitting in the binary since a version released in early April with no mention in the release notes. Asked whether the tracking was disclosed anywhere in its terms of service, an Anthropic spokesperson pointed The Register back to Shihipar's remarks, which did not answer that question.
Why China
The context here isn't subtle. Anthropic doesn't offer its products in China and has publicly accused several Chinese labs, including DeepSeek, Moonshot, MiniMax and Alibaba, of using Claude outputs to train competitors. Plenty of Chinese developers reach Claude anyway through foreign accounts and third-party proxies, which is exactly the traffic this code was built to spot.
The catch is that it barely works. Change your timezone, change your domain, patch the binary, and the marker is gone. So it flagged the least sophisticated users while doing little against a determined lab. Not a great trade for the trust it cost.
The rollback is expected in the Claude Code release following Shihipar's Tuesday statement. Worth watching whether Anthropic ever specifies what those "stronger mitigations" actually are.




