News · 2026-06-30
Claude Code was quietly fingerprinting requests through a hidden mark in the date
A reverse-engineer discovered that Anthropic's coding tool, Claude Code, embeds a hidden tracking mark in the system prompt it sends to its AI model. The mark uses look-alike Unicode characters in the date line — a curly apostrophe instead of a straight one, a slash instead of a dash — enabling Anthropic to secretly fingerprint requests based on the user's server address, time zone, and network name.
Key facts
- What: A reverse-engineer found that Claude Code secretly changes tiny characters in the date it sends the model - a covert marker aimed at spotting resellers and copycats.
- When: 2026-06-30
- Primary source: read the source
The discovery was made by a reverse-engineer known as Thereallo, who pulled apart a recent version of Claude Code and published the details in a detailed write-up. Before Claude Code talks to the AI, it builds a system prompt — the standing instructions and context the model reads first. One line in that block states the day's date, something like the phrase Today's date is followed by the year, month and day. Thereallo found that the program sometimes swaps two tiny characters in that line: the apostrophe in Today's, and the dash separating the numbers. Instead of a plain typewriter apostrophe it uses a curved look-alike; instead of a plain dash it uses a slash. To a human reader the line looks identical, but to a computer those are different characters — so the date string quietly carries a signal.
This is a classic technique called steganography: hiding a message not by scrambling it, but by tucking it somewhere nobody looks. Which look-alike character gets used depends on a few things the program checks about your setup. The biggest trigger is whether you have pointed Claude Code at a different server address than Anthropic's own. Many developers do this legitimately — to route requests through a company gateway, a local proxy, or a model-routing tool. The program also checks your computer's time zone and its network name against secret lists that were scrambled with basic encoding so they would not be obvious to anyone skimming the code. When Thereallo unscrambled those lists, they held the web addresses of Chinese firms, rival AI companies, and various proxy and reseller services.
The likely purpose is clear. Anthropic appears to be trying to catch people who resell its models under another name, run unofficial gateways, or — most pointedly — siphon the model's answers to train a cheaper copycat, a practice the industry calls distillation. Secretly tagging the requests lets Anthropic later prove a leak came through a particular reseller. It is a watermark for traffic. You can read more about how a small model can be trained to imitate a big one in our explainer on distillation.
The backlash, playing out in a large thread on Hacker News, was swift. Many developers called the behavior spyware-adjacent and said it was a strange choice for a tool whose whole pitch rests on trust. Others pointed out the irony of a company that markets itself around AI safety and honesty running a covert tracker. And plenty noted the practical problem: the mark does not actually stop a determined copycat, who can strip or normalize the characters in seconds. What it does catch is ordinary developers doing ordinary-but-unusual things — running a local proxy, testing through a router, working behind a corporate gateway — who never agreed to be flagged and had no idea it was happening.
There is a defense of the practice, and it is worth stating fairly. Frontier labs spend enormous sums training these models, and having them cheaply cloned through a reseller is a real business threat. A lightweight signal that helps trace abuse, while touching nothing but a couple of invisible characters in a date, is far less invasive than, say, logging your code. No content is exfiltrated. On that reading it is a reasonable anti-abuse measure that got a bad name mostly because it was undocumented.
But that is exactly the sticking point. The problem was never the technical footprint; it was that it was hidden. A tool that asks for deep trust and then embeds a secret tracer — one that mostly ensnares the honest edge cases while barely inconveniencing the bad actors it targets — spends trust it may not easily earn back. As of this writing Anthropic had not published a formal explanation. The episode lands as a small but sharp reminder: the instructions an AI reads before it answers you are software too, and software can carry passengers you were never told about. Readers curious about the broader risk of hidden instructions inside AI systems can see our piece on prompt injection.
Key questions
Comments are replies to this story on Bluesky — reply with any Bluesky account to join in.