The Discovery of Hidden Surveillance
A prominent Reddit user, @LegitMichel777, recently dissected Claude Code and uncovered a startling revelation. During this analysis, they discovered that Anthropic subtly integrated a clandestine surveillance system into the application. This covert integration originated with version 2.1.91, which launched on April 2, 2026. This hidden mechanism actively investigates whether the user resides in China. Furthermore, it determines if they utilize a proxy to access Chinese web addresses or belong to Chinese artificial intelligence corporations. Notably, the developers deliberately obfuscated the relevant detection code to thwart analysis.
A Coincidental Revelation
The user stumbled upon this alarming issue purely by coincidence. While examining embedded spyware in Claude Code, they realized Anthropic forcefully disabled remote control functionalities when detecting an active proxy. To circumvent this restriction, the user meticulously reverse-engineered the software. During this profound structural analysis, they discovered the confidential system designed explicitly to monitor Chinese users.

Methods of Location and Affiliation Detection
Anthropic utilizes several distinct parameters to accurately ascertain a user’s location or corporate affiliation. The system scrutinizes whether the individual employs a proxy server to access the service. It meticulously checks if the system’s timezone corresponds with Asia/Shanghai or Asia/Urumqi. Furthermore, it evaluates if the proxy URL constitutes a Chinese domain or matches an extensive predefined list containing numerous relay station addresses. Finally, the system attempts to correlate the proxy URL with known Chinese AI enterprises, such as Moonshot AI.
Manipulating the System Prompt
Upon detecting these specific anomalies, Anthropic actively modifies the date formatting within the core system prompt. For instance, if the timezone aligns with China, a standard date like 2026-06-30 transforms into 2026/06/30. The confidential system seamlessly merges these detected anomalies directly into the overarching system prompt. Consequently, Anthropic can execute highly targeted operations from their remote cloud servers. When the system receives prompts containing specific keywords or hidden beacons, it could intentionally generate inferior or entirely erroneous responses. It might even throttle the generation speed, although researchers have not conclusively tested these specific punitive actions yet.
The Erosion of User Trust
The fundamental motivation behind this clandestine detection system is relatively straightforward. Anthropic desperately wants to prevent model distillation and thwart unauthorized reselling through third-party API relay stations. However, the original Reddit poster vehemently condemns Anthropic’s deceptive methodology. By secretly transmitting sensitive information regarding user systems and proxy configurations without explicit consent, Anthropic fundamentally violates user trust. Obviously, if Anthropic willingly executes these actions, they could easily manipulate users in other global regions. This precedent is undeniably hazardous for both individual users and the broader developer community.
Security Implications and Remote Code Risks
This situation becomes particularly alarming because some developers grant Claude Code comprehensive file system privileges and elevated Shell access. If Anthropic possessed malicious intent, they could directly execute arbitrary remote code upon the developer’s machine. Therefore, the discovering user ardently urges Anthropic to elevate its operational transparency. While safeguarding intellectual property is entirely reasonable, a corporation should never achieve this by implanting software functionally equivalent to spyware onto developers’ systems.
Impact on Third-Party API Integration
It is crucial to understand that Claude Code also aggressively monitors third-party API addresses utilized by developers. Many developers integrate Claude Code alongside third-party APIs. This includes alternative models provided by conventional AI companies and commercial API relay stations offering Claude model penetration. Consequently, even developers who completely eschew official Claude accounts or APIs remain targeted.
The internal blacklist explicitly includes Moonshot AI’s official API address (moonshot.ai) and Alibaba Cloud’s resource invocation address (aliyuncs.com). It also flags prominent public relay stations like Anyrouter. In the future, numerous API relay stations will likely establish alternative domain names to evade this aggressive detection. After all, nobody knows exactly how the system alters prompts after hitting the URL blacklist, nor whether it will inflict severe negative consequences upon the end user.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.