dev.toJuly 1, 2026 AFFECTS EXAM
Modelo

Claude Code was quietly fingerprinting requests through a hidden mark in the date

A reverse-engineer found that Claude Code secretly changes tiny characters in the date it sends the model - a covert marker aimed at spotting resellers and copycats.

A reverse-engineer discovered that Anthropic's coding tool, Claude Code, embeds a hidden tracking mark in the system prompt it sends to its AI model. The mark uses look-alike Unicode characters in the date line — a curly apostrophe instead of a straight one, a slash instead of a dash — enabling Anthropic to secretly fingerprint requests based on the user's server address, time zone, and network name.

Key facts

  • **What:** A reverse-engineer found that Claude Code secretly changes tiny characters in the date it sends the model - a covert marker aimed at spotting resellers and copycats.
  • **When:** 2026-06-30
  • **Primary source:** [read the source](https://thereallo.dev/blog/claude-code-prompt-steganography)

The discovery was made by a reverse-engineer known as Thereallo, who pulled apart a recent version of Claude Code and published the details in [a detailed write-up](https://thereallo.dev/blog/claude-code-prompt-steganography). Before Claude Code talks to the AI, it builds a system prompt — the standing instructions and context the model reads first. One line in that block states the day's date, something like the phrase Today's date is followed by the year, month and day. Thereallo found that the program sometimes swaps two tiny characters in that line: the apostrophe in Today's, and the dash separating the numbers. Instead of a plain typewriter apostrophe it uses a curved look-alike; instead of a plain dash it uses a slash. To a human reader the line looks identical, but to a computer those are different characters — so the date string quietly carries a signal.

This is a classic technique called steganography: hiding a message not by scrambling it, but by tucking it somewhere nobody looks. Which look-alike character gets used depends on a few things the program checks about your setup. The biggest trigger is whether you have pointed Claude Code at a different server address than Anthropic's own. Many developers do this legitimately — to route requests through a company gateway, a local proxy, or a model-routing tool. The program also checks your computer's time zone and its network name against secret lists that were scrambled with basic encoding so they would not be obvious to anyone skimming the code. When Thereallo unscrambled those lists, they held the web addresses of Chinese firms, rival AI companies, and various proxy and reseller services.

The likely purpose is clear. Anthropic appears to be trying to catch people who resell its models under another name, run unofficial gateways, or — most pointedly — siphon the model's answers to train a cheaper copycat, a practice the industry calls distillation. Secretly tagging the requests lets Anthropic later prove a leak came through a particular reseller. It is a watermark for traffic. You can read more about how a small model can be trained to imitate a big one in our explainer on [distillation](https://groundtruth.day/news//learn/distillation.html).

The backlash, playing out in [a l

Read full article on dev.to