Skip to main content
TechnologyJul 2, 2026· 3 min read

Anthropic Admits: Claude Code Uses a 'Different' Apostrophe to Mark Some Prompts

Anthropic Admits: Claude Code Uses a 'Different' Apostrophe to Mark Some Prompts

An independent researcher has dismantled the framework of Claude Code and found an unexpected mechanism in a development tool: a function capable of silently altering the date string in the system prompt, transforming it into a marker readable only by Anthropic's servers. The discovery, published at the end of June and trending on Hacker News, pertains to build 2.1.196 of the agent.

The mechanism activates when the user sets the environment variable ANTHROPIC_BASE_URL, meaning when Claude Code's traffic passes through an endpoint different from the official one. At that point, the client checks the system's timezone, looking for matches with Asia/Shanghai or Asia/Urumqi, and compares the proxy's hostname against a hidden list of domains.

If a match is found, the innocuous phrase "Today's date is 2026-07-01" changes imperceptibly: the date separator switches from a dash to a slash, and the apostrophe in "Today's" is replaced with one of three nearly identical Unicode characters (, , �B1). By combining these two variables, four different signatures are produced, invisible to the naked eye but distinguishable by the server.

A Different Apostrophe to Root Out Illegitimate (and Non) Uses of Anthropic Models

The list of suspicious hostnames is not openly written in the code: it is encoded in Base64 and then encrypted with a simple XOR key of 91. Once decoded, it contains domains of Chinese companies, keywords related to artificial intelligence labs, and various gateways/resellers used to route requests to the Claude API. The researcher who published the analysis also posted the complete decoded list online.

Hi, this is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while. We merged the... -- Thariq (@trq212) June 30, 2026

For those using Anthropic's official endpoint, or who do not touch that environment variable, the function interrupts immediately, and the prompt remains standard. The problem, therefore, concerns those routing Claude Code through internal gateways, model routers, or proxy infrastructures, even for entirely legitimate reasons.

Thariq Shihipar from the Claude Code team at Anthropic confirmed the existence of the function in response to the discovery: it was an "experiment launched in March, aimed at preventing account abuse by unauthorized resellers and protecting against the distillation" of the models. Shihipar added that the team had already adopted stronger countermeasures and that removing the marker had been planned for some time, with the merging of the pull request destined for the next release: version 2.1.197, published on July 1, 2026, eliminates the mechanism.

The reference to distillation is not coincidental. Anthropic has publicly accused entities linked to Chinese labs, including Alibaba, of using tens of thousands of fake accounts and millions of query exchanges between April and June 2026 to extract Claude's capabilities and train competing models. In this context, identifying unofficial proxies and resellers becomes a defensive priority for the company.

The issue of transparency remains. Encoding a classification signal within a typographic character, instead of declaring it in an explicit telemetry field, is a choice that can be circumvented by a simple change of hostname or timezone, affecting legitimate developers' configurations more easily than genuine malicious actors equipped for evasion.