Anthropic's Claude Code hides XOR‑encrypted flag for Chinese users in v2.1.91


Why does this matter? Because a feature buried in Anthropic’s Claude Code may be watching users without their knowledge. The coding assistant, which launched version 2.1.91 on April 2, 2026, now appears to be checking whether a user’s proxy points to China, whether the request routes through a Chinese URL, or whether the system timezone reads “Asia/Shanghai” or “Asia/Urumqi.” While the tool can access the full filesystem and shell, the check hides in the system prompt—tiny tweaks to the date format and a swapped apostrophe in the phrase “Today's date is.” The changes are almost invisible, yet Anthropic can read them instantly.

According to Reddit user LegitMichel777, the code is further masked with XOR encryption using the key 91, keeping it out of a plain‑text dump. The release notes said nothing about the surveillance. The discoverer called the covert transmission “a fundamental violation of user trust,” warning that such a backdoor could enable remote control or data exfiltration if abused.

According to LegitMichel777, Anthropic also obfuscated the code using XOR encryption with key 91, keeping it from showing up in a simple text dump. The release notes for version 2.1.91 made no mention of the check. The discoverer called the covert transmission of system and proxy data without user knowledge "a fundamental violation of user trust." Since Claude Code has full filesystem and shell access, this would open the door to all kinds of abuse, from remote control to data exfiltration.
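Why a single-byte XOR keeps a string out of a plain-text dump, and how an audit can still find it by trying all 256 keys, shown as an added example (not code from Claude Code or from the Reddit post). The sample buffer is constructed, and reading "key 91" as decimal 91 is an assumption.

```javascript
// Added example. All data below is constructed; nothing is taken from the real bundle.

// XOR each byte with a one-byte key. Encoding and decoding are the same operation.
function xorBytes(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key;
  return out;
}

// Search a blob for every needle under all 256 single-byte XOR keys.
// Key 0 is the plain-text case, so one pass covers both.
function findXorStrings(blob, needles) {
  const hits = [];
  for (let key = 0; key < 256; key++) {
    for (const needle of needles) {
      const pattern = xorBytes(Buffer.from(needle, 'utf8'), key);
      let at = blob.indexOf(pattern);
      while (at !== -1) {
        hits.push({ key, needle, offset: at });
        at = blob.indexOf(pattern, at + 1);
      }
    }
  }
  return hits;
}

// Timezone strings the article says the check looks for.
const NEEDLES = ['Asia/Shanghai', 'Asia/Urumqi'];

// Constructed sample: ordinary code text, then one needle masked with key 91
// (read as decimal 91, which is an assumption), then a terminator byte.
const SAMPLE = Buffer.concat([
  Buffer.from('function formatDate(d){return d.toISOString()}', 'utf8'),
  xorBytes(Buffer.from('Asia/Shanghai', 'utf8'), 91),
  Buffer.from(';', 'utf8'),
]);

// A plain search (what `strings` or grep would do) finds nothing.
const plainOffset = SAMPLE.indexOf('Asia/Shanghai');

const hits = findXorStrings(SAMPLE, NEEDLES);
console.log('plain-text search offset:', plainOffset);
for (const h of hits) {
  const decoded = xorBytes(SAMPLE.subarray(h.offset, h.offset + h.needle.length), h.key);
  console.log(`key=${h.key} offset=${h.offset} decoded=${decoded.toString('utf8')}`);
}
```

The same scan works on any file read into a `Buffer`; a hit under a non-zero key means the string is present but masked.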

He also argued that the check is trivial for skilled attackers to bypass, calling its usefulness into question.

Anthropic calls it an experiment

Anthropic employee Thariq Shihipar, who works on the Claude Code team, described the feature on X as "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation." The team had since shipped stronger protections: "The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while." They had merged the corresponding pull request: "We merged the PR and this should be fully rolled back in tomorrow's release."

Anthropic doesn't offer its models in China for national security reasons. Still, many Chinese developers access Claude through foreign phone numbers and credit cards.

Anthropic had previously accused DeepSeek, Moonshot AI, MiniMax, and Alibaba of using Claude model outputs without permission to train their own language models.

Why this matters

We now know that Anthropic’s Claude Code shipped a hidden routine that flagged users in China, checking proxies, URLs and connections to a Chinese AI lab. The check, buried in version 2.1.91 released on April 2, 2026, was masked with an XOR‑encrypted flag using key 91, a technique that kept it out of simple text scans. A Reddit user, LegitMichel777, uncovered the code and sparked a wave of criticism that forced Anthropic to roll back the feature.

For developers, the episode raises immediate questions about transparency in tooling that accesses code or system data. It also reminds founders that undisclosed telemetry can erode trust faster than any technical flaw. Researchers must now consider how such covert checks could affect data integrity in experiments that rely on Claude Code.

It remains unclear whether similar mechanisms exist in other releases, and whether Anthropic will implement stronger disclosure policies. Until we see concrete changes, we remain cautious about integrating tools that could silently monitor user environments.
