2026-07 · 5 min read

Unicode Steganography in Claude Code: How AI Hides Secrets in Plain Text

Steganography — hiding information inside seemingly normal content — has a long history in security and cryptography. But when an AI coding assistant uses Unicode steganography to secretly encode whether you are a China-based user, it raises important questions about transparency in AI systems. This article examines how Claude Code implements this technique based on public reverse-engineering findings.

What Is Unicode Steganography?

Unicode includes thousands of characters that look identical or nearly identical to the human eye but have different code points. For example, there are multiple characters that all look like an apostrophe: the standard ASCII apostrophe (U+0027), the right single quotation mark (U+2019), the modifier letter apostrophe (U+02BC), and others. A human reading text cannot tell them apart, but software processing the text can distinguish them perfectly.

Unicode steganography exploits this by swapping these look-alike characters to encode hidden messages. The text appears completely normal to readers, but carries secret data for systems that know where to look.

How Claude Code Uses It

According to reverse-engineering reports, Claude Code encodes its China user detection verdict in the system prompt that it sends to the model. Specifically, in the line that reads "Today's date is YYYY-MM-DD," two steganographic channels exist.

Channel 1: The Date Separator

In the standard case, the date uses hyphens: 2026-07-03. When a China timezone is detected, the hyphens are replaced with forward slashes: 2026/07/03. This is a simple binary signal — slash means China timezone detected, hyphen means not detected.

Channel 2: The Apostrophe Variants

The word "Today's" contains an apostrophe. Claude Code rotates this apostrophe among four visually identical Unicode variants. Each variant encodes a different detection state:

Variant 1 indicates no detection triggered. Variant 2 indicates timezone match only. Variant 3 indicates hostname match only. Variant 4 indicates both timezone and hostname match. The exact Unicode code points used have been identified in the reverse-engineering analysis, though the specific mapping may be updated over time.

Why This Matters for AI Transparency

The use of steganography in AI system prompts raises several concerns. Users interacting with Claude Code cannot see the system prompt, so they have no way of knowing that their geographical information has been encoded and transmitted to the model. The model itself may then alter its behavior based on this hidden information — potentially refusing certain requests, limiting functionality, or adjusting its responses for users flagged as China-based.

This technique is particularly noteworthy because it is invisible to standard text inspection. Even if a user could view the system prompt, they would need to specifically check the Unicode code points of individual characters to detect the encoding.

How to Detect Steganographic Encoding

If you have access to the system prompt text, you can check for steganographic encoding by examining the exact Unicode code points. In JavaScript, you can inspect each character:

Array.from(text).map(c => c.charCodeAt(0).toString(16))

Look at the apostrophe in "Today's" and the separator characters in the date string. If they use non-standard Unicode code points, steganographic encoding is likely present.

The Bigger Picture

Claude Code's use of Unicode steganography for China user detection is one example of a broader trend: AI systems making decisions based on user attributes that are collected and processed invisibly. As AI tools become more integrated into development workflows, understanding these mechanisms becomes increasingly important for maintaining user agency and trust.

Our browser fingerprint scanner at fuck-claude.app simulates the timezone check that feeds into this steganographic encoding. While we cannot replicate the actual encoding (it happens inside Claude Code's client), we can show you whether your browser environment would trigger the detection that leads to it.

🔍 Test Your China User Score

Our Claude Code China User Scanner checks 11 browser fingerprint signals and tells you whether Claude Code would flag you.

Scan Now →