Sponsored by

How Much Is Your Billing Lag Actually Costing You?

Most SaaS finance teams know their billing process isn't perfect. Few know what it's actually costing them.

Answer 5 quick questions — contracts signed per month, ACV, days to first invoice, error rate, DSO — and the Tabs Billing Lag Calculator gives you a dollar figure benchmarked against top SaaS companies.

It takes two minutes. The number might surprise you.

Calculate your billing lag and see where you stand.

A developer reverse-engineered Claude Code and found something nobody expected — then the internet erupted.

Hey innovator,

Picture this:

You're a developer.

You open your terminal, type a command, and let your AI coding assistant do its thing.

It writes code. It reads your files. It runs commands on your machine.

You trust it.

What you don't know is that buried inside every single prompt your tool sends to the AI — invisible to your eyes, invisible in the logs — there are hidden markers. Tracking markers. Encoded in characters that look identical to normal punctuation but carry a secret signal.

You didn't agree to them. You weren't told about them. They've been there since April.

On June 30, a developer found them.

⚡ What actually happened

A developer going by the name LegitMichel777 posted on Reddit late June 30 after reverse-engineering Claude Code, Anthropic's command-line AI coding tool. What they found hit the top of Hacker News within hours.

Claude Code had been secretly embedding what researchers call steganographic markers inside the system prompts it sends with every request — since at least version 2.1.91, released on April 2.

Steganography is the practice of hiding information inside other data in a way that's invisible during normal use but detectable to anyone looking for it. The technique is usually associated with watermarking images. Nobody expected to find it inside a text prompt from a coding assistant.

Here's how it worked.

When Claude Code detected that you were routing your requests through a custom API endpoint — a proxy, a company gateway, or a third-party service — it quietly checked your system timezone and the proxy's hostname against two hidden lists: one containing 147 Chinese corporate domains, cloud services, and AI lab names, and another containing keywords like "deepseek," "moonshot," and "minimax."

If you matched, the tool silently modified the "Today's date is…" line in the system prompt using invisible Unicode characters — three different apostrophe symbols that look completely identical to the human eye but are distinct to any system reading the underlying data.

Date formatting also changed: the tool would switch between 2026/06/30 and 2026-06-30 as an additional binary signal.

The result was a covert channel — information about where your requests were coming from, encoded invisibly, sent to Anthropic on every prompt, without your knowledge.

The code was obfuscated. Hidden on purpose.

🧠 What Anthropic says it was trying to do

This is where it gets genuinely complicated — because Anthropic's underlying motivation is not difficult to understand.

Earlier this year, Anthropic publicly accused several Chinese AI labs of running over 24,000 fraudulent accounts and 16 million fake API exchanges specifically to steal Claude's reasoning and coding behavior — feeding it into their own systems to copy what took Anthropic years to build. That's called model distillation. It's real, it's documented, and it cost Anthropic significant resources.

The fingerprinting mechanism was designed to detect exactly this kind of attack. When Claude Code saw a request routing through infrastructure associated with those labs, it tagged it — a technical attempt to identify when it was being used as a theft pipeline.

An Anthropic engineer acknowledged the code publicly on social media and said it would be removed. Version 2.1.197 shipped early July 2 with the markers gone. Anthropic described the feature as something "meant to prevent distillation."

The goal was legitimate. The implementation wasn't.

⚠️ Why developers are angry — and why it matters beyond developers

The anger isn't really about what Anthropic was trying to prevent. Most people understand the problem of AI companies stealing each other's models.

The anger is about the method. And specifically, the secrecy.

Claude Code has access to your source code. It reads your files. It runs commands in your terminal. It is, by design, one of the most trusted pieces of software a developer can run on their machine. The implicit contract with any tool at that level of access is: we do not do things you haven't been told about.

Hidden Unicode markers in system prompts, obfuscated with XOR encryption, absent from any documentation or changelog, present for three months — that breaks the contract.

One comment in the bug thread captured the community reaction: if it can ship a hidden classifier today, it can ship a hidden throttle tomorrow. The problem isn't what this particular feature did. It's what the architecture makes possible without your knowledge.

And this matters beyond developers, because the question it raises is not technical. It's trust.

When you use an AI tool — coding assistant, writing tool, business software — what is it actually doing with your prompts? What signals is it sending that you haven't been told about? Who sees them, and for what purpose?

Most users don't have the technical ability to reverse-engineer their software to check. The answer to those questions has always required trust. Claude Code just made that trust harder to extend automatically.

🔄 The broader pattern worth watching

This incident sits inside a larger story that is only getting more important.

AI companies are in an arms race — not just to build better models, but to protect those models from being copied. Model theft is a real, expensive, ongoing problem. The incentives to track, fingerprint, and identify suspicious usage are enormous.

At the same time, AI tools are embedding themselves deeper into the most sensitive parts of people's work: their code, their documents, their customer data, their internal systems.

The collision between those two things — protection on the company's side, sensitivity on the user's side — is going to produce more incidents like this. The question every major AI company is now being forced to answer is: where is the line between legitimate protection and undisclosed surveillance of your own users?

Anthropic moved fast — the rollback came within two days of the Reddit post. But the feature had been running silently for three months. The speed of the fix does not change the length of the silence.

🛠 What you should take from this

If you use any AI tool with deep access to your systems — coding assistants, writing tools, agents, anything that connects to your files or company infrastructure — assume it does more than the documentation describes. Not because every company is hiding something sinister, but because the documentation is almost never complete.

Ask the question your IT security team should already be asking: what does this tool send back, to whom, and under what conditions?

If your company routes AI tool traffic through a corporate proxy, be aware that this is the exact architecture Claude Code was targeting — not out of malice, but because it matches the profile of the pipelines being used to steal models. Your legitimate corporate security setup may have been triggering those markers for months.

And if you manage a team that uses AI coding tools: this is the right moment to establish a policy. What AI tools are approved, what they're allowed to access, and who reviews the terms when a new version ships.

Final thought

Anthropic built a hidden detection system because Chinese AI labs were stealing its models. That's a real problem.

They hid the detection system inside the tool without telling users. That's a different problem — and for many developers, a worse one.

Both things can be true at the same time. The AI industry is learning a lesson that every powerful technology eventually has to learn: the means matter, not just the ends. Trust is the product. And trust, once broken, is one of the hardest things to ship in a patch.

PS: The markers were obfuscated with XOR encryption and hidden inside apostrophe characters that look identical to their normal counterparts. Three different symbols. Invisible to every reader, every linter, every code review. Someone designed this carefully. That's the part nobody is saying out loud.

The Supercharged is aiming to be the world's #1 AI business magazine and is on a mission to empower 1,000,000 entrepreneurs worldwide by 2026, guiding them through the transition into the AI-driven creative age. We're dedicated to breaking down complex technologies, sharing actionable insights, and fostering a community that thrives on innovation, to become the ultimate resource for businesses navigating the AI revolution.

The Supercharged is the #1 AI Newsletter for Entrepreneurs, with 25,000 + readers working at the world’s leading startups and enterprises. The Supercharged is free for the readers. Main ads are typically sold out 2 weeks in advance. You can book future ad spots here.

I'm sending this email because you registered for one of our workshops or our affiliates brought you. You can unsubscribe at the bottom of each email at any time.

Reply

Avatar

or to participate

Keep Reading