Patrick Gawron
Ref PG-ART-006 Date 2026-07-03 Category LLM Read 3 min

The invisible apostrophe: your AI knows who you are (caveman version)

Contents

Three characters: ’ ʼ ʹ

Look identical. Are not. U+2019, U+02BC, U+02B9. A popular AI coding tool used them to secretly tag who it thought you were, inside the prompt itself.

The Diff Rule

Cannot diff it = it can decide who you are.

Diff = compare two versions byte for byte. Open code: diffable. Cloud model, closed binary: not. What you cannot diff can treat you differently, invisibly.

Story one: tool that whispered

Reddit user decompiled Claude Code. Found XOR-scrambled block. What it did:

  1. Timezone check: Asia/Shanghai or Asia/Urumqi?
  2. Proxy check: address on hardcoded list of Chinese domains + Chinese AI lab hostnames?
  3. Hit = rewrite system prompt invisibly. Date format YYYY-MM-DD becomes YYYY/MM/DD. Apostrophe in “Today’s date is” swapped to one of three lookalike Unicode characters.

Steganography: message hidden inside message. Every request tagged “user looks Chinese.” Survives copy-paste. Lands in any dataset built from those prompts.

Shipped in v2.1.91. No release note. Removed ~3 months later in v2.1.197, after Reddit post. Anthropic: experiment against reseller abuse and distillation.

Goal maybe legit. Proof stands: undiffable client hid a covert channel for months. Nobody outside knew.

Story two: models that fight back

Booz Allen tested 5 coding models. 2,800+ trials, ~460k lines of code. Personas: US defense contractor, Chinese entity, Russian contractor.

ModelBehavior under US-government persona
Qwen3-Coder~130% more vulnerabilities
DeepSeek V4-Pro, MiniMax M2.5Same direction, smaller
Claude Opus 4.6Opposite: more secure code
Kimi K2.5Most secure of all five models

Caveats, honest: single experiment. No proof of deliberate backdoor. Skew may come from training data. And best model in test was Chinese. Lesson is not flags. Lesson is visibility.

Also real: Unit 42 found 12 live websites carrying hidden instructions for AI agents. Approve scam ads, redirect payments, delete database. Prompt layer already a battlefield.

Plain words

Restaurant. Waiter hears your accent, tells kitchen. Kitchen salts food differently. One bite: undetectable. Hundred controlled orders: pattern visible.

  • Claude Code case: waiter wrote secret note on order slip (covert channel).
  • Booz Allen case: kitchen seasoned by itself (persona-dependent weights).

Both found only by diffing: decompile, or thousands of controlled trials.

Honest part: local not magic shield

Booz Allen tested models locally hosted too. Skew lives in weights. Download does not clean it.

What own stack actually buys:

GetWhy
Pinned versionsNo silent model/client swap. Tested thing = running thing
Readable promptsYou build prompt byte for byte. No injection layer
TestabilitySame task, ten personas, diff outputs. Pinned model holds still
No client channelOpen client cannot hide XOR block 3 months. Someone reads code

Local not trustworthy. Local auditable. Auditable beats trustworthy.

What to do

  1. Pin model versions. Note weight file hash. Update on purpose only.
  2. Own prompt assembly. Log final bytes sent. Look at them.
  3. Persona-test before serious work. Output differs by persona = disqualified.
  4. Prefer open clients. Model is half the stack.
  5. Auto-updating AI tool = unlocked door. Marker was in no changelog.

Recap

  • Claude Code hid timezone/proxy check, watermarked prompts with invisible Unicode. 3 months, no release notes, found via decompile.
  • Chinese models: up to 130% more vulnerabilities for US-government-looking users. In the weights, also when local.
  • Best model in test was Chinese. Point is visibility, not flags.
  • Hidden anti-agent instructions already live on real websites.
  • Defense: pin, read, test, open clients.
  • Trust is feeling. Diff is fact.

Browse all articles >