Claude API Sold at 90% Off in Chinese Grey Market

Key Takeaways

• Proxy services in China sell Claude API access at 10% of official prices through stolen credentials and bulk account farming
• Users requesting premium models like Claude Opus may receive cheaper alternatives with fraudulently relabeled outputs
• Operators harvest every prompt and response passing through their servers, reselling the data as AI training material

A grey-market economy of API proxy services in China is reselling access to Anthropic's Claude models at 10% of official prices. The findings come from an investigation by Oxford China Policy Lab researcher Zilan Qian, published Monday.

The proxy networks, called "transfer stations" in Chinese developer communities, operate openly on GitHub, Taobao, and Telegram. Their pricing model works through stolen credentials, model substitution, and harvesting user prompts and outputs for resale as AI training data.

How the Supply Chain Works

Qian's research describes a modular supply chain where most participants handle only one or two links. Upstream operators bulk-register Anthropic accounts by farming free API credits, exploiting corporate discounts, or subdividing $200 Max subscription plans across dozens of users.

Some accounts enter the pool at zero cost, purchased with stolen credit card details, according to Qian.

Anthropic has tried to fight back with identity verification requirements. Some users now face photo ID and live selfie checks. But the supply chain adapted. Qian reports that operators have recruited real people in lower-income countries to complete verification in person.

The Worldcoin biometric black market provided a template. Iris scans harvested in Cambodia and Kenya sold for under $30 on that platform.

White House and Anthropic Warnings

These findings give weight to warnings issued by both the White House and Anthropic in recent weeks. In late April, the White House accused Chinese entities of running "industrial-scale" distillation campaigns against U.S. frontier models using tens of thousands of proxy accounts.

Anthropic disclosed similar activity in February, identifying roughly 24,000 fraudulent accounts linked to Chinese labs. The list included DeepSeek, Moonshot AI, and MiniMax.

Model Substitution Fraud

German researchers at the CISPA Helmholtz Center for Information Security audited 17 of these proxy services. They found widespread model substitution.

Proxy access marketed as "Gemini-2.5" scored just 37% on a medical benchmark where the official API scored nearly 84%. Users requesting Claude Opus may instead receive responses from cheaper models like Sonnet, Haiku, or even domestic Chinese alternatives like Qwen. The output gets fraudulently relabeled.

This creates a double problem: customers pay for premium models but receive inferior ones, while the quality gap could affect any downstream products built on the API.

Data Harvesting Is the Real Business

The proxy operators collect every prompt and response that passes through their servers. For coding agents, that means complete reasoning chains, repository context, and human-verified outputs.

Several Chinese developers told Qian that the access markup is essentially customer acquisition. Harvesting those logs is the actual business. The data gets resold as AI training material.

Datasets of Claude Opus 4.6 reasoning outputs with no clear provenance already circulate in the market, according to the investigation.

Implications for Developers

Any developer using unofficial API access faces multiple risks. Their code, prompts, and proprietary logic may end up in training datasets used by competitors. They might receive degraded model outputs that affect product quality. And they could face legal exposure for using stolen credentials.

The investigation also raises questions about data security for anyone who has used these services unknowingly. Prompts containing sensitive business information, customer data, or trade secrets may already be circulating.

Frequently Asked Questions

How do Chinese proxy services sell Claude API access so cheaply?

They use stolen credit cards to create accounts at zero cost, exploit corporate discount programs, subdivide subscription plans across many users, and farm free API credits. The data they harvest from users provides additional revenue.

What is model substitution in AI API fraud?

When users pay for access to premium models like Claude Opus but actually receive responses from cheaper models like Sonnet, Haiku, or domestic Chinese alternatives. The output is fraudulently relabeled to hide the substitution.

How does Anthropic verify user identity for Claude API access?

Anthropic now requires photo ID and live selfie checks for some users. However, fraudsters have recruited people in lower-income countries to complete verification in person, bypassing these controls.

What happens to prompts sent through grey market API proxies?

Every prompt and response is collected by proxy operators and resold as AI training data. For coding agents, this includes complete reasoning chains, repository context, and human-verified outputs.

Which Chinese labs were linked to fraudulent Anthropic accounts?

Anthropic identified DeepSeek, Moonshot AI, and MiniMax among the labs linked to roughly 24,000 fraudulent accounts discovered in February 2025.

Source: Latest from Tom's Hardware