An Oxford China Policy Lab study reveals a supply chain of Chinese “transfer stations” that sell Anthropic Claude access for as little as 10% of the official price. The operation relies on bulk‑registered accounts, stolen payment data, model substitution, and systematic collection of user prompts and outputs for resale as training data, raising security and intellectual‑property risks for developers worldwide.
Announcement
A new investigation by Oxford China Policy Lab researcher Zilan Qian uncovers a sprawling grey‑market ecosystem in China that resells access to Anthropic’s Claude models at roughly 10 % of the official price. The service, advertised on GitHub, Taobao and Telegram, is marketed under names such as “Gemini‑2.5” and promises full Claude Opus performance while delivering far‑inferior outputs. The operation hinges on three tactics:
- Stolen or subsidised credentials – bulk‑registered accounts are created with free trial credits, corporate discount abuse, or outright stolen credit‑card details.
- Model substitution – users requesting Claude Opus often receive responses from cheaper Anthropic tiers (Sonnet, Haiku) or domestic Chinese models like Qwen, with the results relabelled as Claude.
- Prompt‑output harvesting – every request and response passing through the proxy is logged, packaged, and sold as high‑quality training data on platforms such as HuggingFace.
{{IMAGE:2}} Image credit: Getty Images
Technical specs and supply‑chain mechanics
Account generation pipeline
- Free‑credit farming: Researchers observed that a single Anthropic trial yields up to $200 of credit. By scripting bulk sign‑ups, operators can amass thousands of dollars in usable quota.
- Discount exploitation: Enterprise pricing tiers that charge $200 per month for 100 k tokens are split across dozens of users, effectively reducing the per‑user cost to under $5.
- Stolen payment data: Credit‑card dumps purchased on underground forums are fed into the sign‑up flow, bypassing Anthropic’s anti‑fraud checks.
- Human verification outsourcing: To satisfy Anthropic’s new ID‑photo and selfie requirements, the network hires low‑wage workers in Cambodia, Kenya and other regions. The workflow mirrors the Worldcoin biometric market, where iris scans are sold for under $30 per verification.
Model substitution evidence
German security researchers at the CISPA Helmholtz Center audited 17 proxy services. Their benchmark on a medical reasoning dataset showed:
- Official Claude Opus: 84 % accuracy
- Proxy “Gemini‑2.5”: 37 % accuracy The gap indicates that many proxies are returning responses from Sonnet (≈70 % of Claude Opus), Haiku (≈45 %), or even Qwen‑1.5‑14B, which scores below 30 % on the same benchmark.
Data harvesting pipeline
Every prompt‑response pair is stored in a central log. For coding agents, this includes:
- Full repository context (file names, snippets, dependency trees)
- API keys and authentication tokens embedded in code comments
- Detailed reasoning chains generated by Claude’s chain‑of‑thought mode These logs are periodically packaged and uploaded to public model‑training hubs. The resulting datasets lack provenance metadata, making it difficult for downstream users to assess licensing or privacy compliance.
Market and security implications
Pricing pressure on legitimate API providers
- Official Claude pricing (as of Q2 2024) is $30 per 1 M tokens for Opus. The grey‑market offers the same token bundle for $3.
- Such a disparity forces enterprises to either accept higher risk or negotiate bulk discounts, potentially eroding Anthropic’s revenue stream.
Intellectual‑property exposure
Developers routinely feed proprietary source code, design documents, and even semiconductor fab process parameters into Claude for code‑generation or troubleshooting. Routing that traffic through an unvetted proxy means:
- Direct leakage of trade secrets to an entity with no contractual data‑handling obligations.
- Secondary use of the leaked data to train competing models, effectively weaponising the developer’s own work against them.
A 2023 incident at Samsung—where engineers unintentionally sent confidential fab recipes to ChatGPT—illustrates the magnitude of risk. Proxy services amplify that risk by operating without any terms of service, privacy policy, or auditability.
Policy response and evasion dynamics
Anthropic’s September 2023 block on Chinese‑controlled entities and the rollout of stricter ID verification have not eliminated unauthorized access. Instead, each control layer spawns a new evasion market:
- Verification farms replace automated checks with human workers.
- Credential marketplaces replace direct theft with bulk‑sale of verified accounts.
- Model‑masking services replace direct API calls with re‑branding of cheaper models.
The pattern mirrors earlier “industrial‑scale” distillation campaigns warned about by the White House in April 2024, where tens of thousands of proxy accounts were used to harvest U.S. frontier‑model outputs for Chinese training pipelines.
Outlook
If the grey‑market supply chain continues to scale, we can expect:
- Increased volume of low‑cost, high‑quality training data flowing into Chinese AI labs, accelerating their model‑development cycles.
- Heightened scrutiny from regulators in the U.S., EU and China, potentially prompting new cross‑border data‑transfer rules.
- A shift toward on‑premise or edge‑deployed LLMs for enterprises that cannot risk exposing code to third‑party proxies.
Stakeholders—AI providers, enterprise developers, and policy makers—must coordinate on three fronts: tighter credential issuance, transparent audit logs for API usage, and legal frameworks that hold proxy operators accountable for data theft and misrepresentation.
For a deeper technical dive, see the full Oxford China Policy Lab report here.
Comments
Please log in or register to join the discussion