Chinese proxy networks sell Claude API access at 90% off. They harvest every prompt that passes through.

Anthropic geoblocks China, requires overseas credit cards, and as of April 2026 runs live biometric verification on new accounts. None of it has stopped a sprawling grey market from reselling Claude API access at roughly 1 RMB per $1 of tokens, a 70% to 90% discount.

A detailed investigation by ChinaTalk traces how “transfer stations” operate openly on Taobao, Telegram, WeChat, and GitHub. The operation has three revenue streams: the markup on cheap tokens, the model substitution fraud, and the data they collect from every request that passes through their servers.

What we know

• Credential sourcing. Upstream suppliers bulk-register Anthropic accounts by farming $5 free API credits, exploiting corporate discount tiers, or subdividing $200 Max subscription plans across dozens of users. Some accounts enter the supply chain at zero cost, purchased with stolen credit card details. To clear Anthropic’s identity verification, operators recruit real people in lower-income countries to complete biometric checks, with iris scans reportedly selling for under $30.

• Model substitution. A German research team auditing 17 proxy services found that users requesting Claude Opus frequently received responses from cheaper models: Sonnet, Haiku, or domestic Chinese alternatives like Qwen and GLM. The outputs were relabeled to look like Opus responses. One proxy marketing itself as “Gemini 2.5” scored 37% on a medical benchmark where the official API scored 83.82%.

• Prompt harvesting. Every request through these proxies (prompts, responses, tool calls, and full reasoning chains) stays on operator servers. ChinaTalk’s investigation found several Chinese developers who confirmed that harvesting these logs is the actual business model. The data feeds supervised fine-tuning pipelines, distills reasoning patterns from frontier models, and gets resold to competitors. Users aren’t just customers. They’re unpaid data producers.

• Scale. Specialized ranking sites track proxy uptime and pricing in real-time, similar to how AWS instance prices get aggregated. GitHub repositories catalog active transfer stations. The infrastructure looks more like a commodity market than a black-market operation.

What we don’t know

• How many total users route through these proxies. The ChinaTalk investigation doesn’t estimate the aggregate volume, though the number of competing services suggests significant demand.
• Whether Anthropic has detected and revoked specific batches of stolen credentials tied to these networks, or if the supply chain replaces them faster than enforcement can act.
• How much of the harvested data has already been used to train competitor models. Anthropic disclosed in February 2026 that Chinese AI firms routed 16 million queries through Claude to copy its behavior, but the connection to these specific proxy networks isn’t confirmed.

Anthropic’s countermeasures

The company has progressively tightened access controls:

• Complete geoblock of Chinese IP addresses
• Overseas credit card requirement with address matching
• Ban on entities more than 50% owned by Chinese companies
• Live biometric KYC verification rolled out in April 2026

Each layer gets circumvented. The biometric requirement, the newest barrier, is being defeated by recruiting verification subjects in countries where a $30 payment for an iris scan represents real money. The people performing these checks face legal and reputational risks they don’t fully understand, according to ChinaTalk’s reporting.

What this means for you

If you’re a developer and you’ve seen suspiciously cheap Claude API access advertised anywhere, the pricing tells you everything. There’s no legitimate way to offer 90% off Anthropic’s rates. The discount comes from stolen credentials, and the hidden cost is that your prompts, your code, and your data get logged, sold, and used to train the next competitor.

For companies building on the Anthropic API: verify you’re hitting Anthropic’s actual endpoints. If a vendor or internal tool routes through a third-party proxy, assume every token is being recorded. The medical benchmark scores from the German audit team show that model substitution isn’t hypothetical. It’s routine.