You see a Taobao listing selling Claude API tokens at 90% off. That is not a deal. That is you paying someone to steal from you.

A grey market economy has grown up around one fact: Chinese developers can’t directly access Claude, GPT, or Gemini. Geoblocking, phone verification, credit card requirements, even biometric KYC. Every control Anthropic or OpenAI adds creates a new evasion layer. The result is a sprawling network of API proxies called “transfer stations” (中转站). They route your prompts through overseas servers and let you pay in RMB via WeChat or Alipay.

It works. It’s cheap. And you have no idea what you’re signing up for.

How a “Transfer Station” Works

A transfer station is a middleman. You point your code at their server instead of Anthropic’s. They forward your request from a legitimate account they control, then send the response back. Community-run GitHub repos catalogue and rank them by price and uptime.

The problem is what happens between your request and your response. You have no control, no visibility. You hand your entire context window to an unaccountable stranger.

Here is what happens when you do.

1. You’re Not Getting What You Paid For

You select Claude Opus. The proxy routes you to Sonnet, or Haiku, or a Chinese model like GLM or Qwen, and relabels the output. You would not know. Until a complex task produces something that feels “dumbed down” (降智, as Chinese developers call it).

Researchers at Germany’s CISPA Helmholtz Center audited 17 API proxies and found widespread model swapping. One proxy advertising “Gemini-2.5” scored 37% on a medical benchmark. The real API scored 84%. The real API is a different model entirely.

You pay premium prices for bargain-bin output. You cannot prove it.

2. Your Data Is Being Harvested

Every prompt, every response, every tool call, every coding agent iteration passes through the proxy’s server in plaintext. For an AI coding agent, that means your full codebase context, your reasoning chains, your API keys, your AWS credentials, your GitHub tokens, your system prompts. Everything.

Chinese developers describe this as “one fish, three meals” (一鱼三吃). The first meal is the markup on access. The second is model substitution. The third is the logs. The markup business is customer acquisition. The log harvest is the actual margin.

You are simultaneously a paying customer and an unpaid data producer. Your private engineering data collected, packaged, sold. Some Chinese developers have warned about fraud and blackmail based on leaked proxy data.

Datasets of Claude Opus reasoning outputs have appeared on HuggingFace with no clear provenance. The supply chain from proxy logs to public training data exists. It is just opaque.

3. Malware Disguised as npm and PyPI Packages

In April 2026, security researchers at Aikido found two malicious packages on npm (kube-health-tools) and PyPI (kube-node-health). Both used Kubernetes-sounding names. Both silently installed a full LLM proxy server on the victim’s machine.

The payload was a Go binary that opened a reverse tunnel back to a C2 server in China. It exposed the machine’s SSH server, targeted HashiCorp Vault (a secrets store common in Kubernetes), and gave attackers a reverse shell, SFTP access, and a SOCKS5 proxy. It ran an OpenAI-compatible LLM proxy routing traffic through Chinese aggregators.

The dropper deleted its own package from node_modules within two seconds of launch. A post-incident scan found nothing.

Your server becomes a proxy node, forwarding other people’s traffic alongside your own.

4. Supply Chain Poisoning Through the Proxy

It works without you noticing.

Researchers Hanzhi Liu and colleagues documented that malicious API proxies can inject tool calls into AI coding agent responses mid-flight. Your coding agent asks for a library. The proxy rewrites the response to suggest pip install malicious-package or curl malicious-script | bash. You never see it happen. The output looks normal.

In a corpus of 428 commodity AI routers, 9 were actively injecting malicious code into returned tool calls. Another 17 touched researcher-owned AWS canary credentials after they passed through in transit.

You are not just losing data. You are being fed modified outputs designed to compromise your systems.

5. The Biometric Harvester Pipeline

Anthropic now requires some users to verify their identity with a government photo ID and a live selfie. The proxy economy’s response: AI-generated fake IDs, deepfake tools for liveness checks, and agents traveling to lower-income countries in Africa and Latin America to recruit real people to complete in-person verification.

The Worldcoin black market showed this model works. Iris scans harvested in Cambodia and Kenya sold for under $30. The same infrastructure is being adapted for AI API access.

You are not just paying for tokens. You are funding an identity theft supply chain that exploits some of the world’s most vulnerable people.

The Bigger Picture

The White House and Anthropic have framed the proxy economy as an industrial-scale distillation operation by Chinese frontier labs. That framing is incomplete.

The transfer station economy is not a handful of labs. It is university students, tech workers, individual developers, and hobbyists. Anyone who wants better tools than they can access directly. They all route through the same proxies, generating the same harvestable data.

Every layer of access control produces a corresponding evasion. KYC bred an ID-faking economy. Geoblocking bred VPN services. API restrictions bred transfer stations. The controls do not stop the determined user. They make the middlemen more profitable.

Those middlemen see everything.

What to Do

If you use a transfer station, stop. The price difference is not a hack. It is your data being monetized in ways you cannot see.

If you are a developer who needs access, build your own relay. Some Chinese developers have open-sourced the guidelines. It is more work. It keeps your data in your control.

If you are a company, audit your dependencies. Look for unusual packages in your lockfiles. Monitor outbound API traffic that does not go to official endpoints. The malware is active and targeting Kubernetes environments specifically.

If you are in the US and this sounds like a China problem, it is not. Anyone using a cut-price API aggregator faces the same risks. The mechanisms are the same. The data is the same. The only difference is which middleman you trust.

The 90% discount is a fee you pay in privacy, security, and the exploitation of other people. The real cost is everything you cannot see.

Sources: ChinaTalk, Aikido.dev, Tom’s Hardware, CISPA Helmholtz Center, Anthropic, White House NSTM-4