China's shadow market offers access to Claude, Gemini, GPT, and other frontier models. Pay a local seller, get an API endpoint, connect it to a coding tool, and use models that are hard or impossible to reach directly from mainland China.
These API relay platforms are being advertised on Taobao and Xianyu. Sellers promise no-VPN access, low latency, large context windows, coding-tool compatibility, and official-looking Claude, Gemini, and ChatGPT access. Some listings claim "1:1 official models."
Claude and Gemini are not normally available in mainland China. Those shadow API sellers offer a workaround: instead of calling Anthropic, Google, or OpenAI directly, the developer calls the seller's server.
That server is the middleman. It receives the prompt, sends it somewhere else, gets an answer back, and returns that answer to the developer's tool.
The product is a working API path to models the buyer cannot easily call directly.
The seller usually gives the buyer three things:
To the buyer, it looks similar to using an official API. Put the base URL and key into your tool (e.g. a coding harness), choose a model name, and send requests.
The important difference is that the endpoint is not run by the model company. It is run by the seller. The buyer is not sending prompts directly to Anthropic, Google, or OpenAI. The buyer is sending prompts to a third party that decides what to do next.
The possible upstream routes can be an official API account, a cloud account, a consumer subscription, a pool of accounts, or a cheaper substitute model returned under a more expensive model name.
As a user you cannot verify which route the seller actually used for a request.
The flow is straightforward:
Developer tool
->
Seller's API endpoint
->
Upstream account or model chosen by the seller
->
Answer returned to the userThe seller's endpoint is doing the routing. That means the seller controls the upstream account, the model choice, the logs, rate limits, and any fallback behavior.
A March 2026 audit of shadow APIs found weak transparency around provider identity, upstream models, and infrastructure. The authors identified 17 shadow API providers that had already appeared in research and open-source workflows.
So the model name you are seeing as a user might very well be fake. A dropdown that says Claude or Gemini does not prove that the request actually went to the official Claude or Gemini API.
Some sellers advertise access below official API prices.
Small discounts can have ordinary explanations: unused quota, promotional credits, volume pricing, or a cheaper payment path.
Very large discounts need a different supply source. ChinaTalk's investigation into cheap Claude tokens in China describes transfer stations, account merchants, SMS verification services, card merchants, proxy networks, subscription pooling, and downstream resellers. It says some Claude access is sold at roughly 10% of the official price.
Several mechanisms can reduce the seller's cost:
Coding agents make subscription resale especially attractive. A normal subscription is priced for one user. If a seller turns that subscription into a shared endpoint for many users, the apparent per-user cost drops until the account is limited or banned.
Anthropic's February 2026 distillation report shows the same kind of account infrastructure at larger scale. Anthropic said DeepSeek, Moonshot, and MiniMax generated more than 16 million Claude exchanges through about 24,000 fraudulent accounts. It also described proxy networks where banned accounts are replaced and traffic is spread across many nodes.
A shadow API seller can advertise one model and serve another.
If the buyer asks for Claude Opus or Gemini Pro, the seller can send the prompt to a cheaper model and still return the response under the expensive model name.
The shadow API audit found performance gaps, inconsistent safety behavior, and failed fingerprint checks when comparing shadow APIs with official APIs. In one reported case, an endpoint sold as Gemini-2.5 performed far below the official API on a medical benchmark.
This matters for normal users, but it also matters for research. If a paper or benchmark uses a shadow API endpoint while assuming it is testing an official model, the measured system may not be the model named in the paper.
The obvious risk is privacy: you are sending proprietary code through an unknown server. A coding-agent session typically includes repository context, stack traces, package files, test outputs, tool calls, failed patches, successful patches, and human feedback. That is extremely valuable training data.
ChinaTalk argues that proxy logs may be one of the hidden monetization channels in this market. Every request passing through a proxy includes the full prompt, response, tool calls, and iteration history. For AI coding agents, those logs are unusually rich because they capture real engineering workflows and sometimes human-validated fixes.
Anthropic says that Chinese AI labs generated millions of Claude exchanges to train or improve their own models. This makes the economics easier to understand. A relay station might not need to make much profit on tokens if the traffic also produces valuable training data. The user thinks they are buying discounted inference while the operator is in the business of acquiring training data.
Providers can ban accounts, block suspicious regions, require stronger verification, monitor traffic patterns, and shut down obvious abuse. But if one account dies, another replaces it. If one relay endpoint is blocked, traffic moves to another. If one seller disappears, another appears on a marketplace. If KYC gets stricter, someone will provide identity verification, overseas cards, phone numbers, or cloud accounts.
Anthropic described this kind of infrastructure as “hydra cluster” behavior: networks of fraudulent accounts with no single point of failure. In one case, it said proxy services mixed suspicious extraction traffic with unrelated customer traffic, making detection harder.
What I'm building
Give Vroni a GitHub issue, bug report, spec, or rough idea. It reads the repo, plans the change, writes code, runs checks, and works toward a review-ready pull request.
Take a look at vroni.comI respect your privacy. Unsubscribe at any time.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。