The ‘Transfer Station’ Racket: How China’s Claude Black Market Runs on Antidetect Browsers and Stolen Selfies

Inside the modular 8-layer supply chain using SIM banks, TLS spoofing, and open-source relays to resell Claude API access at 90% off, and why your prompts are the real product.

The Chinese “transfer station” economy resells Claude API access at roughly 10% of Anthropic’s retail price through an eight-layer supply chain that combines antidetect browsers, TLS fingerprint spoofing, physical SIM banks, and open-source relay software. Account farmers defeat phone verification with hardware like Hybertone GoIP racks and bypass KYC using AI-generated IDs and real-time deepfake injection. A recent CISPA Helmholtz audit found that 45.83% of audited proxy endpoints failed model-fingerprint verification, with some silently routing Claude Opus requests to cheaper models like Haiku or Qwen while logging every prompt for resale. This post breaks down the technical mechanisms, the economic incentives, and the security implications of a gray market that turns subsidized API credits into industrial-scale distillation pipelines.

The Gutter Token Economy

If you see Claude Opus access advertised for less than the price of a latte, you’re not getting a deal. You’re getting a glimpse into one of the most sophisticated gray-market supply chains in modern AI.

The “transfer stations” (中转站) operate openly on GitHub, Taobao, and Telegram, reselling API keys at discounts up to 90% off Anthropic’s list price. The surface-level explanation, shared accounts barely covering the server bills, doesn’t begin to explain the operation. A study from Oxford China Policy Lab researcher Zilan Qian and a wave of technical reporting have mapped out a modular, eight-layer pipeline where each component specializes in a single task: evasion, verification, relay, or monetization.

Layer 1, 3: The Factory Floor for Fake Accounts

At the base level, account farmers generate thousands of Anthropic identities using antidetect browsers like Multilogin, AdsPower, and GoLogin. These aren’t just incognito windows; they fully isolate browser fingerprints, canvas hashes, WebGL contexts, and timezone locales to prevent cross-session linkage.

Traffic is tunneled through residential proxies, while tools like curl_cffi fake Chrome’s TLS fingerprint at the JA3/JA4 network layer. Anthropic’s Clio detection system can spot anomalies within a session, but it has documented cross-account blind spots: it sees individual trees without recognizing the automated forest planting thousands of them per hour.

Phone Verification

Phone verification is defeated by SMS-Activate-class APIs, but the real infrastructure is physical. We’re talking about Hybertone GoIP hardware: racks holding hundreds of real SIM cards that can hot-swap between carriers and countries to receive one-time codes. A single rack can cycle through more phone numbers in an afternoon than most people use in a lifetime.

KYC Annihilation: When the Selfie Is a Deepfake

Anthropic’s April 2026 KYC upgrade added government ID and live selfie requirements. The transfer stations responded with a three-pronged bypass that turned identity verification into theater:

  1. Synthetic documents: OnlyFake-class services generate government IDs that pass optical checks.
  2. Real-time deepfake injection: OBS Virtual Camera pipes generated video from DeepFaceLive or Deep-Live-Cam directly into the verification flow, matching the synthetic ID to a blinking, nodding face on demand.
  3. Human-in-the-loop farms: When automation fails, operators recruit real people in low-income countries to complete live verification for a few dollars each, a practice previously observed in Worldcoin iris-scan recruitment operations.

The economics are perverse. Every time Anthropic adds a verification friction layer, it doesn’t stop the market; it simply raises the entry cost and creates a new billable service tier within the supply chain.

The Relay Stack: Open Source Meets Open Fraud

The actual proxy infrastructure runs on a small constellation of open-source repositories: one-api, new-api, claude-relay-service, claude2api, clewdr, and clove. These tools pool OAuth tokens, watch for prefixes like sk-ant-oat01-... or sk-ant-ort01-..., and rotate them across incoming requests.

The result is aggressive multiplexing. Thousands of end users share a single pool of farmed accounts, with the relay enforcing hourly token limits to keep individual Anthropic accounts from tripping rate-limit alerts. It’s a remarkably clean software architecture for a fundamentally dirty business.

Diagram of the relay stack: open-source proxy tools pool and rotate OAuth tokens across thousands of farmed accounts.

How They Actually Make Money

The token resale markup isn’t the primary revenue engine. It’s merely the bait.

Operators practice subscription fragmentation, splitting a $200 Claude Max subscription across dozens of users by hard-capping their hourly tokens. Some accounts are funded with stolen payment credentials, cycling through free trial pools until chargebacks trigger.

The real profit comes from data harvesting. Every prompt and response flowing through these relays gets logged. According to a February 2026 Anthropic disclosure, one network of over 20,000 accounts harvested approximately 16 million exchanges: 3.4 million routed through Moonshot proxies, 13 million through MiniMax relays, and 150,000 explicitly tagged for DeepChat distillation. Those datasets don’t stay private. Distilled training corpora labeled “Claude-Opus-reasoning” are already openly published on HuggingFace, giving competing labs free training fuel built from Anthropic’s compute budget.

The Quality Scam You’re Not Supposed to Notice

German researchers at CISPA Helmholtz audited 17 transfer station relays for a paper titled Real Money, Fake Models (arXiv 2603.01919). Their findings are staggering: performance drops of up to 47.21% compared to the official API. The mechanism is elegant in its dishonesty: relays silently route “Opus” requests to Haiku, GLM, or Qwen, then relabel the response before delivering it upstream.

CISPA Helmholtz audit results: performance drops of up to 47.21% compared to official API, with 45.83% of endpoints failing model-fingerprint verification.

45.83% of audited endpoints failed model-fingerprint verification entirely. One documented case from the research shows a relay advertising “Gemini-2.5” scored a measly 37% on a medical reasoning benchmark, while the genuine Claude Opus API scored nearly 84%. Users paying for frontier model reasoning were receiving cut-rate hallucinations with a premium price tag slapped on by the frontend. Developer communities monitoring the space have coined the perfect term for these cut-rate credits: gutter tokens. They are cheap, recycled, and likely to make you sick.
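One way an auditor can test an endpoint for the silent substitution described above, shown as an added example (it is not the CISPA paper's method or code): grade the same benchmark items on the official API and on the relay, then run a one-sided exact McNemar test on the items where the two disagree. The grade lists below are constructed sample data, and the function names are hypothetical.

```python
from math import comb

def mcnemar_one_sided(ref, relay):
    """Exact one-sided McNemar test on paired per-item grades (True = correct).

    Returns (b, c, p): b = items only the reference got right, c = items only
    the relay got right, p = P(X >= b) for X ~ Binomial(b + c, 0.5).
    """
    if len(ref) != len(relay):
        raise ValueError("both endpoints must be graded on the same items")
    b = sum(1 for r, x in zip(ref, relay) if r and not x)
    c = sum(1 for r, x in zip(ref, relay) if x and not r)
    n = b + c
    if n == 0:
        return b, c, 1.0  # identical grades: no evidence either way
    p = sum(comb(n, k) for k in range(b, n + 1)) / 2 ** n
    return b, c, p

def audit_endpoint(ref, relay, alpha=0.01):
    """Flag a relay whose answers are significantly worse than the reference.

    The model name in the relay's response is ignored on purpose: a relay that
    substitutes a cheaper model also relabels the response.
    """
    b, c, p = mcnemar_one_sided(ref, relay)
    return {
        "ref_acc": sum(ref) / len(ref),
        "relay_acc": sum(relay) / len(relay),
        "discordant": (b, c),
        "p_value": p,
        "suspect": p < alpha,
    }

# Constructed grades for 100 benchmark items (not data from the paper).
REFERENCE = [i < 84 for i in range(100)]            # official API: 84/100
DEGRADED = [i % 8 < 3 for i in range(100)]          # relay A: 39/100
FAITHFUL = [i < 82 or i == 90 for i in range(100)]  # relay B: 83/100

if __name__ == "__main__":
    for name, grades in (("relay A", DEGRADED), ("relay B", FAITHFUL)):
        print(name, audit_endpoint(REFERENCE, grades))
```

Pairing the grades item by item matters: a relay can match the headline accuracy on easy items and still fail the ones that need the advertised model.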

The Geopolitical Whack-a-Mole

Anthropic has been tightening restrictions since September 2025, blocking Chinese entities and escalating verification. The White House followed up in late April 2026, accusing Chinese operators of “industrial-scale distillation.” And yet, the schemes persist and evolve. Each restriction spawns a new circumvention vertical rather than stopping the flow.

The market is antifragile by design. Block residential proxies? Switch to mobile 4G IP pools. Kill virtual SMS numbers? Deploy GoIP SIM banks. Demand live selfies? Deep-Live-Cam just becomes a mandatory dependency. It’s an arms race where defensive measures mostly succeed in adding friction for legitimate users.

There’s a painful irony here, too. Anthropic’s campaign against Chinese AI distillation practices sits awkwardly beside its own inability to prevent its outputs from becoming the feedstock for competitors. The company built a moat with compute clusters and safety branding, but the transfer stations turned that moat into a public aqueduct.

You’re Not the Customer, You’re the Crop

Using these relays isn’t just a terms-of-service violation; it’s a data exfiltration event with your API key attached. If you’re a developer piping proprietary code through a claude2api relay to debug a production backend, that code is now training someone else’s model in an unregulated data center.

The risks extend beyond individual users. The 2023 Samsung leak, where engineers fed confidential semiconductor data to ChatGPT, demonstrated what happens when sensitive IP hits an untrusted third-party pipe. These transfer stations operate with zero data protection obligations and no contractual confidentiality. Every request is a donation to a competitor’s training run.
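A check a security team can run over repositories and developer machines to find this kind of relay use, shown as an added example that is not code from any project named in this post. It flags `ANTHROPIC_BASE_URL` settings that point anywhere other than the official API host, plus strings carrying the OAuth token prefixes mentioned in the relay-stack section. The approved-host list, the rule names, the token character class and the sample files are assumptions or constructed values.

```python
import re
from urllib.parse import urlparse

# Assumption: your organisation approves only the official API host.
APPROVED_HOSTS = {"api.anthropic.com"}

# ANTHROPIC_BASE_URL assignments in .env, shell, YAML or JSON form.
BASE_URL = re.compile(
    r"""ANTHROPIC_BASE_URL["']?\s*[:=]\s*["']?(https?://[^\s"',]+)""", re.I)

# Token prefixes named in the article; the character class that follows the
# prefix is an assumption, not a documented token format.
OAUTH_TOKEN = re.compile(r"sk-ant-o[ar]t01-[A-Za-z0-9_-]+")

def scan_text(path, text):
    """Return (path, line, rule, detail) findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = BASE_URL.search(line)
        if m:
            # Compare the parsed hostname, not a substring, so lookalike
            # hosts such as api.anthropic.com.<something> are still flagged.
            host = urlparse(m.group(1)).hostname or ""
            if host not in APPROVED_HOSTS:
                findings.append((path, lineno, "unapproved-endpoint", host))
        for tok in OAUTH_TOKEN.finditer(line):
            # Never copy the secret into the report: keep only the prefix.
            findings.append(
                (path, lineno, "oauth-token", tok.group()[:13] + "<redacted>"))
    return findings

def scan_files(files):
    """Scan a {path: contents} mapping in a stable order."""
    return [f for path, text in sorted(files.items())
            for f in scan_text(path, text)]

# Constructed sample files; hosts and the token value are placeholders.
SAMPLE = {
    ".env": "ANTHROPIC_BASE_URL=https://relay.example.invalid/v1\n"
            "RELAY_TOKEN=sk-ant-oat01-CONSTRUCTED_EXAMPLE_ONLY\n",
    "deploy.sh": "export ANTHROPIC_BASE_URL=https://api.anthropic.com\n",
    "settings.json": '{"env": {"ANTHROPIC_BASE_URL": '
                     '"https://api.anthropic.com.cdn.example.invalid"}}\n',
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE):
        print(finding)
```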

The Real Price of Cheap Tokens

The transfer station economy exists because frontier AI pricing and geographic availability are still fundamentally misaligned with global demand. Anthropic charges rates calibrated to Silicon Valley wallets while geo-fencing access in regions with enormous developer populations. The result isn’t traditional software piracy; it’s a market correction executed by automation.

But the correction comes with a tax. Users subsidize their own discounts by surrendering data integrity, model fidelity, and intellectual property. Until API pricing reflects actual marginal compute costs rather than VC-subsidized burn rates, the SIM banks and antidetect browsers will keep humming. You’re not beating the system by buying a $1 Claude key; you’re leasing temporary access from people who beat it first, and they’re keeping a copy of everything you say.
