Regardless of whether Chinese labs rely on distillation to “catch up”, both documents misread the proxy economy they’re describing. Underneath the handful of labs sits a much larger market, one that has been operating in public on GitHub, Taobao, Twitter, and Telegram. It is a grey economy of API proxies (commonly called “transfer stations,” 中转站) that lets Chinese developers access Anthropic’s models at as low as 10% of the official price. The participants extend far beyond a select group of experienced AI researchers, and the motivations are much broader than building a frontier model to catch up. Everyone who wants to use more advanced AI models or tools, be they university professors and students, tech workers, individual developers, or hobbyists, uses API proxies. The logs they generate may have become a commodity, traded for purposes ranging from model training to targeted fraud.
Meanwhile, every layer of control frontier US AI companies have added (geoblocking, phone verification, credit card requirements, and now live biometric KYC checks) has produced a corresponding layer of evasion infrastructure. These new SMS farms and biometric harvesting operations have implications that extend beyond geopolitics into how frontier AI safety frameworks are designed.
[...]
A transfer station (中转站) is what the Chinese developer ecosystem calls an API proxy: an overseas server that sits between a developer and Anthropic’s infrastructure. It accepts API requests, forwards them as if they originated from the transfer station’s location, and passes the response back. The user points their software at the proxy’s server instead of Anthropic’s, and pays the API proxy in RMB via WeChat or Alipay. This sidesteps both the VPN and the overseas credit card needed for direct access. Prominent transfer stations are catalogued in community repositories and ranked by real-time price and uptime. Below them, a longer tail of small and individual projects comes and goes.
While this setup sounds functionally identical to legitimate Western API aggregators like OpenRouter, transfer stations operate in an entirely different universe of legality and trust. Legitimate aggregators exist to simplify developer workflows, charging standard rates based on transparent enterprise agreements. Transfer stations, conversely, are built explicitly for evasion, routing data through unaccountable middlemen.
[...]
A transfer station is not a sole entity. It sits in the middle of a layered supply chain, with most participants never interacting with each other directly.
Upstream are the resource providers: account merchants who bulk-register or acquire Anthropic accounts at scale; SMS verification platforms that supply the foreign phone numbers needed to pass sign-up checks; and, at the more technical end, reverse engineers who analyze Anthropic’s client code to find authentication shortcuts or detect when detection logic has changed. Payment infrastructure, in the form of card merchants and proxy networks, also enables overseas billing from inside China.
The upstream also tackles more sophisticated KYC regimes, using either AI or humans. AI services have demonstrated the ability to generate highly realistic fake IDs capable of bypassing identity verification on major platforms, and deepfake tools now allow criminals to create digital clones that successfully pass biometric verification remotely. Even if the defender can successfully detect AI faking humans, a more labour-intensive method exists: finding real humans. Agents travel to lower-income countries in Africa or Latin America to recruit real individuals willing to complete in-person verification. The Worldcoin black market offered a documented precedent, with iris scans harvested from KYC merchants in Cambodia and Kenya, sold for under $30.
[...]
Almost no one operates the full chain. Most participants own one or two links and monetise those well, resulting in a resilient, modular system. AI model providers can suspend individual operators, but the upstream account pools and downstream customer base remain intact. So long as there are developers who want access to Claude and identity black markets willing to supply the credentials, which are both durable features, a replacement can be stood up quickly.
[...]
Meal 2: Swapping models and inflating tokens. Because users’ inputs and model outputs are mediated through a proxy, users cannot verify which model their request was actually routed to. A user selects Opus 4.7, but the proxy can silently route to Sonnet, Haiku, or, in the worst case, GLM or Qwen, and fraudulently relabel the output. In a recent paper from Germany’s CISPA Helmholtz Center for Information Security (which cited my article last year on the grey market!), researchers audited 17 API proxies and found widespread model swapping: API proxy access to “Gemini-2.5” achieved only 37.00% on a medical benchmark, a staggering drop from the 83.82% performance of the official API. On the user end, the tell only comes on complex tasks, when the output feels off (often referred to as 降智, or “dumbed-down”), but there is no clean way to prove it. Numerous public records highlight concerns that certain API proxies have noticeably compromised model performance. These proxies are suspected of “diluting” (掺水) services by substituting premium frontier models with inferior tiers.
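The benchmark comparison described above can be turned into a repeatable check. The following is an added example, not code from the article or from the CISPA paper: it sends the same questions to the official endpoint and to a proxy, then applies a one-sided exact McNemar test to the paired results. The function names, the 200-question sample and the per-question outcomes are constructed for illustration.

```python
from math import comb

def mcnemar_exact(ref, proxy):
    """One-sided exact McNemar test on paired per-question results.

    ref / proxy: lists of bools (was the answer correct?) for the SAME
    questions in the same order. Returns (b, c, p): b = official right and
    proxy wrong, c = official wrong and proxy right, and
    p = P(X >= b) for X ~ Binomial(b + c, 0.5), i.e. under "no difference".
    """
    if len(ref) != len(proxy):
        raise ValueError("result lists must cover the same questions")
    b = sum(r and not p for r, p in zip(ref, proxy))
    c = sum(p and not r for r, p in zip(ref, proxy))
    n = b + c
    if n == 0:                      # the two runs agree on every question
        return b, c, 1.0
    p_value = sum(comb(n, k) for k in range(b, n + 1)) / 2 ** n
    return b, c, p_value

def audit(ref, proxy, alpha=0.01):
    """Summarise one proxy run against the official-endpoint baseline."""
    b, c, p = mcnemar_exact(ref, proxy)
    return {
        "official_acc": sum(ref) / len(ref),
        "proxy_acc": sum(proxy) / len(proxy),
        "only_official_right": b,
        "only_proxy_right": c,
        "p_value": p,
        "verdict": "degraded" if p < alpha else "consistent",
    }

# Constructed results for 200 benchmark questions (not the paper's data).
REF = [True] * 168 + [False] * 32                                # official API
SWAPPED = [True] * 70 + [False] * 98 + [True] * 4 + [False] * 28  # weak backend
HONEST = [True] * 165 + [False] * 3 + [True] * 4 + [False] * 28   # sampling noise

if __name__ == "__main__":
    for name, run in (("swapped", SWAPPED), ("honest", HONEST)):
        print(name, audit(REF, run))
```

A "degraded" verdict shows that the proxy's answers are worse than the official endpoint's on these questions; it does not identify which model actually served them. Running the official endpoint twice gives the baseline for ordinary sampling noise.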
Besides model swapping, overconsumption of tokens also makes the price per token cheaper, though at the expense of driving up the total cost. Some of it is structural, as proxies that rotate accounts frequently destroy cache continuity as a side effect, forcing users to burn full-price tokens on context that would otherwise be nearly free. Some of it may be deliberate as the proxy providers try to milk more usage. The line between the two is difficult to draw from the outside.
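Loss of cache continuity is visible in the usage metadata returned with each response, assuming the proxy relays that block unmodified. The following added example (not from the article) walks a multi-turn session and flags turns where a prefix cached on the previous turn was not read back even though the cache should still have been live. The `cache_read_input_tokens` and `cache_creation_input_tokens` fields are those of Anthropic's Messages API usage object; the `ts` field (client-side send time in seconds), the 300-second lifetime and the session data are assumptions constructed for illustration.

```python
CACHE_TTL_S = 300  # assumption: default cache lifetime, refreshed on each hit

def cache_breaks(turns, ttl_s=CACHE_TTL_S):
    """Flag turns whose previously cached prefix was billed again.

    turns: per-request usage dicts in send order, each with
    cache_read_input_tokens, cache_creation_input_tokens and ts.
    """
    findings = []
    for i in range(1, len(turns)):
        prev, cur = turns[i - 1], turns[i]
        # Everything the previous turn read from or wrote to the cache
        # should be readable now if the same upstream account is used.
        expected = (prev["cache_read_input_tokens"]
                    + prev["cache_creation_input_tokens"])
        if expected == 0:
            continue                      # caching was not in use
        if cur["ts"] - prev["ts"] >= ttl_s:
            continue                      # legitimate expiry, not a break
        read = cur["cache_read_input_tokens"]
        if read < expected:
            findings.append({
                "turn": i,
                "expected_cached": expected,
                "read": read,
                "rebilled": expected - read,  # tokens charged again
            })
    return findings

# Constructed session: turn 2 loses the cache 55 s after turn 1;
# turn 4 arrives after the lifetime has passed and is not flagged.
SESSION = [
    {"ts": 0,   "cache_creation_input_tokens": 12000, "cache_read_input_tokens": 0},
    {"ts": 40,  "cache_creation_input_tokens": 900,   "cache_read_input_tokens": 12000},
    {"ts": 95,  "cache_creation_input_tokens": 13800, "cache_read_input_tokens": 0},
    {"ts": 150, "cache_creation_input_tokens": 1100,  "cache_read_input_tokens": 13800},
    {"ts": 900, "cache_creation_input_tokens": 15000, "cache_read_input_tokens": 0},
]

if __name__ == "__main__":
    for finding in cache_breaks(SESSION):
        print(finding)
```

A flagged turn is consistent with the request having been moved to a different upstream account, but as the text notes, the metadata alone cannot show whether that was structural or deliberate.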
Meal 3: The logs are the product. This is perhaps the most important part as it intersects with data privacy and distillation. Every request that passes through a proxy — full prompt, full response, tool calls, iterations — is sitting on the proxy operator’s server. For AI coding agents, those logs contain long reasoning chains, real engineering decisions, repository context, and human-verified correct outputs. This makes them an ideal dataset for post-training: for supervised fine-tuning on real engineering tasks, and, where full reasoning traces are captured, for distilling Claude’s reasoning patterns into smaller models. Chinese developer communities assert this is happening in at least some cases, but whether proxy operators are systematically harvesting and selling these logs, and to whom, remains unverified. However, downstream distillation data does exist on the open web. Several datasets of Claude Opus 4.6 reasoning outputs circulate on HuggingFace with no clear source for the outputs. Theoretically, one can clean and sell similar distilled datasets to other model developers in China.
The first two meals are useful for providing tokens cheaper than Anthropic officially charges, but to really make prices ridiculously low — at 10%, or even 5%, of the original price — one needs to eat the third meal. And as a Chinese saying goes, there is no free lunch in the world (天下没有免费的午餐). Several Chinese developers have revealed that the markup business is just customer acquisition, and the log harvest is the actual margin. Users are simultaneously paying customers and unpaid data producers, selling their private data to proxy operators in exchange for a low price. Some also warn of potential promotion, fraud, and even blackmail based on users’ data leaked from the proxy. To avoid privacy risks, some Chinese developers have also constructed their own Claude Code API proxy and open-sourced the guidelines.
From the article:
[...]
[...]
[...]
[...]