The Shadow Economy of AI: How 'Transfer Stations' Bypass Frontier Model Restrictions in China

The geopolitical struggle for AI supremacy is often framed as a battle between state-sponsored labs and official policy. However, a more pervasive and complex struggle is happening in the "grey economy" of API proxies. While the White House and companies like Anthropic warn of industrial-scale distillation campaigns by Chinese entities, they often overlook the vast, decentralized market of "transfer stations" (中转站) that allow ordinary developers, students, and hobbyists in China to access frontier models like Claude.

This ecosystem is not merely a tool for state-level espionage or model distillation; it is a sophisticated infrastructure of evasion that exposes the fundamental limits of geoblocking, KYC (Know Your Customer) checks, and account monitoring as tools for AI governance.

The Architecture of the Transfer Station

A transfer station is essentially an API proxy—an overseas server that acts as a middleman between a Chinese developer and the model provider's infrastructure. Instead of connecting directly to Anthropic, the user redirects their software to the proxy's server and pays in RMB via WeChat or Alipay. This setup bypasses the need for a VPN, an overseas credit card, and a foreign phone number.

This is not a simple one-man operation but a modular, layered supply chain:

• Upstream Resource Providers: These actors handle the "dirty work" of account creation. They include SMS verification platforms for foreign numbers, account merchants who bulk-register accounts, and reverse engineers who find authentication shortcuts. To bypass biometric KYC (live selfies and IDs), some operators recruit real individuals in low-income countries in Africa or Latin America to complete verification for a fee.
• The Transfer Station (The Middle): The operational layer that manages the API interface, handles payments, and continuously cycles accounts to stay ahead of abuse-detection algorithms.
• Downstream Customers: This includes individual developers using tools like Claude Code, enterprises integrating the API into internal workflows, and secondary resellers who repackage the access for sale on e-commerce platforms like Taobao.

The "Three Meals": How Tokens Become 90% Cheaper

The most striking feature of this market is the price: tokens are often sold at 10% or even 5% of the official cost. This pricing is achieved through a strategy described in the Chinese community as "one fish, three meals" (一鱼三吃).

1. Access Markup and Arbitrage

Operators leverage various tactics to lower their own costs, including farming free credits from bulk-registered accounts, reselling unused quotas, and exploiting the gap between flat-rate subscription plans (like the $200 Max plan) and pay-per-token API costs. In darker cases, accounts are funded using stolen or fraudulent credit cards, reducing the operator's cost to nearly zero.

2. Model Swapping and "Dilution"

Because the proxy mediates the request, the user cannot verify which model is actually processing their prompt. A user may pay for Claude Opus 4.7, but the proxy may silently route the request to a cheaper model like Sonnet, Haiku, or even a local Chinese model like Qwen or GLM, while relabeling the output as Opus.

This practice, known as "diluting" (掺水), leads to a perceived "dumbing down" (降智) of the AI. Research from Germany’s CISPA Helmholtz Center found that some proxies claiming to provide Gemini-2.5 achieved only 37% on a medical benchmark, compared to the official API's 83.82%.

3. Data Harvesting as the Primary Product

For many operators, the low price of tokens is simply a customer acquisition strategy. The real profit lies in the logs. Every prompt, response, and reasoning chain passing through the proxy is captured. These logs are goldmines for:

• Post-training and Distillation: Using high-quality reasoning traces from Claude to fine-tune smaller, local models.
• Data Brokerage: Selling curated datasets of real-world engineering tasks to other labs.
• Fraud and Blackmail: Using leaked private data for targeted scams or extortion.

Implications for AI Safety and Governance

The existence of this grey market reveals a critical flaw in current AI safety frameworks. Most providers rely on system-level access control—detecting harmful patterns and suspending accounts. However, when users route through a transfer station, the provider sees the proxy's IP and account, not the end user's.

The Failure of Attribution

If a malicious actor uses a proxy to generate a bioweapon or conduct a cyberattack, the provider can ban the account, but the upstream supply chain can replace it in hours. The attribution is lost; the provider is banning a disposable proxy account, not the actor.

The Erosion of Monitoring

Advanced monitoring systems, such as Anthropic’s Clio, look for coordinated patterns across accounts. However, if a harmful inquiry is distributed across multiple proxy accounts, the signal becomes fragmented and nearly invisible, bypassing the detection logic designed to stop coordinated spam.

Beyond Geopolitics: The Human Cost

The harms of the transfer station economy extend beyond the US-China rivalry. The infrastructure used to bypass AI blocks is the same infrastructure used for broader criminal activity. The biometric data harvested from individuals in the Global South to pass KYC checks can be resold to open fraudulent bank accounts or create deepfakes. The account-farming operations fuel markets for phishing and credit card fraud.

Ultimately, the "transfer station" phenomenon proves that access blockage rarely stops determined users; it simply creates a profitable market for those capable of circumventing it. In the process, it transforms the user from a customer into a product, where the price of "cheap tokens" is paid with privacy, security, and the exploitation of vulnerable populations globally.