The dark token economy: cheap Claude tokens, your prompts as the real product
TL;DR Almost half of calls through cheap LLM proxies hit a different model than advertised, and every prompt is logged on the operator's server for downstream fraud and distillation. 8 public repos with ~172K GitHub stars actively resell unauthorized API access.
A Shanghai engineer needs the Claude API, which is blocked in China, so she points her app at a proxy URL, pays via WeChat at one-tenth of list price, and ships. The proxy quietly swaps the model, logs every prompt, and bills an Anthropic account opened with a face video harvested in Lagos.
Three pieces this spring map the same market: Zilan Qian (ChinaTalk) on the supply chain, Zhang et al. (CISPA) on what proxies actually serve, and Google's Mandiant team on threat-actor attribution.
I decided to take a deeper look into the dark token providers and the economy.
First, I looked at public repos and immediately found 8 that offer cheaper tokens, with ~172,000 GitHub stars combined.
API proxy repos, May 18, 2026.
| Repo | Stars | Description |
|---|---|---|
| xtekky/gpt4free | 66,244 | Wraps free chat-site interfaces (Microsoft Copilot, Perplexity, Pollinations, etc.) as a programmatic API |
| chatanywhere/GPT_API_free | 38,014 | Hosted China-based service giving daily free quotas and selling API keys for GPT, Claude, Gemini, DeepSeek |
| router-for-me/CLIProxyAPI | 33,371 | Wraps Gemini CLI, Claude Code, ChatGPT Codex, Grok Build subscriptions as an OpenAI-compatible API; named by Mandiant as used by PRC-nexus actor UNC5673 |
| Wei-Shaw/sub2api | 21,725 | Self-hosted gateway that splits paid AI subscriptions across multiple users |
| Wei-Shaw/claude-relay-service | 11,787 | Self-hosted Claude API relay; named by Mandiant as used by PRC-nexus actor UNC5673 |
| glidea/one-balance | 413 | Cloudflare Worker reseller; README advertises 0.2x rate, ¥0.2 = $1 of credit |
| glidea/claude-worker-proxy | 268 | Cloudflare Worker Claude proxy; README advertises ¥29 for 500 Sonnet calls and lists a WeChat contact |
| aiprodcoder/MIXAPI | 246 | one-api / new-api fork explicitly marketed for enterprise channel redistribution (二次分发) |
Most transactions happen off GitHub: payment via WeChat or Alipay, support in QQ groups, listings on Xianyu, and contact details published inside READMEs. Bigger toolkits (one-api, new-api, LiteLLM) are dual-use and not included, though CISPA found 11 of 17 audited shadow APIs run on one-api or its fork new-api.
Highlights:
- What are the dark tokens? Tokens from a parallel API market that resells unauthorized access to frontier LLMs through fraudulent or pooled accounts behind attribution-stripping proxies, often at a fraction of official rates. Claude tokens sell at a 90% discount in China.
Frontier model pricing, May 18, 2026.
| Lab | Two generations back | Previous generation | Current frontier |
|---|---|---|---|
| Anthropic | Claude 3 Opus: $15 / $75 | Opus 4.6: $5 / $25 | Opus 4.7: $5 / $25 |
| OpenAI | GPT-5: $1.25 / $10 | GPT-5.4: $2.50 / $15 | GPT-5.5: $5 / $30 |
| Gemini 1.5 Pro: $1.25 / $5 | Gemini 2.5 Pro: $1.25 / $10 | Gemini 3.1 Pro: $2 / $12 |
Prices are USD per million tokens, input / output.
- The dark token economy drivers. Geo restrictions are one. Rising frontier-model token prices are another, and probably the more powerful one: OpenAI is up 4x on input and 3x on output in eight months; Google is up 60% on input and 2.4x on output over eighteen months.
- Dark token economics. LLM API proxy providers use three main levers: price arbitrage, silent model swapping, and log harvesting.
- Price arbitrage. Operators stack free-trial farming, quota reselling, discount arbitrage, and subscription splitting to source tokens below cost, then mark them up. Margins are thin and depend on volume, which requires a continuous supply of verified accounts.
- Model swapping. The customer pays for Claude 4.7 and gets Haiku or Qwen. The proxy pockets the spread. CISPA found this happens in almost half of the calls.
- Log harvesting. Where the real money lives. Every prompt and response is logged. The corpus becomes leads for fraud and training data.
- Business resilience. The dark token economy runs on a specialist supply chain that spans biometric harvesters, account farmers, SMS verification farms, payment processors, proxy operators, and downstream resellers. With no single end-to-end operator, the business is resilient to disruption.
- Is it really a problem for frontier labs? Their two big concerns are distillation and resource abuse. The dark token business is not yet tied to significant distillation, so labs worry more about resource abuse, mostly from free-tier and subsidized accounts (edu, startups). Anthropic disabled ~1.45M accounts in H2 2025; OpenAI disrupted 40+ malicious networks since 2024.
My take:
- The dark token economy is growing, and not only in China. Rising frontier-model token prices, geographic blocks, and KYC requirements are all driving demand for dark tokens.
- The real profits for dark-token operators come from harvesting user prompts and model responses. The harvested logs are highly valuable for downstream fraud and model distillation.
- Evaporating token subsidies are squeezing AI startup margins, forcing them to look for "creative" ways to reduce token costs through alternative providers. You may not have visibility into the token chain, but it is worth running continuous quality and performance monitoring to spot regressions early.
Sources:
- Zilan Qian, How to Buy Cheap Claude Tokens in China (ChinaTalk, May 2026)
- Zhang et al., Real Money, Fake Models: Deceptive Model Claims in Shadow APIs (CISPA, arXiv 2603.01919, March 2026)
- Google Threat Intelligence Group, AI Vulnerability Exploitation and Initial Access (Mandiant, 2026)
- Anthropic exposes industrial-scale AI model theft (TWR, Feb 2026)
- OpenAI requires government ID verification for GPT-5.3-Codex (TWR, Feb 2026)
- Frontier API pricing: Anthropic, OpenAI, Google Gemini