The Dark Side and Hidden Risks of AI Relay Stations

Why AI Relay Stations Exist

Overseas large‑model providers block mainland China IPs and require foreign‑currency payment, prompting a gray‑market ecosystem of AI relay stations. These services wrap foreign servers with RMB settlement, offering “procurement” of top‑tier compute to developers, startups, and large enterprises.

Service Forms

Simple web‑mirror sites that hide data flow.

API aggregation platforms that unify multiple model interfaces, resell tokens, and represent the largest and most problematic segment.

Enterprise AI gateways (e.g., Portkey) that add routing and access control but still expose the same underlying risks.

Core Reverse‑Proxy Mechanism

The three key designs that enable the relay are:

Protocol masquerade layer : Decompose incoming requests, extract payloads, re‑package them to match the target model’s format, and preserve streaming output so users see a seamless “typewriter” effect.

Billing hijack point : Intercept response packets, multiply the actual token count by a operator‑defined coefficient, and present the inflated usage on the user’s bill.

Key rotation pool : Stockpile large numbers of API keys and rotate them automatically when a key hits concurrency or rate limits, making the switch invisible to the client.

Exploitable Layers and Risks

Each layer can be turned against the user:

Model substitution : Audits reveal that the backend model often differs from the advertised version, swapping high‑end models for cheap open‑source alternatives or newer cheaper versions, causing accuracy drops of tens of percentage points in medical or legal QA.

Billing manipulation : Some gateways overcharge beyond reasonable levels while reporting normal usage; they also truncate conversation history (“context truncation”) to save costs, silently degrading applications that rely on long‑term context.

Privacy exposure : As a man‑in‑the‑middle, the relay sees and can rewrite every input and output, turning conversation logs into data sold to AI training firms or data brokers.

Multi‑hop supply chain : API rights often pass through several resellers, sometimes four or five nodes, each adding a point of failure where data can be intercepted or altered.

Advanced Attack Vectors

Security researchers sandboxing relay stations discovered:

Injection of malicious code into model responses.

Theft of cloud service test keys.

Direct draining of private‑key wallets.

Payloads disguised as normal prompts that bypass firewalls, with conditional activation after a number of benign requests.

Underground Supply Chain

Low prices are sustained by abusing free cloud credits, education‑mail accounts, bulk resale of enterprise accounts, and more illicit methods such as mass‑registered fake accounts, cross‑border credit‑card fraud, and stolen API keys. With KYC enforcement by providers like Anthropic, intermediaries recruit workers in Nigeria, Kenya, and Cambodia to obtain passports and facial data, then sell the biometric information at high markup.

From a compliance perspective, providing unregistered foreign model services to domestic users violates regulations, exposing operators to illegal‑business penalties and making downstream enterprises liable for data breaches.

Future Outlook

Domestic models are rapidly closing the performance gap, offering APIs at a fraction of overseas prices, some even free. When legitimate channels deliver comparable capabilities with stronger security guarantees, the gray‑market relay stations lose their foothold. Remaining operators face a choice: intensify fraud and data theft to stay profitable, or shut down before their cash flow collapses.

Reference: "全球最大的 AI 灰产，水到底有多深？" (freebuf)