Aerolink Audit — Full Report
A multi-page investigation into capi.aerolink.lat — a Claude API reseller. 7 models tested with 224 forensic probes, infrastructure reverse-engineered, supply chain mapped, and the wider relay-station market compared.
Endpoint: POST https://capi.aerolink.lat/v1/messages · Anthropic Messages protocol
RELAY
NOT FRAUD
Correction — Fable 5 is real
An earlier analysis incorrectly flagged
claude-fable-5 as a non-existent model. Claude Fable 5 is a genuine Anthropic flagship (Mythos-class, launched
2026-06-09) — the most capable model Anthropic has released to the public, with safety safeguards that fall back to Opus 4.8 on sensitive queries. It is correctly listed on this endpoint. See
Anthropic's models overview.
Nuanced verdict — real Claude via a Claude Code wrapper
The models are genuine Claude. All 7 correctly self-identified with exact model IDs, and every detected knowledge cutoff matched official Anthropic specs (Opus 4.8/4.7/Sonnet 5/Fable 5 = Jan 2026, Opus 4.6 = May 2025, Haiku 4.5 = Feb 2025).
But the endpoint is a relay, not a clean API. Every model leaked "Claude Code" in identity probes (7/7 models). A 90-token request showed 18,319 cached input tokens — proof of an injected ~18k-token Claude Code system prompt. Latency is uniformly high (12–23s) with an inverted speed profile (Haiku 4.5, officially "fastest", was among the slowest at 23.5s).
Conclusion: This is a Claude Code subscription reseller — real Claude models served through a Claude Code wrapper that injects its own system prompt and adds relay overhead. The llm-verify FRAUD_DETECTED verdict is driven by relay artifacts, not model counterfeiting. This likely violates Anthropic's ToS (reselling subscription access as an API).
At a glance
Explore the report
Quick verdict by model
| Model | Self-ID | Cutoff match | Avg latency | Errors | Claude Code leak |
Opus 4.8 claude-opus-4-8 |
correct |
January 2026 |
11.9s |
0/32 |
2/10 |
Opus 4.7 claude-opus-4-7 |
correct |
January 2026 |
12.3s |
2/32 |
2/10 |
Opus 4.6 claude-opus-4-6 |
correct |
May 2025 |
13.8s |
1/32 |
2/10 |
Sonnet 5 claude-sonnet-5 |
correct |
January 2026 |
14.7s |
1/32 |
3/10 |
Sonnet 4.6 claude-sonnet-4-6 |
correct |
not detected |
23.4s |
9/32 |
1/10 |
Haiku 4.5 claude-haiku-4-5-20251001 |
correct |
February 2025 |
23.5s |
5/32 |
2/10 |
Fable 5 claude-fable-5 |
correct |
not detected |
23.3s |
6/32 |
4/10 |
Forensic Audit — 7 Models, 224 Probes
Each of the 7 models on capi.aerolink.lat received an identical 32-prompt battery (3 suites: identity, capability, fingerprint). Click a model to expand full probe Q&A.
🚩 Red Flags (14 detected by llm-verify)
Note: the tool's FRAUD_DETECTED verdict was driven by latency + identity-heuristic false positives (keying on words like "commands"/"gpt-4" from comparison context). The genuine red flags are the Claude Code system-prompt injection and relay latency — see Overview for the nuanced interpretation.
HIGH
identity
Model self-identifies differently than requested name 'claude-opus-4-8'
Claims: commands
HIGH
identity
Model self-identifies differently than requested name 'claude-opus-4-7'
Claims: commands
HIGH
identity
Model self-identifies differently than requested name 'claude-opus-4-6'
Claims: command, commands
HIGH
identity
Model self-identifies differently than requested name 'claude-sonnet-4-6'
Claims: mistral
HIGH
identity
Model self-identifies differently than requested name 'claude-haiku-4-5-20251001'
Claims: commands
HIGH
identity
Model self-identifies differently than requested name 'claude-fable-5'
Claims: command
HIGH
similarity
Models 'claude-opus-4-8' and 'claude-opus-4-7' appear to be the SAME underlying model
Similarity: 93.0%, shared phrases: 2
MEDIUM
latency
Very high average latency (11931ms) suggests proxy/relay
Average across 32 probes
MEDIUM
latency
Very high average latency (12334ms) suggests proxy/relay
Average across 32 probes
MEDIUM
latency
Very high average latency (13814ms) suggests proxy/relay
Average across 32 probes
MEDIUM
latency
Very high average latency (14742ms) suggests proxy/relay
Average across 32 probes
MEDIUM
latency
Very high average latency (23447ms) suggests proxy/relay
Average across 32 probes
MEDIUM
latency
Very high average latency (23503ms) suggests proxy/relay
Average across 32 probes
MEDIUM
latency
Very high average latency (23311ms) suggests proxy/relay
Average across 32 probes
📊 Cross-Model Similarity Matrix
Pairwise behavioral similarity from fingerprinting. Higher = more alike. Opus 4.8 vs Opus 4.7 hit 93% → SAME_MODEL verdict. This is expected for adjacent model versions sharing training lineage — not proof of relabeling.
| Opus 4.8 | Opus 4.7 | Opus 4.6 | Sonnet 5 | Sonnet 4.6 | Haiku 4.5 | Fable 5 |
|---|
| Opus 4.8 | — | 93% | 58% | 78% | 57% | 74% | 72% |
| Opus 4.7 | 93% | — | 59% | 75% | 61% | 80% | 75% |
| Opus 4.6 | 58% | 59% | — | 69% | 75% | 67% | 44% |
| Sonnet 5 | 78% | 75% | 69% | — | 68% | 63% | 59% |
| Sonnet 4.6 | 57% | 61% | 75% | 68% | — | 76% | 63% |
| Haiku 4.5 | 74% | 80% | 67% | 63% | 76% | — | 70% |
| Fable 5 | 72% | 75% | 44% | 59% | 63% | 70% | — |
<60% different
60-75% similar
75-90% similar
≥90% likely same
Per-Model Report (click to expand)
Each card shows self-identification, knowledge cutoff match, latency, errors, Claude Code leak count, and the full 32 probe Q&A responses across all 3 suites.
Opus 4.8 claude-opus-4-8
Current Opus · 1M ctx · $5/$25 · official speed: Moderate
self-id: correct
cutoff: ok
0.0% err
▼
Self-identification
correct Identifies as claude-opus-4-8
Knowledge cutoff
match observed: January 2026 · official: Jan 2026
Errors
0/32 probes failed (0.0%)
Claude Code leak
mentioned in 2/10 identity probes
Identity claims
claude 4.x, commands, gpt-4
Style fingerprint
avg 224 words · markdown 90% · bullets 71% · code 16%
Probe responses
Identity (10)
Capability (12)
Fingerprint (10)
Opus 4.7 claude-opus-4-7
Legacy Opus · 1M ctx · $5/$25 · official speed: Moderate
self-id: correct
cutoff: ok
6.2% err
▼
Self-identification
correct Identifies as claude-opus-4-7
Knowledge cutoff
match observed: January 2026 · official: Jan 2026
Errors
2/32 probes failed (6.2%)
Claude Code leak
mentioned in 2/10 identity probes
Identity claims
claude 4, commands, gpt-4
Style fingerprint
avg 188 words · markdown 87% · bullets 63% · code 13%
Probe responses
Identity (10)
Capability (12)
Fingerprint (10)
Opus 4.6 claude-opus-4-6
Legacy Opus · 1M ctx · $5/$25 · official speed: Moderate
self-id: correct
cutoff: ok
3.1% err
▼
Self-identification
correct Identifies as claude-opus-4-6
Knowledge cutoff
match observed: May 2025 · official: May 2025
Errors
1/32 probes failed (3.1%)
Claude Code leak
mentioned in 2/10 identity probes
Identity claims
claude 4, claude 4-series, claude 4.x, command, commands, gpt-4
Style fingerprint
avg 190 words · markdown 94% · bullets 71% · code 16%
Probe responses
Identity (10)
Capability (12)
Fingerprint (10)
Sonnet 5 claude-sonnet-5
Current Sonnet · 1M ctx · $3/$15 · official speed: Fast
self-id: correct
cutoff: ok
3.1% err
▼
Self-identification
correct Identifies as claude-sonnet-5
Knowledge cutoff
match observed: January 2026 · official: Jan 2026
Errors
1/32 probes failed (3.1%)
Claude Code leak
mentioned in 3/10 identity probes
Style fingerprint
avg 226 words · markdown 93% · bullets 72% · code 14%
Probe responses
Identity (10)
Capability (12)
Fingerprint (10)
Sonnet 4.6 claude-sonnet-4-6
Legacy Sonnet · 1M ctx · $3/$15 · official speed: Fast
self-id: correct
cutoff: warn
28.1% err
▼
Self-identification
correct Identifies as claude-sonnet-4-6
Knowledge cutoff
missing observed: not detected · official: Aug 2025
Errors
9/32 probes failed (28.1%)
Claude Code leak
mentioned in 1/10 identity probes
Identity claims
claude 4.x, gpt-4, mistral
Style fingerprint
avg 146 words · markdown 96% · bullets 52% · code 17%
Probe responses
Identity (10)
Capability (12)
Fingerprint (10)
Haiku 4.5 claude-haiku-4-5-20251001
Current Haiku · 200k ctx · $1/$5 · official speed: Fastest
self-id: correct
cutoff: ok
15.6% err
▼
Self-identification
correct Identifies as claude-haiku-4-5-20251001
Knowledge cutoff
match observed: February 2025 · official: Feb 2025
Errors
5/32 probes failed (15.6%)
Claude Code leak
mentioned in 2/10 identity probes
Identity claims
claude 3, commands, gpt-4
Style fingerprint
avg 156 words · markdown 88% · bullets 58% · code 12%
Probe responses
Identity (10)
Capability (12)
Fingerprint (10)
Fable 5 claude-fable-5
Mythos-class flagship · 1M ctx · $10/$50 · official speed: Slower
self-id: correct
cutoff: warn
18.8% err
▼
Self-identification
correct Identifies as claude-fable-5
Knowledge cutoff
missing observed: not detected · official: Jan 2026
Errors
6/32 probes failed (18.8%)
Claude Code leak
mentioned in 4/10 identity probes
Identity claims
claude 4.x, command
Style fingerprint
avg 107 words · markdown 82% · bullets 50% · code 18%
Probe responses
Identity (10)
Capability (12)
Fingerprint (10)
Provider Comparison — 25+ Relay Stations
Pricing, stability, and channel purity compared across every publicly-visible Claude relay provider. Cross-referenced with Veridrop's 1,118-station leaderboard, Help AIO's 24/7 uptime monitoring, and community recommendations from Linux.do, V2EX, and SegmentFault.
⚠ Critical caveat — sticker price ≠ real cost
Three hidden factors destroy the sticker-price savings: (1) No/low Prompt Caching — Claude Code's ~18-50k system prompt is resent every request; official caches at 0.1× cost, most relays don't → effective cost 5-10× higher. (2) Hidden system-prompt injection — every relay in the chain may inject prompts eating tokens. (3) Pool rotation kills cache — account-pool relays switch accounts per request, each switch = full cache rebuild. The "true cheapest" requires: official-channel upstream + real prompt caching + low multiplier + high uptime.
🏆 Top 5 — cheapest AND stable (verified)
Balancing: (a) independent 3rd-party verification (Veridrop sig rate + Help AIO uptime), (b) real price economics including cache, (c) forum reputation longevity, (d) channel purity. Services with only 1 Veridrop test or no independent monitoring are excluded from "stable" even if cheap.
Koozhan (酷站AI) api.koozhan.com
#1
Opus price
$1.5/$7.5 per M
Veridrop
🥇 99 median, 120 tests
Channel
Official + multi-channel
Forum rep
Top recommended across V2EX/SegmentFault/Veridrop
Neko API (猫肥) api.999555999.com
#2
Opus price
¥1=$1 (~14% at ¥7.2/$)
Veridrop
🥉 96 median, 47 tests
Channel
Multi-protocol, HK/Tokyo
Forum rep
Highly recommended on V2EX
PackyCode packyapi.com
#3
Opus price
Official 30% / reverse ~0.4%
Veridrop
96 median, 15 tests
Cache
Official yes / reverse no
Channel
Multi-tier (you choose)
Forum rep
1.5+ years, 4 full QQ groups, upstream supplier
dasuapi (大苏Api) dasuapi.com
#4
Opus price
~30% (account-gated)
Veridrop
🥈 96 median, 15 tests
Channel
Official + reverse mix (disclosed)
Forum rep
Veridrop-strong, less V2EX presence
AICodeMirror aicodeMirror.com
#5
Opus price
¥259-¥1259 subscription (0.75-0.85×)
Channel
Official only, enterprise
Forum rep
280+ days, 200+ enterprises, invoicing
Full comparison table
| Provider | Opus price | vs official | Veridrop stability | Sig rate | Cache | Channel | Link |
#1 Koozhan (酷站AI) api.koozhan.com |
$1.5/$7.5 per M |
30% |
🥇 99 median, 120 tests |
97% |
Yes (native) |
Official + multi-channel |
visit ↗ |
#2 Neko API (猫肥) api.999555999.com |
¥1=$1 (~14% at ¥7.2/$) |
~14% |
🥉 96 median, 47 tests |
91% |
Yes (CC optimized) |
Multi-protocol, HK/Tokyo |
visit ↗ |
#3 PackyCode packyapi.com |
Official 30% / reverse ~0.4% |
30% / 0.4% |
96 median, 15 tests |
93% |
Official yes / reverse no |
Multi-tier (you choose) |
visit ↗ |
#4 dasuapi (大苏Api) dasuapi.com |
~30% (account-gated) |
~30% |
🥈 96 median, 15 tests |
93% |
Yes |
Official + reverse mix (disclosed) |
visit ↗ |
#5 AICodeMirror aicodeMirror.com |
¥259-¥1259 subscription (0.75-0.85×) |
75-85% |
100/100 ×1 test |
100% |
Yes (native) |
Official only, enterprise |
visit ↗ |
listed cldapi (Claude Relay) cldapi.com |
Official × group multiplier |
100% (not cheap) |
99.9% (90-day claim) |
— |
Yes (passthrough 90%) |
Official API only, no reverse |
visit ↗ |
listed Touken (拓垦) api.touken.pro |
¥29-¥299/mo (request-based) |
~10% (request-billed) |
Not on Veridrop |
— |
N/A (request-billed) |
Anthropic native, 300ms |
visit ↗ |
listed PinCC pincc.ai |
Max carpool (节省60%+) |
~40% |
Not independently tested |
— |
Yes (sticky sessions) |
Max subscription carpool |
visit ↗ |
listed Zivv zivv.pro |
$0.75/$3.75 per M |
5% |
99/100 ×1 |
100% |
Unknown (claims native) |
Anthropic Native |
visit ↗ |
listed APIKEY.FUN apikey.fun |
7% of official |
~7% |
Not on Veridrop |
— |
Unknown |
Sub2API core contributor |
visit ↗ |
listed PPToken pptoken.org |
0.16× multiplier |
~16% |
Not on Veridrop |
— |
Unknown |
GPT focus, Claude secondary |
visit ↗ |
listed Tokeness tokeness.ai |
0.23× official |
~23% |
Not on Veridrop |
— |
Unknown |
Price butcher |
visit ↗ |
listed RunAPI runapi.co |
50% off (Claude 3.5 $2.10) |
~70% |
Not on Veridrop |
— |
Yes |
Aggregator, wholesale |
visit ↗ |
listed CodeGateway codegateway.dev |
1.2-1.5× official (tiered) |
120-150% |
0% error in load test |
— |
Yes (full Anthropic rules) |
Cloudflare edge, official API |
visit ↗ |
listed TeamoRouter teamorouter.com |
50% off first $25, then 20%/5% |
~50-95% |
Not on Veridrop |
— |
Yes |
Direct gateway, public upstream |
visit ↗ |
listed claudemax claudemax.com |
$50/mo (vs $200 official) |
25% |
Not on Veridrop |
— |
No (Max pool) |
Max account pool |
visit ↗ |
listed Easy Claude Code easyclaude.com |
¥499-¥2199/mo (carpool) |
~34% |
Not on Veridrop |
— |
Yes (claims) |
Max carpool |
visit ↗ |
listed Lion CC codecodex.ai |
¥400-¥2400/mo (carpool) |
~28% |
Not on Veridrop |
— |
Unknown |
Max $200 carpool, 5+ months |
visit ↗ |
listed 云雾 API (YUNWU) yunwu.ai |
Market rates |
varies |
Maintainer-verified active |
— |
Unknown |
Mixed |
visit ↗ |
listed 柏拉图 AI (bltcy) api.bltcy.ai |
Lowest-price (Azure-backed) |
varies |
Maintainer-verified active |
— |
Unknown |
Azure-backed, new-api fork, 1000+ models |
visit ↗ |
listed UiUiAPI uiuiapi.com |
Official channels + multipliers |
~49% off claimed |
Maintainer-verified active |
— |
Unknown |
Official-relay, 311 models |
visit ↗ |
listed CloseAI closeai-asia.com |
Enterprise rates |
varies |
Maintainer-verified, registered |
— |
Unknown |
Official-relay, invoices |
visit ↗ |
avoid Aerolink (your current) capi.aerolink.lat |
$5-$200/mo subscription |
~20% |
❌ 8/100 FAILED |
32% (degraded) |
No (Claude Code injected) |
Max carpool reseller |
visit ↗ |
avoid officesai.top officesai.top |
varies |
varies |
❌ 'not recommended' |
67% |
Unknown |
Unknown |
visit ↗ |
avoid linkai.shop linkai.shop |
varies |
varies |
77 median |
100% |
No (Bedrock reverse) |
Reverse |
visit ↗ |
✅ How to verify any provider yourself (6-step checklist)
- Run Veridrop test (free, 60 sec, no key stored): veridrop.org/claude — only use providers scoring 85+ with multiple tests
- Check
/context after first message — if it shows >5k tokens used in a fresh conversation, they're injecting prompts (costs you money)
- Test prompt caching — send the same long context twice; second call should show
cache_read_input_tokens > 0 and cost ~10% of first
- Trigger a 429/500 and check your bill — legitimate providers only bill successful requests
- Check Help AIO 24/7 monitoring: helpaio.com/transit for live uptime data
- Small amount only — never top up more than 1 week of usage; relay stations disappear regularly
Providers to avoid (evidence-based)
| Provider | Reason | Evidence |
Aerolink (your current) capi.aerolink.lat | Veridrop 8/100 (failed), 32% sig when degraded, unstable | This audit + Veridrop history (22 tests, crashed June 22-26) |
| officesai.top | "🚫不建议任何场景使用", 67% sig, frequent severe issues | Veridrop Claude leaderboard |
| linkai.shop | PDF analysis stripped (Bedrock reverse signature) | Veridrop report — 100% sig but 77 median, capabilities stripped |
| Any 闲鱼 ¥9.9 拼车 | Accounts die in days, no recourse, payment fraud risk | Multiple Linux.do + V2EX threads |
Curated reference lists
Supply Chain Deep Dive — Who & How
The cheap Claude access doesn't come from nowhere. Here's the full supply chain, the economics, the named operators, and the technical mechanism — sourced from Chinese industry exposés, GitHub projects, and community forums.
The "one fish, three meals" economic model
Per Medianama's investigation, relay stations sustain 5-10% of official pricing through three revenue streams:
- Markup on access — bulk-registering free-credit accounts, reselling unused quota, corporate/educational discount arbitrage, "APImaxxing" (one $200 Max plan carved among many users via tokens-per-hour quotas)
- Overselling — one Business account seat shared across 5-10 users (most use <2h/day). Cost fixed, revenue 5×. Gross margin 30% → 70%.
- Log harvesting — every prompt/response sits on the proxy server. AI coding logs contain long reasoning chains + human-verified correct outputs = ideal distillation dataset. Claude Opus 4.6 reasoning datasets already circulate on HuggingFace with no clear source.
The 4-tier source model
Tier 1 — Claude Max subscription "拼车" (carpool) · THE DOMINANT SOURCE
This is what Aerolink uses (proven by 18,319 cached input tokens + Claude Code system-prompt leakage in our audit).
Economics
Max 20x = $200/mo flat, includes ~$2,000 of API-equivalent usage. One account provides ~$1,500/mo of official quota capacity. Sliced into 5-10 user "车位" (carpool slots). Oversell 5-10× → gross margin 70%.
Account cost
闲鱼 (Xianyu) Max accounts ¥50-150 ($7-21) each from: bulk .edu email registration, US real-person KYC farms (~¥80/KYC), or "washed" recycled accounts (¥100 or less — "充三百美金第二天号没了")
Net profit
20-account pool + 1 part-time客服 = ¥30k-50k/mo ($4k-7k) net, per the
aitntnews exposé
Mechanism
Real claude CLI subprocess + mitmproxy injection (see below). Anthropic sees genuine Claude Code CLI call → bills subscription quota, not API credits.
Tier 2 — Cloud-provider Claude (AWS Bedrock / Azure / Vertex) · "一方合作渠道"
Enterprise volume discounts. Cheaper than direct API, more expensive than subscription fraud. Stable, full capabilities, real prompt caching. Relay stations scoring 95-99/100 on Veridrop often run on this.
Reference price
¥0.85-1.5 per $1 of usage (~10-15% below official)
AWS loophole
Per
dashenk.com: find internal contacts, use overseas entity to apply for startup-support credits (¥4000 free), package as legit business. Small package = 85% of official, large package = 75% (requires ¥2M/yr usage)
Stability
High — cloud providers have SLAs. Community reports "降智概率较低" (low intelligence-degradation probability).
Tier 3 — "Reverse" / 逆向 channels · Kiro, Cursor, Windsurf, Warp
Reverse-engineered APIs from third-party Claude-fronting apps. Very cheap but degraded.
Reference price
¥0.1-0.3 per $1 of usage
Kiro
Was most stable until 131+ update banned China. May 1, 2026: Claude models fully removed. Drops thinking signature (Bedrock simplified path doesn't implement signature generation) → Veridrop catches instantly
Cursor
Reverse-engineered; "称400实200" (claims $400, actually $200 of value) because CacheRead is charged unlike official CC
Defects
Fixed injected prompts (降智), broken tool calls, 200k context instead of 1M,断流 (stream drops).
sechub.in guide: "综合能力: Max~=bedrock>AG>cursor>>kiro"
Tier 4 — Free trial / promotional credit abuse
Bulk-register accounts for free credits. Extremely unstable, accounts die in days. The "¥300 Max account, recharge $300, account gone next day" scam tier.
The technical mechanism — mitmproxy CLI injection
Projects like WoulderX/claude-subscription-proxy and zhangbinhui/claude-max-proxy document it openly. This is exactly why we saw Claude Code text leaking in every probe — it's not a bug, it's the required disguise.
Why not just forge the request? Anthropic uses 10+ fingerprint signals to distinguish subscription vs API quota:
system[0] billing header, User-Agent, anthropic-beta, x-stainless-*, complete tools[],
metadata, etc. Running the real CLI is the only reliable way.
The injection flow (per WoulderX docs):
1. Each account runs a real claude CLI subprocess in a PTY
2. mitmproxy intercepts the CLI's outbound /v1/messages call
3. User's request body is merged into the CLI's request —
keeping the CLI's identity fingerprints (User-Agent, anthropic-beta,
x-stainless-*, system[0] billing header, metadata)
4. Anthropic sees a genuine Claude Code CLI call →
bills subscription quota, not API credits
5. cache_read_input_tokens > 0 confirms subscription billing
(the injected ~18k-token Claude Code system prompt hits the cache)
Body merge rules (src/mitm/addon.py:_merge_body):
messages / model / max_tokens / tools → user wins (business input)
system[0] (billing header) + user system → mixed (keep identity + user instructions)
User-Agent / anthropic-* / x-stainless-* → claude CLI original (identity fingerprint)
Why Aerolink's Haiku was slower than Opus — the Claude Code
orchestration layer + subscription rate-limiting + pool rotation overhead
inverts the natural speed profile. A clean API would show Haiku fastest.
The wholesale pyramid
Per the aitntnews exposé: "能追溯到源头的就七八家大号池" (only 7-8 traceable big account pools). Same article: a ¥198/mo carpool seat costs ¥89 at source — the ¥109 difference is split across 3-4 middlemen.
UPSTREAM (sources of cheap Claude access)
├── 卡商 (card merchants) — virtual/overseas payment cards
├── 号商 (account merchants) — bulk Max accounts ¥50-150
│ ├── 教育邮箱批量注册 (bulk .edu email registration)
│ ├── 美国本土真人代实名 (US real-person KYC farms)
│ └── 洗号 (washed/recycled accounts)
├── IP代理 (residential IP sellers) — dodge Anthropic risk scoring
└── 逆向方 (reverse engineers) — ¥30-50k/mo salary
MIDSTREAM (the relay stations — Veridrop's 1,118 entries)
├── 源头 (sources, ~7-8 big pools) — the real account-farm operators
├── 二道贩子 (middlemen, 3-4 layers) — resell the source's capacity
└── 终端中转站 (terminal relays) — what users actually buy from
DOWNSTREAM
├── Claude Code / Cursor developers (end users)
└── 二次分销商 (sub-distributors like Aerolink)
Named operators (publicly visible)
Naming individual underground account farmers would be irresponsible — they operate via 闲鱼 DMs, WeChat handles, and Telegram groups, identities easily faked. The publicly-branded services below are fair game because they've chosen to be public.
Tier A — Vertically integrated (account-farm + public relay)
| Operator | Evidence | Links |
AiYa api.aiyahmm.com | Posted on V2EX (2026-03-16) openly: "本身做卡商和号商,手里有大量海外支付卡资源和账号资源" / "卡和号都在自己手里,不依赖上游,封了就补" — explicitly sells cards/accounts to other relay operators. Handles RPM 300+ for ToB clients. | site ↗ |
PackyCode packyapi.com | Sponsored Sub2API. Per l1i1/ai-router-reviews: "国内上游供应商", 1.5+ years, 4 QQ groups near full. makerjackie: "PackyCode 等早期玩家曾是部分站点的上游" (was upstream for some stations). Multi-tier channels: 官方/AWS-Q reverse/CC-dedicated. | site ↗ · docs ↗ |
PinCC pincc.ai | Official hosted service of Sub2API (25K★, by Wei-Shaw, same author as claude-relay-service 12K★). Official domains: sub2api.org and pincc.ai. Sits at center of 拼车 ecosystem. | site ↗ · shop ↗ |
酷站AI / Koozhan api.koozhan.com | Veridrop 🥇 #1 (120 tests, 97% sig). Markets "原生协议直连" with multi-channel priority routing + auto-failover — language implying owning the pool. 200ms TTFT, ¥10 min. | site ↗ |
大苏Api / dasuapi dasuapi.com | Veridrop 🥈 #2 (15 tests, 93% sig). Publicly discloses mixed official+reverse channels. | site ↗ |
Neko API api.999555999.com | Veridrop 🥉 #3 (47 Claude tests, 91% sig). Multi-protocol breadth suggests large underlying pool. 2,000+ developers. | site ↗ |
Tier B — The "Big 7-8 pools" (mentioned but not fully named)
Intentionally invisible
The aitntnews exposé states only "七八家大号池" exist at the true source layer. They never appear on Veridrop because they don't sell to end users — they sell via WeChat/闲鱼 DMs, Linux.do "招代理" posts, and word-of-mouth. makerjackie names PackyCode as one former source. The others are documented only as quotes: per dashenk, "山东有一家上游渠道很硬" (one Shandong operator with very strong AWS partner channels).
Tier C — Sub2API sponsors (publicly visible middlemen)
From the Sub2API README sponsor table — publicly-operated middlemen running on the Sub2API stack. Not necessarily sources, but the visible part of the pyramid.
| Service | Domain | Claim |
| PinCC | pincc.ai | Official hosted Sub2API |
| PackyCode | packyapi.com | "稳定高效的API中转服务商" |
| APIKEY.FUN | apikey.fun | "低至官方原价的 7%" |
| AICodeMirror | aicodeMirror.com | "官方价 38%/2%/9%" |
| BmoPlus | bmoplus.com | Account merchant — sells ChatGPT Plus/Pro/Claude Pro accounts at "10% of official" |
| PatewayAI | patewayai.com | "100% from official providers" |
| PPToken | pptoken.org | "0.16× rate multiplier, ~2.2% of official pricing" |
| RunAPI | runapi.co | "OpenRouter平替, 150+ models, 低至1折" |
| Unity2 | unity2.ai | "日均承载超300亿token" (300B tokens/day) |
| Tokeness | tokeness.ai | "价格屠夫" (price butcher), Opus at 0.23× official |
| Bestproxy | bestproxy | Residential IP supplier — "one-IP-per-account" (the anti-risk-control infrastructure layer) |
How Aerolink fits in
Aerolink is a downstream distributor, not a source
India-based distributor (Tier C equivalent, but for the Indian market) that almost certainly buys capacity from one of the Tier A/B Chinese pools and resells with INR pricing. Evidence:
- INR-first pricing (₹449-₹17,999), Hostinger email, Telegram+Discord support — Indian market signals
- NewAPI gateway software (Chinese, off-the-shelf — anyone can deploy it)
- Sealos K8s hosting (Chinese PaaS, but publicly available)
- Claude Code system-prompt leak proves subscription-pool upstream (Tier 1 economics), not direct API
- Veridrop instability (96→8→recovering) matches downstream customer whose Chinese upstream switches channels or gets banned
Additional context — enforcement & risks
Anthropic enforcement timeline
- 2025-09: Anthropic bans China-majority-owned entities from Claude
- 2026-03: Major封号潮 (ban wave) — 50% of surveyed accounts banned per Linux.do poll
- 2026-04: Expanded identity checks for Claude API
- 2026-06: Embedded covert code in Claude Code to mark Chinese user routing info — per 163.com report
- 2026-07: Anthropic reports proxy networks ran distillation campaigns with 20,000+ fraudulent accounts, 16M+ Claude exchanges — per winbuzzer
Risks if you use a relay
- Data exposure — the relay is a MITM; every prompt, code snippet, file, and API key passes through their servers. Per HTX Insights: "Users may unknowingly surrender prompts, code, business documents, customer data, and even full project contexts."
- Log harvesting — your coding sessions may become distillation training data sold to Chinese model developers
- Account bans — Anthropic enforces against pool accounts; service can vanish overnight
- Payment fraud — 闲鱼 sellers using stolen credit cards; "chargeback后整批号消失"
- Runaway (跑路) — prepay model, sites vanish with balances. Per V2EX: "某P站至今退款难,甚至起诉用户"
Open-source tools in the ecosystem
Infrastructure Fingerprint — Reverse-Engineering the Gateway
How the gateway was identified as NewAPI via three source-code-level fingerprints, plus the hosting layer, mesh proxy, and the full chain from client to Anthropic.
Method — non-intrusive introspection
No scanning, no DoS, no intrusion. Only deep introspection of what the endpoint already exposes to a paying key holder: /v1/models response shape, HTTP headers, error messages, DNS/TLS/WHOIS records, and response ID formats.
Three fingerprints that proved NewAPI
All three match NewAPI's source code exactly. Confirmed by independent third-party integrations (CherryHQ/cherry-studio, lobehub/lobe-chat, can1357/oh-my-pi).
Fingerprint 1: supported_endpoint_types: ["anthropic"]
This field does not exist in the standard Anthropic or OpenAI /v1/models response. It is a field NewAPI invented to advertise which wire protocols each model supports.
Source-code proof — QuantumNous/new-api controller/model.go:
oaiModel.SupportedEndpointTypes = model.GetModelSupportEndpointTypes(modelName)
Third-party confirmation:
Fingerprint 2: created: 1626777600 (all 7 models)
NewAPI hardcodes this Unix timestamp (2021-07-20) for every model in its static list. It's not the real creation date of any Claude model — it's a code constant.
Source-code proof — same file, init() function:
openAIModels = append(openAIModels, dto.OpenAIModels{
Id: modelName,
Object: "model",
Created: 1626777600, // hardcoded for every model
OwnedBy: channelName,
})
GitHub issue confirmation — issue #2648: "现在默认时间是1626777600... newapi 也是硬编码的 1626777600". LobeHub's code even comments: "AiHubMix incorrect timestamp is 1626777600".
Fingerprint 3: Chinese error messages + msg_gwhb_ ID prefix
Requesting a non-existent model returned: "你请求的模型 \"X\" 暂不支持。可用模型:claude-opus-4-7 / claude-haiku-4-5-20251001 / claude-sonnet-4-6 / claude-sonnet-5" — a custom Chinese model-not-found message (NewAPI is Chinese-developed).
Non-streaming response IDs use a custom msg_gwhb_ prefix (e.g. msg_gwhb_mrhixug5-94fba1474a69), while streaming responses pass through real Anthropic IDs (msg_011Ccwqb1JZVy1iwixyD7TEw). NewAPI regenerates IDs when buffering non-streaming responses; streams pass through upstream IDs unchanged.
The hosting layer
DNS chain
capi.aerolink.lat
→ CNAME: kmoxknduoxjs.cloud.sealos.io
→ A: 35.197.149.75 (AS396982 Google LLC, Singapore)
→ A: 34.87.110.152 (AS396982 Google LLC, Singapore)
→ A: 34.143.149.171 (AS396982 Google LLC, Singapore)
[+ 5 more GCP Singapore IPs]
All 8 IPs are *.bc.googleusercontent.com (GCP). The CNAME target is a Sealos Kubernetes cluster.
HTTP server fingerprint
server: istio-envoy
req-cost-time: 1235
req-arrive-time: 1783844040872
resp-start-time: 1783844042108
x-envoy-upstream-service-time: 1235
Istio/Envoy service mesh doing the actual request routing inside the K8s cluster. Custom req-*-time headers are Envoy/Istio proxy headers.
The operator vs. the software
Software (Chinese, open-source)
- Gateway: QuantumNous/new-api (39K★, AGPL-3.0, fork of one-api)
- PaaS host: Labring/sealos (AI-native Kubernetes)
- Mesh: Istio/Envoy (CNCF, US-governed)
- Apex CDN/DNS: Cloudflare (only for marketing site, not API)
Operator (India-based, NOT Chinese)
- Domain: aerolink.lat, registered 2026-05-31 (~6 weeks old), Spaceship registrar
- Pricing: INR-first (₹449-₹17,999)
- Email: Hostinger MX (budget host popular in India/SE Asia)
- Support: Telegram + Discord (not QQ groups like Chinese services)
- Apex: custom Next.js dashboard (not NewAPI's default React/Semi-UI frontend)
The full proxy chain
Your client
→ capi.aerolink.lat (DNS only; Cloudflare not in path for API)
→ Sealos Kubernetes cluster (GCP Singapore, AS396982)
→ Istio/Envoy ingress (server: istio-envoy)
→ Aerolink gateway app (key validation, ₹ usage ledger, rolling limits)
→ Claude Code session proxy (injects ~18k-token Claude Code system prompt)
→ Anthropic (real Claude models via Claude Code subscription)
TLS cert: Let's Encrypt (self-managed, K8s-typical)
Apex (aerolink.lat): Next.js behind Cloudflare Turnstile (separate from API)
CT logs: only capi. subdomain exists
Claude Code injection — the smoking gun
Evidence from our audit
- 18,319 cached input tokens on a 90-token request — a clean Anthropic API call has 0 cached tokens. This proves a large system prompt is injected upstream.
- All 7 models leaked "Claude Code" in identity probes (7/7 models, up to 4/10 probes on Fable 5). The text comes from Claude Code's own system prompt, which would never appear in a direct
api.anthropic.com call.
- Real Claude models, correct knowledge cutoffs, but inverted latency (Haiku slower than Opus) — consistent with Claude Code's heavier orchestration layer + subscription rate-limiting, not clean API throughput.
- Streaming responses pass through real Anthropic thinking signatures — the
signature_delta contains a valid base64 signature with claude-haiku-4-5-2025101 encoded inside, proving genuine Anthropic passthrough (not Bedrock/Kiro reverse).
Veridrop history — the instability pattern
Veridrop (the open-source Chinese relay verification site) has 22 public tests of aerolink:
| Period | Score | Verdict | Interpretation |
| June 16-20 | 96-99/100 | PASS | Good Max pool — cryptographic thinking-signature verification passed = genuine Anthropic passthrough |
| June 22-26 | 7-10/100 | FAIL | Thinking signature failed 15/22 times — upstream switched to degraded/reverse channel or pool got banned |
| July 12 (this audit) | partial | Recovering | Thinking signatures present again in streaming responses; quality unstable |
This volatility is the hallmark of subscription-pool relays — when Anthropic bans a batch of accounts, every downstream customer sees simultaneous degradation. A direct API or cloud-provider relay would never show this pattern.
Methodology, Verification & Sources
How this audit was conducted, the tools used, how to reproduce it, and every source cited — with links that open in new tabs.
Tools used
| Tool | Role | Link |
| llm-verify | Ran 32-prompt behavioral fingerprinting benchmark against all 7 models (224 probes). Identity, capability, fingerprint suites. Cross-model similarity scoring. | github.com/mintesnot-teshome/llm-verify ↗ |
| curl | Direct API probing: /v1/models response, error messages, streaming SSE capture, header inspection | — |
| dig | DNS resolution: A/AAAA/CNAME/NS/MX/TXT records for capi.aerolink.lat and apex | — |
| openssl s_client | TLS certificate inspection (issuer, subject, SAN, validity dates) | — |
| whois | Domain registration data (registrar, creation date, expiry) | — |
| ipinfo.io | ASN lookup for all 8 resolved IPs → AS396982 Google LLC Singapore | ipinfo.io ↗ |
| crt.sh | Certificate Transparency log search for subdomains | crt.sh query ↗ |
| Veridrop | Cross-referenced 22 public quality tests of aerolink from the open-source relay detector | veridrop report ↗ |
How to reproduce this audit
# 1. Clone llm-verify
git clone https://github.com/mintesnot-teshome/llm-verify.git
cd llm-verify
# 2. Set up environment
python -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"
# 3. Configure .env with the suspect API
cp .env.example .env
# Edit .env:
# SUSPECT_API_KEY=your-suspect-key
# SUSPECT_API_BASE_URL=https://capi.aerolink.lat
# 4. Run the API server
uvicorn src.main:app --port 8000
# 5. Run deep analysis against all models (32 probes each)
curl -X POST http://localhost:8000/api/v1/analysis/deep \
-H "Content-Type: application/json" \
-d '{"name":"Audit","model_configs":[
{"model_name":"claude-opus-4-8","provider":"suspect","protocol":"anthropic"},
{"model_name":"claude-fable-5","provider":"suspect","protocol":"anthropic"},
...
],"suites":["identity","capability","fingerprint"]}'
# 6. Inspect raw probe responses
curl http://localhost:8000/api/v1/results/{run_id}
The 6-step verification checklist (for any provider)
Before paying any relay station
- Run Veridrop — veridrop.org/claude (free, 60 sec, no key stored). Only use providers scoring 85+ with multiple tests. The
thinking_signature detector is cryptographic — relay stations cannot forge it.
- Check
/context after first message — if it shows >5k tokens used in a fresh conversation, they're injecting hidden system prompts (costs you money every request).
- Test prompt caching — send the same long context twice; second call should show
cache_read_input_tokens > 0 and cost ~10% of first. If not, the relay lacks caching and long-context use will be 5-10× more expensive than the rate suggests.
- Trigger a 429/500 and check your bill — legitimate providers only bill successful requests. Some relays charge for failures.
- Check Help AIO 24/7 monitoring — helpaio.com/transit for live uptime data across major stations.
- Small amount only — never top up more than 1 week of usage. Relay stations disappear regularly ("跑路" risk). Test with ¥10-50 first.
All sources & references
Open-source tools & code
-
mintesnot-teshome/llm-verify
https://github.com/mintesnot-teshome/llm-verify
The audit tool used in this report. Behavioral fingerprinting with 32 forensic prompts across identity, capability, and fingerprint suites. MIT license.
audit tool
-
QuantumNous/new-api
https://github.com/QuantumNous/new-api
The gateway software identified on capi.aerolink.lat. 39K★, AGPL-3.0, Chinese. Fork of one-api. The supported_endpoint_types field and hardcoded 1626777600 timestamp are the fingerprints that proved it.
gateway software
-
songquanpeng/one-api
https://github.com/songquanpeng/one-api
The original Chinese LLM gateway. NewAPI's parent. 35K★.
gateway software
-
Wei-Shaw/sub2api
https://github.com/Wei-Shaw/sub2api
Subscription-to-API gateway. 25K★. The "拼车" reference deployment. PinCC is its official hosted service. README lists all sponsor relay operators.
carpool infra
-
Wei-Shaw/claude-relay-service
https://github.com/Wei-Shaw/claude-relay-service
Self-hosted Claude Code mirror with account-pool management. 12K★. Same author as Sub2API.
carpool infra
-
WoulderX/claude-subscription-proxy
https://github.com/WoulderX/claude-subscription-proxy
Documents the mitmproxy CLI injection mechanism used for Tier 1 reselling. Explains the 10+ Anthropic fingerprint signals and why real CLI subprocesses are required.
mechanism
-
zhangbinhui/claude-max-proxy
https://github.com/zhangbinhui/claude-max-proxy
Another Max-subscription-to-API proxy with tool-name mapping and CCH signature calculation. Documents system-prompt migration to bypass Anthropic's third-party detection.
mechanism
-
canarybyte/veridrop
https://github.com/canarybyte/veridrop
The open-source relay-station detector. Cryptographic thinking-signature verification. 154★, AGPL-3.0. Hosted at veridrop.org.
verification
-
zxc123aa/cc-proxy-detector
https://github.com/zxc123aa/cc-proxy-detector
Fingerprinting reference: tool_use id prefixes (toolu_ vs tooluse_), msg_id formats, thinking signatures by source (Anthropic/Bedrock/Vertex).
verification
-
labring/sealos
https://github.com/labring/sealos
The AI-native Kubernetes PaaS that hosts Aerolink's gateway (capi.aerolink.lat CNAMEs to *.cloud.sealos.io).
hosting
-
howardpen9/awesome-ai-api-proxy
https://github.com/howardpen9/awesome-ai-api-proxy
Maintainer-verified catalog of Chinese/Asian relay stations with status canaries. The most reliable public list. Data in data/providers.yaml.
catalog
-
l1i1/ai-router-reviews
https://github.com/l1i1/ai-router-reviews
Independent reviews of API router platforms (Tokeness, PackyCode, 302.AI, OpenRouter) with price/latency comparisons.
reviews
-
mn-api/awesome-ai-proxy (unmaintained)
https://github.com/mn-api/awesome-ai-proxy
The original community list (~31 stations). No longer maintained as of 2026. Superseded by howardpen9/awesome-ai-api-proxy.
catalog (stale)
Industry investigations & articles
-
"我花了半个月,把AI中转站这门生意从头到尾扒透" (aitntnews)
https://www.aitntnews.com/newDetail.html?newId=24713
2-week embedded exposé of the relay-station industry. Source of the "7-8 big pools" figure, the ¥50-150 account costs, and the 70% overselling margin. Key quote: "能追溯到源头的就七八家大号池".
-
"Claude 中转站全解析" (makerjackie)
https://makerjackie.com/blog/2026-05-06-claude-api-proxy-deep-dive
Industry structure analysis. Names PackyCode as a former upstream source. Details the 源头号商 → 经销商 → 耗商 pyramid.
-
"Inside China's grey market for banned US AI models" (Medianama)
https://www.medianama.com/2026/07/223-china-transfer-station-economy-explained/
English-language investigation. Source of the "one fish, three meals" economic model and the log-harvesting-for-distillation angle. Links to HuggingFace Claude reasoning datasets.
-
"倒卖token变成一门生意" (新浪财经/Sina Finance)
https://finance.sina.com.cn/stock/t/2026-05-19/doc-inhykxft7581219.shtml
Mainstream Chinese finance media coverage. Confirms the 闲鱼 ¥9.9 拼车 tier and IDE-reverse as the "most common source". Quotes a 3-station operator clearing thousands/day.
-
"China's Cheap Claude Tokens" (winbuzzer)
https://winbuzzer.com/2026/07/03/chinas-cheap-claude-tokens-run-through-proxy-markets-xcxwbn/
Reports Anthropic's finding that proxy networks ran distillation campaigns with 20,000+ fraudulent accounts and 16M+ Claude exchanges.
-
"AI Relay Stations: Hidden Pitfalls" (HTX Insights)
https://www.htx.com/en-us/news/413734/
Risk analysis. "Users may unknowingly surrender prompts, code, business documents, customer data, and even full project contexts."
-
"《科普下中转号里的行业内幕》" (dashenk)
https://dashenk.com/2026/04/24/
Industry insider breakdown. Pure-blood accounts at $1.35 each at source. KYC farms at ¥80. The Shandong AWS partner with "unlimited account issuance".
-
Claude Code gateway protocol reference (Anthropic)
https://code.claude.com/docs/en/llm-gateway-protocol
Official Anthropic docs on how Claude Code routes through gateways. Documents the headers (x-claude-code-session-id, anthropic-beta, etc.) that relay stations must preserve.
Community threads (recommendations & warnings)
-
V2EX: "claude code 使用哪家国内 api 靠谱" (2026-03)
https://www.v2ex.com/t/1196478
100+ replies recommending bytecat, terminal.pub, ofox.ai, aihezu, holysheep.ai, cubence, etc. Key insight: "就没有一直稳定的...我同时用了5家" (no one is always stable, I use 5 simultaneously).
-
V2EX: "卡商+号商自建的 Claude API 中转站" (2026-03)
https://www.v2ex.com/t/1198574
AiYa operator's public post admitting to being 卡商+号商. Source of "封了就补,不会断供" and "缺卡的找我" quotes.
-
Linux.do: "省钱系列8 — Claude Code Max 所有渠道研究" (2026-03)
https://linux.do/t/topic/1740014/2
Comprehensive channel research. Price tables for Max拼车, Cursor, Antigravity, Kiro, AWS reverse. Source of the "综合能力: Max~=bedrock>AG>cursor>>kiro" ranking.
-
SegmentFault: "我对比了8个Claude API中转站" (2026-04)
https://segmentfault.com/a/1190000047718715
Independent 8-station comparison with weighted pricing. Ranks 灵眸AI, 神马中转, PackyAPI, poloapi, laozhang.ai, apiyi, AIHubMix, OpenRouter.
-
V2EX: "中转站为什么这么费钱?明明便宜70%" (2026-03)
https://www.v2ex.com/t/1201851
Explains why sticker-price 70% discounts often cost MORE than official due to missing prompt caching, hidden system prompts, and pool-rotation cache invalidation.
-
Help AIO — 24/7 relay station monitoring
https://www.helpaio.com/
Independent uptime monitoring across 15+ stations. Real-time Opus/GPT-5 availability, bench tests, price comparison. "无赞助广告" (no sponsored ads).
Anthropic official
Reproducibility
All raw data from this audit is preserved in the llm-verify/ working directory:
aerolink-audit-data.json — full structured data (all 224 probe responses + fingerprints, 320 KB)
aerolink-audit-raw.json — raw llm-verify deep-analysis output
aerolink-audit-dashboard.html — the original single-page dashboard (this report supersedes it)
fraud-report-opus48.json — single-model deep analysis
fraud-report-cross.json — 3-model cross-comparison
The llm-verify server can be restarted (uvicorn src.main:app --port 8000) to re-query any run's results via the /api/v1/results/{run_id} endpoint while the SQLite DB persists.