Aerolink Audit — Full Report

A multi-page investigation into capi.aerolink.lat — a Claude API reseller. 7 models tested with 224 forensic probes, infrastructure reverse-engineered, supply chain mapped, and the wider relay-station market compared.

Endpoint: POST https://capi.aerolink.lat/v1/messages · Anthropic Messages protocol
View forensic audit → Compare providers →
RELAY
NOT FRAUD
Correction — Fable 5 is real
An earlier analysis incorrectly flagged claude-fable-5 as a non-existent model. Claude Fable 5 is a genuine Anthropic flagship (Mythos-class, launched 2026-06-09) — the most capable model Anthropic has released to the public, with safety safeguards that fall back to Opus 4.8 on sensitive queries. It is correctly listed on this endpoint. See Anthropic's models overview.
Nuanced verdict — real Claude via a Claude Code wrapper

The models are genuine Claude. All 7 correctly self-identified with exact model IDs, and every detected knowledge cutoff matched official Anthropic specs (Opus 4.8/4.7/Sonnet 5/Fable 5 = Jan 2026, Opus 4.6 = May 2025, Haiku 4.5 = Feb 2025).

But the endpoint is a relay, not a clean API. Every model leaked "Claude Code" in identity probes (7/7 models). A 90-token request showed 18,319 cached input tokens — proof of an injected ~18k-token Claude Code system prompt. Latency is uniformly high (12–23s) with an inverted speed profile (Haiku 4.5, officially "fastest", was among the slowest at 23.5s).

Conclusion: This is a Claude Code subscription reseller — real Claude models served through a Claude Code wrapper that injects its own system prompt and adds relay overhead. The llm-verify FRAUD_DETECTED verdict is driven by relay artifacts, not model counterfeiting. This likely violates Anthropic's ToS (reselling subscription access as an API).

At a glance

7
Models Tested
224
Forensic Probes
7+7
High+Med Flags
24
Failed Probes
17.6s
Avg Latency

Explore the report

🧬
Forensic Audit
Per-model results from 224 probes. Identity, capability, fingerprint suites. Cross-model similarity heatmap. Expandable probe Q&A for all 7 models.
View 224 probe responses →
📊
Provider Comparison
Full pricing + stability table for 25+ relay stations. Top 5 cheapest-and-stable. Veridrop scores, Help AIO uptime, forum recommendations.
Find better alternatives →
⛓️
Supply Chain Deep Dive
Who provides the cheap Claude access. The 4-tier source model. Subscription-carpool economics. Named operators. The mitmproxy injection mechanism.
Trace the upstream →
🔍
Infrastructure Fingerprint
How the gateway was identified as NewAPI via 3 source-code-level fingerprints. Sealos/K8s hosting. Istio/Envoy. The full proxy chain.
See the reverse-engineering →
🛠️
Methodology & Sources
Tools used. How to verify any provider yourself (6-step checklist). All GitHub repos, articles, and community threads linked.
View references →
llm-verify on GitHub
The open-source tool that ran the 32-prompt behavioral fingerprinting benchmark. Clone it, run your own audits, contribute prompt suites.
Open repo in new tab →

Quick verdict by model

ModelSelf-IDCutoff matchAvg latencyErrorsClaude Code leak
Opus 4.8
claude-opus-4-8
correct January 2026 11.9s 0/32 2/10
Opus 4.7
claude-opus-4-7
correct January 2026 12.3s 2/32 2/10
Opus 4.6
claude-opus-4-6
correct May 2025 13.8s 1/32 2/10
Sonnet 5
claude-sonnet-5
correct January 2026 14.7s 1/32 3/10
Sonnet 4.6
claude-sonnet-4-6
correct not detected 23.4s 9/32 1/10
Haiku 4.5
claude-haiku-4-5-20251001
correct February 2025 23.5s 5/32 2/10
Fable 5
claude-fable-5
correct not detected 23.3s 6/32 4/10

Forensic Audit — 7 Models, 224 Probes

Each of the 7 models on capi.aerolink.lat received an identical 32-prompt battery (3 suites: identity, capability, fingerprint). Click a model to expand full probe Q&A.

224
Total probes
7
Models
24
Failed
21
Cross-pairs
14
Red flags

🚩 Red Flags (14 detected by llm-verify)

Note: the tool's FRAUD_DETECTED verdict was driven by latency + identity-heuristic false positives (keying on words like "commands"/"gpt-4" from comparison context). The genuine red flags are the Claude Code system-prompt injection and relay latency — see Overview for the nuanced interpretation.

HIGH
identity
Model self-identifies differently than requested name 'claude-opus-4-8'
Claims: commands
HIGH
identity
Model self-identifies differently than requested name 'claude-opus-4-7'
Claims: commands
HIGH
identity
Model self-identifies differently than requested name 'claude-opus-4-6'
Claims: command, commands
HIGH
identity
Model self-identifies differently than requested name 'claude-sonnet-4-6'
Claims: mistral
HIGH
identity
Model self-identifies differently than requested name 'claude-haiku-4-5-20251001'
Claims: commands
HIGH
identity
Model self-identifies differently than requested name 'claude-fable-5'
Claims: command
HIGH
similarity
Models 'claude-opus-4-8' and 'claude-opus-4-7' appear to be the SAME underlying model
Similarity: 93.0%, shared phrases: 2
MEDIUM
latency
Very high average latency (11931ms) suggests proxy/relay
Average across 32 probes
MEDIUM
latency
Very high average latency (12334ms) suggests proxy/relay
Average across 32 probes
MEDIUM
latency
Very high average latency (13814ms) suggests proxy/relay
Average across 32 probes
MEDIUM
latency
Very high average latency (14742ms) suggests proxy/relay
Average across 32 probes
MEDIUM
latency
Very high average latency (23447ms) suggests proxy/relay
Average across 32 probes
MEDIUM
latency
Very high average latency (23503ms) suggests proxy/relay
Average across 32 probes
MEDIUM
latency
Very high average latency (23311ms) suggests proxy/relay
Average across 32 probes

📊 Cross-Model Similarity Matrix

Pairwise behavioral similarity from fingerprinting. Higher = more alike. Opus 4.8 vs Opus 4.7 hit 93% → SAME_MODEL verdict. This is expected for adjacent model versions sharing training lineage — not proof of relabeling.

Opus 4.8Opus 4.7Opus 4.6Sonnet 5Sonnet 4.6Haiku 4.5Fable 5
Opus 4.893%58%78%57%74%72%
Opus 4.793%59%75%61%80%75%
Opus 4.658%59%69%75%67%44%
Sonnet 578%75%69%68%63%59%
Sonnet 4.657%61%75%68%76%63%
Haiku 4.574%80%67%63%76%70%
Fable 572%75%44%59%63%70%
<60% different 60-75% similar 75-90% similar ≥90% likely same

Per-Model Report (click to expand)

Each card shows self-identification, knowledge cutoff match, latency, errors, Claude Code leak count, and the full 32 probe Q&A responses across all 3 suites.

Opus 4.8 claude-opus-4-8
Current Opus · 1M ctx · $5/$25 · official speed: Moderate
self-id: correct cutoff: ok 0.0% err
Self-identification
correct Identifies as claude-opus-4-8
Knowledge cutoff
match observed: January 2026 · official: Jan 2026
Avg latency
11.9s
Errors
0/32 probes failed (0.0%)
Claude Code leak
mentioned in 2/10 identity probes
Identity claims
claude 4.x, commands, gpt-4
Style fingerprint
avg 224 words · markdown 90% · bullets 71% · code 16%

Probe responses

Identity (10)
Capability (12)
Fingerprint (10)
Opus 4.7 claude-opus-4-7
Legacy Opus · 1M ctx · $5/$25 · official speed: Moderate
self-id: correct cutoff: ok 6.2% err
Self-identification
correct Identifies as claude-opus-4-7
Knowledge cutoff
match observed: January 2026 · official: Jan 2026
Avg latency
12.3s
Errors
2/32 probes failed (6.2%)
Claude Code leak
mentioned in 2/10 identity probes
Identity claims
claude 4, commands, gpt-4
Style fingerprint
avg 188 words · markdown 87% · bullets 63% · code 13%

Probe responses

Identity (10)
Capability (12)
Fingerprint (10)
Opus 4.6 claude-opus-4-6
Legacy Opus · 1M ctx · $5/$25 · official speed: Moderate
self-id: correct cutoff: ok 3.1% err
Self-identification
correct Identifies as claude-opus-4-6
Knowledge cutoff
match observed: May 2025 · official: May 2025
Avg latency
13.8s
Errors
1/32 probes failed (3.1%)
Claude Code leak
mentioned in 2/10 identity probes
Identity claims
claude 4, claude 4-series, claude 4.x, command, commands, gpt-4
Style fingerprint
avg 190 words · markdown 94% · bullets 71% · code 16%

Probe responses

Identity (10)
Capability (12)
Fingerprint (10)
Sonnet 5 claude-sonnet-5
Current Sonnet · 1M ctx · $3/$15 · official speed: Fast
self-id: correct cutoff: ok 3.1% err
Self-identification
correct Identifies as claude-sonnet-5
Knowledge cutoff
match observed: January 2026 · official: Jan 2026
Avg latency
14.7s
Errors
1/32 probes failed (3.1%)
Claude Code leak
mentioned in 3/10 identity probes
Identity claims
gpt-5
Style fingerprint
avg 226 words · markdown 93% · bullets 72% · code 14%

Probe responses

Identity (10)
Capability (12)
Fingerprint (10)
Sonnet 4.6 claude-sonnet-4-6
Legacy Sonnet · 1M ctx · $3/$15 · official speed: Fast
self-id: correct cutoff: warn 28.1% err
Self-identification
correct Identifies as claude-sonnet-4-6
Knowledge cutoff
missing observed: not detected · official: Aug 2025
Avg latency
23.4s
Errors
9/32 probes failed (28.1%)
Claude Code leak
mentioned in 1/10 identity probes
Identity claims
claude 4.x, gpt-4, mistral
Style fingerprint
avg 146 words · markdown 96% · bullets 52% · code 17%

Probe responses

Identity (10)
Capability (12)
Fingerprint (10)
Haiku 4.5 claude-haiku-4-5-20251001
Current Haiku · 200k ctx · $1/$5 · official speed: Fastest
self-id: correct cutoff: ok 15.6% err
Self-identification
correct Identifies as claude-haiku-4-5-20251001
Knowledge cutoff
match observed: February 2025 · official: Feb 2025
Avg latency
23.5s
Errors
5/32 probes failed (15.6%)
Claude Code leak
mentioned in 2/10 identity probes
Identity claims
claude 3, commands, gpt-4
Style fingerprint
avg 156 words · markdown 88% · bullets 58% · code 12%

Probe responses

Identity (10)
Capability (12)
Fingerprint (10)
Fable 5 claude-fable-5
Mythos-class flagship · 1M ctx · $10/$50 · official speed: Slower
self-id: correct cutoff: warn 18.8% err
Self-identification
correct Identifies as claude-fable-5
Knowledge cutoff
missing observed: not detected · official: Jan 2026
Avg latency
23.3s
Errors
6/32 probes failed (18.8%)
Claude Code leak
mentioned in 4/10 identity probes
Identity claims
claude 4.x, command
Style fingerprint
avg 107 words · markdown 82% · bullets 50% · code 18%

Probe responses

Identity (10)
Capability (12)
Fingerprint (10)

Provider Comparison — 25+ Relay Stations

Pricing, stability, and channel purity compared across every publicly-visible Claude relay provider. Cross-referenced with Veridrop's 1,118-station leaderboard, Help AIO's 24/7 uptime monitoring, and community recommendations from Linux.do, V2EX, and SegmentFault.

⚠ Critical caveat — sticker price ≠ real cost

Three hidden factors destroy the sticker-price savings: (1) No/low Prompt Caching — Claude Code's ~18-50k system prompt is resent every request; official caches at 0.1× cost, most relays don't → effective cost 5-10× higher. (2) Hidden system-prompt injection — every relay in the chain may inject prompts eating tokens. (3) Pool rotation kills cache — account-pool relays switch accounts per request, each switch = full cache rebuild. The "true cheapest" requires: official-channel upstream + real prompt caching + low multiplier + high uptime.

🏆 Top 5 — cheapest AND stable (verified)

Balancing: (a) independent 3rd-party verification (Veridrop sig rate + Help AIO uptime), (b) real price economics including cache, (c) forum reputation longevity, (d) channel purity. Services with only 1 Veridrop test or no independent monitoring are excluded from "stable" even if cheap.

Koozhan (酷站AI) api.koozhan.com
#1
Opus price
$1.5/$7.5 per M
vs official
30%
Veridrop
🥇 99 median, 120 tests
Sig rate
97%
Cache
Yes (native)
Channel
Official + multi-channel
Forum rep
Top recommended across V2EX/SegmentFault/Veridrop
Neko API (猫肥) api.999555999.com
#2
Opus price
¥1=$1 (~14% at ¥7.2/$)
vs official
~14%
Veridrop
🥉 96 median, 47 tests
Sig rate
91%
Cache
Yes (CC optimized)
Channel
Multi-protocol, HK/Tokyo
Forum rep
Highly recommended on V2EX
PackyCode packyapi.com
#3
Opus price
Official 30% / reverse ~0.4%
vs official
30% / 0.4%
Veridrop
96 median, 15 tests
Sig rate
93%
Cache
Official yes / reverse no
Channel
Multi-tier (you choose)
Forum rep
1.5+ years, 4 full QQ groups, upstream supplier
dasuapi (大苏Api) dasuapi.com
#4
Opus price
~30% (account-gated)
vs official
~30%
Veridrop
🥈 96 median, 15 tests
Sig rate
93%
Cache
Yes
Channel
Official + reverse mix (disclosed)
Forum rep
Veridrop-strong, less V2EX presence
AICodeMirror aicodeMirror.com
#5
Opus price
¥259-¥1259 subscription (0.75-0.85×)
vs official
75-85%
Veridrop
100/100 ×1 test
Sig rate
100%
Cache
Yes (native)
Channel
Official only, enterprise
Forum rep
280+ days, 200+ enterprises, invoicing

Full comparison table

ProviderOpus pricevs officialVeridrop stabilitySig rateCacheChannelLink
#1 Koozhan (酷站AI)
api.koozhan.com
$1.5/$7.5 per M 30% 🥇 99 median, 120 tests 97% Yes (native) Official + multi-channel visit ↗
#2 Neko API (猫肥)
api.999555999.com
¥1=$1 (~14% at ¥7.2/$) ~14% 🥉 96 median, 47 tests 91% Yes (CC optimized) Multi-protocol, HK/Tokyo visit ↗
#3 PackyCode
packyapi.com
Official 30% / reverse ~0.4% 30% / 0.4% 96 median, 15 tests 93% Official yes / reverse no Multi-tier (you choose) visit ↗
#4 dasuapi (大苏Api)
dasuapi.com
~30% (account-gated) ~30% 🥈 96 median, 15 tests 93% Yes Official + reverse mix (disclosed) visit ↗
#5 AICodeMirror
aicodeMirror.com
¥259-¥1259 subscription (0.75-0.85×) 75-85% 100/100 ×1 test 100% Yes (native) Official only, enterprise visit ↗
listed cldapi (Claude Relay)
cldapi.com
Official × group multiplier 100% (not cheap) 99.9% (90-day claim) Yes (passthrough 90%) Official API only, no reverse visit ↗
listed Touken (拓垦)
api.touken.pro
¥29-¥299/mo (request-based) ~10% (request-billed) Not on Veridrop N/A (request-billed) Anthropic native, 300ms visit ↗
listed PinCC
pincc.ai
Max carpool (节省60%+) ~40% Not independently tested Yes (sticky sessions) Max subscription carpool visit ↗
listed Zivv
zivv.pro
$0.75/$3.75 per M 5% 99/100 ×1 100% Unknown (claims native) Anthropic Native visit ↗
listed APIKEY.FUN
apikey.fun
7% of official ~7% Not on Veridrop Unknown Sub2API core contributor visit ↗
listed PPToken
pptoken.org
0.16× multiplier ~16% Not on Veridrop Unknown GPT focus, Claude secondary visit ↗
listed Tokeness
tokeness.ai
0.23× official ~23% Not on Veridrop Unknown Price butcher visit ↗
listed RunAPI
runapi.co
50% off (Claude 3.5 $2.10) ~70% Not on Veridrop Yes Aggregator, wholesale visit ↗
listed CodeGateway
codegateway.dev
1.2-1.5× official (tiered) 120-150% 0% error in load test Yes (full Anthropic rules) Cloudflare edge, official API visit ↗
listed TeamoRouter
teamorouter.com
50% off first $25, then 20%/5% ~50-95% Not on Veridrop Yes Direct gateway, public upstream visit ↗
listed claudemax
claudemax.com
$50/mo (vs $200 official) 25% Not on Veridrop No (Max pool) Max account pool visit ↗
listed Easy Claude Code
easyclaude.com
¥499-¥2199/mo (carpool) ~34% Not on Veridrop Yes (claims) Max carpool visit ↗
listed Lion CC
codecodex.ai
¥400-¥2400/mo (carpool) ~28% Not on Veridrop Unknown Max $200 carpool, 5+ months visit ↗
listed 云雾 API (YUNWU)
yunwu.ai
Market rates varies Maintainer-verified active Unknown Mixed visit ↗
listed 柏拉图 AI (bltcy)
api.bltcy.ai
Lowest-price (Azure-backed) varies Maintainer-verified active Unknown Azure-backed, new-api fork, 1000+ models visit ↗
listed UiUiAPI
uiuiapi.com
Official channels + multipliers ~49% off claimed Maintainer-verified active Unknown Official-relay, 311 models visit ↗
listed CloseAI
closeai-asia.com
Enterprise rates varies Maintainer-verified, registered Unknown Official-relay, invoices visit ↗
avoid Aerolink (your current)
capi.aerolink.lat
$5-$200/mo subscription ~20% ❌ 8/100 FAILED 32% (degraded) No (Claude Code injected) Max carpool reseller visit ↗
avoid officesai.top
officesai.top
varies varies ❌ 'not recommended' 67% Unknown Unknown visit ↗
avoid linkai.shop
linkai.shop
varies varies 77 median 100% No (Bedrock reverse) Reverse visit ↗
✅ How to verify any provider yourself (6-step checklist)
  1. Run Veridrop test (free, 60 sec, no key stored): veridrop.org/claude — only use providers scoring 85+ with multiple tests
  2. Check /context after first message — if it shows >5k tokens used in a fresh conversation, they're injecting prompts (costs you money)
  3. Test prompt caching — send the same long context twice; second call should show cache_read_input_tokens > 0 and cost ~10% of first
  4. Trigger a 429/500 and check your bill — legitimate providers only bill successful requests
  5. Check Help AIO 24/7 monitoring: helpaio.com/transit for live uptime data
  6. Small amount only — never top up more than 1 week of usage; relay stations disappear regularly

Providers to avoid (evidence-based)

ProviderReasonEvidence
Aerolink (your current)
capi.aerolink.lat
Veridrop 8/100 (failed), 32% sig when degraded, unstableThis audit + Veridrop history (22 tests, crashed June 22-26)
officesai.top"🚫不建议任何场景使用", 67% sig, frequent severe issuesVeridrop Claude leaderboard
linkai.shopPDF analysis stripped (Bedrock reverse signature)Veridrop report — 100% sig but 77 median, capabilities stripped
Any 闲鱼 ¥9.9 拼车Accounts die in days, no recourse, payment fraud riskMultiple Linux.do + V2EX threads

Curated reference lists

awesome-ai-api-proxy

Maintainer-verified catalog of Chinese/Asian relay stations with status canaries. The most reliable public list.

github.com/howardpen9/awesome-ai-api-proxy ↗

Original list (now unmaintained): mn-api/awesome-ai-proxy

Veridrop leaderboard

1,118 Claude relay stations ranked by cryptographic thinking-signature verification. Open-source, community-driven.

veridrop.org/leaderboard/claude ↗

Source: github.com/canarybyte/veridrop

Supply Chain Deep Dive — Who & How

The cheap Claude access doesn't come from nowhere. Here's the full supply chain, the economics, the named operators, and the technical mechanism — sourced from Chinese industry exposés, GitHub projects, and community forums.

The "one fish, three meals" economic model

Per Medianama's investigation, relay stations sustain 5-10% of official pricing through three revenue streams:

  1. Markup on access — bulk-registering free-credit accounts, reselling unused quota, corporate/educational discount arbitrage, "APImaxxing" (one $200 Max plan carved among many users via tokens-per-hour quotas)
  2. Overselling — one Business account seat shared across 5-10 users (most use <2h/day). Cost fixed, revenue 5×. Gross margin 30% → 70%.
  3. Log harvesting — every prompt/response sits on the proxy server. AI coding logs contain long reasoning chains + human-verified correct outputs = ideal distillation dataset. Claude Opus 4.6 reasoning datasets already circulate on HuggingFace with no clear source.

The 4-tier source model

Tier 1 — Claude Max subscription "拼车" (carpool) · THE DOMINANT SOURCE
This is what Aerolink uses (proven by 18,319 cached input tokens + Claude Code system-prompt leakage in our audit).
Economics
Max 20x = $200/mo flat, includes ~$2,000 of API-equivalent usage. One account provides ~$1,500/mo of official quota capacity. Sliced into 5-10 user "车位" (carpool slots). Oversell 5-10× → gross margin 70%.
Account cost
闲鱼 (Xianyu) Max accounts ¥50-150 ($7-21) each from: bulk .edu email registration, US real-person KYC farms (~¥80/KYC), or "washed" recycled accounts (¥100 or less — "充三百美金第二天号没了")
Net profit
20-account pool + 1 part-time客服 = ¥30k-50k/mo ($4k-7k) net, per the aitntnews exposé
Mechanism
Real claude CLI subprocess + mitmproxy injection (see below). Anthropic sees genuine Claude Code CLI call → bills subscription quota, not API credits.
Tier 2 — Cloud-provider Claude (AWS Bedrock / Azure / Vertex) · "一方合作渠道"
Enterprise volume discounts. Cheaper than direct API, more expensive than subscription fraud. Stable, full capabilities, real prompt caching. Relay stations scoring 95-99/100 on Veridrop often run on this.
Reference price
¥0.85-1.5 per $1 of usage (~10-15% below official)
AWS loophole
Per dashenk.com: find internal contacts, use overseas entity to apply for startup-support credits (¥4000 free), package as legit business. Small package = 85% of official, large package = 75% (requires ¥2M/yr usage)
Stability
High — cloud providers have SLAs. Community reports "降智概率较低" (low intelligence-degradation probability).
Tier 3 — "Reverse" / 逆向 channels · Kiro, Cursor, Windsurf, Warp
Reverse-engineered APIs from third-party Claude-fronting apps. Very cheap but degraded.
Reference price
¥0.1-0.3 per $1 of usage
Kiro
Was most stable until 131+ update banned China. May 1, 2026: Claude models fully removed. Drops thinking signature (Bedrock simplified path doesn't implement signature generation) → Veridrop catches instantly
Cursor
Reverse-engineered; "称400实200" (claims $400, actually $200 of value) because CacheRead is charged unlike official CC
Defects
Fixed injected prompts (降智), broken tool calls, 200k context instead of 1M,断流 (stream drops). sechub.in guide: "综合能力: Max~=bedrock>AG>cursor>>kiro"
Tier 4 — Free trial / promotional credit abuse
Bulk-register accounts for free credits. Extremely unstable, accounts die in days. The "¥300 Max account, recharge $300, account gone next day" scam tier.

The technical mechanism — mitmproxy CLI injection

Projects like WoulderX/claude-subscription-proxy and zhangbinhui/claude-max-proxy document it openly. This is exactly why we saw Claude Code text leaking in every probe — it's not a bug, it's the required disguise.

Why not just forge the request? Anthropic uses 10+ fingerprint signals to distinguish subscription vs API quota: system[0] billing header, User-Agent, anthropic-beta, x-stainless-*, complete tools[], metadata, etc. Running the real CLI is the only reliable way. The injection flow (per WoulderX docs): 1. Each account runs a real claude CLI subprocess in a PTY 2. mitmproxy intercepts the CLI's outbound /v1/messages call 3. User's request body is merged into the CLI's request — keeping the CLI's identity fingerprints (User-Agent, anthropic-beta, x-stainless-*, system[0] billing header, metadata) 4. Anthropic sees a genuine Claude Code CLI call → bills subscription quota, not API credits 5. cache_read_input_tokens > 0 confirms subscription billing (the injected ~18k-token Claude Code system prompt hits the cache) Body merge rules (src/mitm/addon.py:_merge_body): messages / model / max_tokens / tools → user wins (business input) system[0] (billing header) + user system → mixed (keep identity + user instructions) User-Agent / anthropic-* / x-stainless-* → claude CLI original (identity fingerprint) Why Aerolink's Haiku was slower than Opus — the Claude Code orchestration layer + subscription rate-limiting + pool rotation overhead inverts the natural speed profile. A clean API would show Haiku fastest.

The wholesale pyramid

Per the aitntnews exposé: "能追溯到源头的就七八家大号池" (only 7-8 traceable big account pools). Same article: a ¥198/mo carpool seat costs ¥89 at source — the ¥109 difference is split across 3-4 middlemen.

UPSTREAM (sources of cheap Claude access) ├── 卡商 (card merchants) — virtual/overseas payment cards ├── 号商 (account merchants) — bulk Max accounts ¥50-150 │ ├── 教育邮箱批量注册 (bulk .edu email registration) │ ├── 美国本土真人代实名 (US real-person KYC farms) │ └── 洗号 (washed/recycled accounts) ├── IP代理 (residential IP sellers) — dodge Anthropic risk scoring └── 逆向方 (reverse engineers) — ¥30-50k/mo salary MIDSTREAM (the relay stations — Veridrop's 1,118 entries) ├── 源头 (sources, ~7-8 big pools) — the real account-farm operators ├── 二道贩子 (middlemen, 3-4 layers) — resell the source's capacity └── 终端中转站 (terminal relays) — what users actually buy from DOWNSTREAM ├── Claude Code / Cursor developers (end users) └── 二次分销商 (sub-distributors like Aerolink)

Named operators (publicly visible)

Naming individual underground account farmers would be irresponsible — they operate via 闲鱼 DMs, WeChat handles, and Telegram groups, identities easily faked. The publicly-branded services below are fair game because they've chosen to be public.

Tier A — Vertically integrated (account-farm + public relay)

OperatorEvidenceLinks
AiYa
api.aiyahmm.com
Posted on V2EX (2026-03-16) openly: "本身做卡商和号商,手里有大量海外支付卡资源和账号资源" / "卡和号都在自己手里,不依赖上游,封了就补" — explicitly sells cards/accounts to other relay operators. Handles RPM 300+ for ToB clients.site ↗
PackyCode
packyapi.com
Sponsored Sub2API. Per l1i1/ai-router-reviews: "国内上游供应商", 1.5+ years, 4 QQ groups near full. makerjackie: "PackyCode 等早期玩家曾是部分站点的上游" (was upstream for some stations). Multi-tier channels: 官方/AWS-Q reverse/CC-dedicated.site ↗ · docs ↗
PinCC
pincc.ai
Official hosted service of Sub2API (25K★, by Wei-Shaw, same author as claude-relay-service 12K★). Official domains: sub2api.org and pincc.ai. Sits at center of 拼车 ecosystem.site ↗ · shop ↗
酷站AI / Koozhan
api.koozhan.com
Veridrop 🥇 #1 (120 tests, 97% sig). Markets "原生协议直连" with multi-channel priority routing + auto-failover — language implying owning the pool. 200ms TTFT, ¥10 min.site ↗
大苏Api / dasuapi
dasuapi.com
Veridrop 🥈 #2 (15 tests, 93% sig). Publicly discloses mixed official+reverse channels.site ↗
Neko API
api.999555999.com
Veridrop 🥉 #3 (47 Claude tests, 91% sig). Multi-protocol breadth suggests large underlying pool. 2,000+ developers.site ↗

Tier B — The "Big 7-8 pools" (mentioned but not fully named)

Intentionally invisible

The aitntnews exposé states only "七八家大号池" exist at the true source layer. They never appear on Veridrop because they don't sell to end users — they sell via WeChat/闲鱼 DMs, Linux.do "招代理" posts, and word-of-mouth. makerjackie names PackyCode as one former source. The others are documented only as quotes: per dashenk, "山东有一家上游渠道很硬" (one Shandong operator with very strong AWS partner channels).

Tier C — Sub2API sponsors (publicly visible middlemen)

From the Sub2API README sponsor table — publicly-operated middlemen running on the Sub2API stack. Not necessarily sources, but the visible part of the pyramid.

ServiceDomainClaim
PinCCpincc.aiOfficial hosted Sub2API
PackyCodepackyapi.com"稳定高效的API中转服务商"
APIKEY.FUNapikey.fun"低至官方原价的 7%"
AICodeMirroraicodeMirror.com"官方价 38%/2%/9%"
BmoPlusbmoplus.comAccount merchant — sells ChatGPT Plus/Pro/Claude Pro accounts at "10% of official"
PatewayAIpatewayai.com"100% from official providers"
PPTokenpptoken.org"0.16× rate multiplier, ~2.2% of official pricing"
RunAPIrunapi.co"OpenRouter平替, 150+ models, 低至1折"
Unity2unity2.ai"日均承载超300亿token" (300B tokens/day)
Tokenesstokeness.ai"价格屠夫" (price butcher), Opus at 0.23× official
BestproxybestproxyResidential IP supplier — "one-IP-per-account" (the anti-risk-control infrastructure layer)

How Aerolink fits in

Aerolink is a downstream distributor, not a source

India-based distributor (Tier C equivalent, but for the Indian market) that almost certainly buys capacity from one of the Tier A/B Chinese pools and resells with INR pricing. Evidence:

Additional context — enforcement & risks

Anthropic enforcement timeline

  • 2025-09: Anthropic bans China-majority-owned entities from Claude
  • 2026-03: Major封号潮 (ban wave) — 50% of surveyed accounts banned per Linux.do poll
  • 2026-04: Expanded identity checks for Claude API
  • 2026-06: Embedded covert code in Claude Code to mark Chinese user routing info — per 163.com report
  • 2026-07: Anthropic reports proxy networks ran distillation campaigns with 20,000+ fraudulent accounts, 16M+ Claude exchanges — per winbuzzer

Risks if you use a relay

  • Data exposure — the relay is a MITM; every prompt, code snippet, file, and API key passes through their servers. Per HTX Insights: "Users may unknowingly surrender prompts, code, business documents, customer data, and even full project contexts."
  • Log harvesting — your coding sessions may become distillation training data sold to Chinese model developers
  • Account bans — Anthropic enforces against pool accounts; service can vanish overnight
  • Payment fraud — 闲鱼 sellers using stolen credit cards; "chargeback后整批号消失"
  • Runaway (跑路) — prepay model, sites vanish with balances. Per V2EX: "某P站至今退款难,甚至起诉用户"

Open-source tools in the ecosystem

ProjectStarsRole
QuantumNous/new-api39K+The dominant Chinese LLM gateway software (fork of one-api). Runs most relay stations. This is what Aerolink uses.
songquanpeng/one-api35K+The original. NewAPI's parent.
Wei-Shaw/sub2api25K+Subscription-to-API gateway. The "拼车" reference deployment.
Wei-Shaw/claude-relay-service12K+Self-hosted Claude Code mirror with account-pool management. Same author as Sub2API.
WoulderX/claude-subscription-proxyDocuments the mitmproxy CLI injection mechanism used for Tier 1 reselling.
zhangbinhui/claude-max-proxyAnother Max-subscription-to-API proxy with tool-name mapping and CCH signature calculation.
zxc123aa/cc-proxy-detectorFingerprinting reference: tool_use id prefixes, msg_id formats, thinking signatures by source (Anthropic/Bedrock/Vertex).
canarybyte/veridrop154The open-source relay-station detector. Cryptographic thinking-signature verification. AGPL-3.0.
mintesnot-teshome/llm-verify9The tool used in this audit. 32 forensic prompts, behavioral fingerprinting.
labring/sealosThe AI-native Kubernetes PaaS that hosts Aerolink's gateway.

Infrastructure Fingerprint — Reverse-Engineering the Gateway

How the gateway was identified as NewAPI via three source-code-level fingerprints, plus the hosting layer, mesh proxy, and the full chain from client to Anthropic.

Method — non-intrusive introspection

No scanning, no DoS, no intrusion. Only deep introspection of what the endpoint already exposes to a paying key holder: /v1/models response shape, HTTP headers, error messages, DNS/TLS/WHOIS records, and response ID formats.

Three fingerprints that proved NewAPI

All three match NewAPI's source code exactly. Confirmed by independent third-party integrations (CherryHQ/cherry-studio, lobehub/lobe-chat, can1357/oh-my-pi).

Fingerprint 1: supported_endpoint_types: ["anthropic"]

This field does not exist in the standard Anthropic or OpenAI /v1/models response. It is a field NewAPI invented to advertise which wire protocols each model supports.

Source-code proofQuantumNous/new-api controller/model.go:

oaiModel.SupportedEndpointTypes = model.GetModelSupportEndpointTypes(modelName)

Third-party confirmation:

Fingerprint 2: created: 1626777600 (all 7 models)

NewAPI hardcodes this Unix timestamp (2021-07-20) for every model in its static list. It's not the real creation date of any Claude model — it's a code constant.

Source-code proof — same file, init() function:

openAIModels = append(openAIModels, dto.OpenAIModels{
    Id: modelName,
    Object: "model",
    Created: 1626777600,   // hardcoded for every model
    OwnedBy: channelName,
})

GitHub issue confirmationissue #2648: "现在默认时间是1626777600... newapi 也是硬编码的 1626777600". LobeHub's code even comments: "AiHubMix incorrect timestamp is 1626777600".

Fingerprint 3: Chinese error messages + msg_gwhb_ ID prefix

Requesting a non-existent model returned: "你请求的模型 \"X\" 暂不支持。可用模型:claude-opus-4-7 / claude-haiku-4-5-20251001 / claude-sonnet-4-6 / claude-sonnet-5" — a custom Chinese model-not-found message (NewAPI is Chinese-developed).

Non-streaming response IDs use a custom msg_gwhb_ prefix (e.g. msg_gwhb_mrhixug5-94fba1474a69), while streaming responses pass through real Anthropic IDs (msg_011Ccwqb1JZVy1iwixyD7TEw). NewAPI regenerates IDs when buffering non-streaming responses; streams pass through upstream IDs unchanged.

The hosting layer

DNS chain

capi.aerolink.lat
  → CNAME: kmoxknduoxjs.cloud.sealos.io
    → A: 35.197.149.75  (AS396982 Google LLC, Singapore)
    → A: 34.87.110.152  (AS396982 Google LLC, Singapore)
    → A: 34.143.149.171 (AS396982 Google LLC, Singapore)
    [+ 5 more GCP Singapore IPs]

All 8 IPs are *.bc.googleusercontent.com (GCP). The CNAME target is a Sealos Kubernetes cluster.

HTTP server fingerprint

server: istio-envoy
req-cost-time: 1235
req-arrive-time: 1783844040872
resp-start-time: 1783844042108
x-envoy-upstream-service-time: 1235

Istio/Envoy service mesh doing the actual request routing inside the K8s cluster. Custom req-*-time headers are Envoy/Istio proxy headers.

The operator vs. the software

Software (Chinese, open-source)

  • Gateway: QuantumNous/new-api (39K★, AGPL-3.0, fork of one-api)
  • PaaS host: Labring/sealos (AI-native Kubernetes)
  • Mesh: Istio/Envoy (CNCF, US-governed)
  • Apex CDN/DNS: Cloudflare (only for marketing site, not API)

Operator (India-based, NOT Chinese)

  • Domain: aerolink.lat, registered 2026-05-31 (~6 weeks old), Spaceship registrar
  • Pricing: INR-first (₹449-₹17,999)
  • Email: Hostinger MX (budget host popular in India/SE Asia)
  • Support: Telegram + Discord (not QQ groups like Chinese services)
  • Apex: custom Next.js dashboard (not NewAPI's default React/Semi-UI frontend)

The full proxy chain

Your clientcapi.aerolink.lat (DNS only; Cloudflare not in path for API) → Sealos Kubernetes cluster (GCP Singapore, AS396982) → Istio/Envoy ingress (server: istio-envoy) → Aerolink gateway app (key validation, ₹ usage ledger, rolling limits) → Claude Code session proxy (injects ~18k-token Claude Code system prompt) → Anthropic (real Claude models via Claude Code subscription) TLS cert: Let's Encrypt (self-managed, K8s-typical) Apex (aerolink.lat): Next.js behind Cloudflare Turnstile (separate from API) CT logs: only capi. subdomain exists

Claude Code injection — the smoking gun

Evidence from our audit

Veridrop history — the instability pattern

Veridrop (the open-source Chinese relay verification site) has 22 public tests of aerolink:

PeriodScoreVerdictInterpretation
June 16-2096-99/100PASSGood Max pool — cryptographic thinking-signature verification passed = genuine Anthropic passthrough
June 22-267-10/100FAILThinking signature failed 15/22 times — upstream switched to degraded/reverse channel or pool got banned
July 12 (this audit)partialRecoveringThinking signatures present again in streaming responses; quality unstable

This volatility is the hallmark of subscription-pool relays — when Anthropic bans a batch of accounts, every downstream customer sees simultaneous degradation. A direct API or cloud-provider relay would never show this pattern.

Methodology, Verification & Sources

How this audit was conducted, the tools used, how to reproduce it, and every source cited — with links that open in new tabs.

Tools used

ToolRoleLink
llm-verifyRan 32-prompt behavioral fingerprinting benchmark against all 7 models (224 probes). Identity, capability, fingerprint suites. Cross-model similarity scoring.github.com/mintesnot-teshome/llm-verify ↗
curlDirect API probing: /v1/models response, error messages, streaming SSE capture, header inspection
digDNS resolution: A/AAAA/CNAME/NS/MX/TXT records for capi.aerolink.lat and apex
openssl s_clientTLS certificate inspection (issuer, subject, SAN, validity dates)
whoisDomain registration data (registrar, creation date, expiry)
ipinfo.ioASN lookup for all 8 resolved IPs → AS396982 Google LLC Singaporeipinfo.io ↗
crt.shCertificate Transparency log search for subdomainscrt.sh query ↗
VeridropCross-referenced 22 public quality tests of aerolink from the open-source relay detectorveridrop report ↗

How to reproduce this audit

# 1. Clone llm-verify
git clone https://github.com/mintesnot-teshome/llm-verify.git
cd llm-verify

# 2. Set up environment
python -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"

# 3. Configure .env with the suspect API
cp .env.example .env
# Edit .env:
#   SUSPECT_API_KEY=your-suspect-key
#   SUSPECT_API_BASE_URL=https://capi.aerolink.lat

# 4. Run the API server
uvicorn src.main:app --port 8000

# 5. Run deep analysis against all models (32 probes each)
curl -X POST http://localhost:8000/api/v1/analysis/deep \
  -H "Content-Type: application/json" \
  -d '{"name":"Audit","model_configs":[
    {"model_name":"claude-opus-4-8","provider":"suspect","protocol":"anthropic"},
    {"model_name":"claude-fable-5","provider":"suspect","protocol":"anthropic"},
    ...
  ],"suites":["identity","capability","fingerprint"]}'

# 6. Inspect raw probe responses
curl http://localhost:8000/api/v1/results/{run_id}

The 6-step verification checklist (for any provider)

Before paying any relay station
  1. Run Veridropveridrop.org/claude (free, 60 sec, no key stored). Only use providers scoring 85+ with multiple tests. The thinking_signature detector is cryptographic — relay stations cannot forge it.
  2. Check /context after first message — if it shows >5k tokens used in a fresh conversation, they're injecting hidden system prompts (costs you money every request).
  3. Test prompt caching — send the same long context twice; second call should show cache_read_input_tokens > 0 and cost ~10% of first. If not, the relay lacks caching and long-context use will be 5-10× more expensive than the rate suggests.
  4. Trigger a 429/500 and check your bill — legitimate providers only bill successful requests. Some relays charge for failures.
  5. Check Help AIO 24/7 monitoringhelpaio.com/transit for live uptime data across major stations.
  6. Small amount only — never top up more than 1 week of usage. Relay stations disappear regularly ("跑路" risk). Test with ¥10-50 first.

All sources & references

Open-source tools & code

Industry investigations & articles

Community threads (recommendations & warnings)

Anthropic official

Reproducibility

All raw data from this audit is preserved in the llm-verify/ working directory:

The llm-verify server can be restarted (uvicorn src.main:app --port 8000) to re-query any run's results via the /api/v1/results/{run_id} endpoint while the SQLite DB persists.