Skip to Content

The China Claude Black Market: Real-Name ID Checks, DeepSeek Distillation, & Hong Kong's Block

Inside the Underground Economy That's Reselling Claude Access at 90% Off
Sk Jabedul Haque
Sk Jabedul Haque
Jun 9, 2026 5 min read 42 views
The China Claude Black Market: Real-Name ID Checks, DeepSeek Distillation, & Hong Kong's Block
Navigation
10 Sections
    The China Claude black market emerged after Anthropic blocked Claude in China, Hong Kong, and Macau, then discovered DeepSeek, Moonshot, and MiniMax extracted 16 million exchanges through 24,000 fake accounts. Real-name ID checks introduced in April 2026 forced the underground economy to recruit verifiers in low-income countries and resell access at 90% off official pricing through proxy networks operating openly on GitHub, Taobao, and Telegram.

    What You'll Learn

    • Why Anthropic blocked Claude in China, Hong Kong, and Macau — and what triggered the April 2026 ID verification crackdown
    • How DeepSeek, Moonshot, and MiniMax ran 16-million-query distillation campaigns through 24,000 fake accounts
    • How the black market bypasses real-name checks using low-income country verifiers and proxy networks
    • Why Chinese developers risk proprietary code through grey-market API access at 90% off

    The Distillation Bombshell That Changed Everything

    On February 23, 2026, Anthropic published what would become the most consequential AI security disclosure in the industry's history. The company identified "industrial-scale campaigns" by three Chinese AI laboratories — DeepSeek, Moonshot, and MiniMax — to illicitly extract Claude's capabilities through fraudulent accounts. The numbers were staggering: over 16 million exchanges generated through approximately 24,000 fake accounts, all in violation of Anthropic's terms of service and regional access restrictions. The operation targeted Claude's most differentiated capabilities: agentic reasoning, tool use, and coding. DeepSeek alone generated over 150,000 exchanges, using synchronized traffic patterns across accounts with shared payment methods and coordinated timing — a technique Anthropic described as "load balancing" to increase throughput and avoid detection. Moonshot contributed over 3.4 million exchanges across hundreds of fraudulent accounts spanning multiple access pathways, with request metadata matching public profiles of senior Moonshot staff. MiniMax dominated the volume with over 13 million exchanges, and when Anthropic released a new model during MiniMax's active campaign, the lab pivoted within 24 hours, redirecting nearly half their traffic to capture capabilities from the latest system. Anthropic called this "industrial-scale capability theft" and warned that the threat extended beyond any single company or region. For context on how Fable 5 and Mythos 5 compare, the distillation targeted exactly the kind of frontier capabilities that make these models valuable.

    How the Distillation Machine Worked

    The mechanics of the operation reveal a sophisticated supply chain designed to evade detection at every step. Labs used commercial proxy services — which Anthropic described as "hydra cluster" architectures — sprawling networks of fraudulent accounts that distributed traffic across Anthropic's API and third-party cloud platforms. The breadth of these networks meant there were no single points of failure. When one account was banned, a new one took its place. In one case, a single proxy network managed more than 20,000 fraudulent accounts simultaneously, mixing distillation traffic with unrelated customer requests to make detection harder. The prompts themselves were carefully crafted. DeepSeek's prompts asked Claude to "imagine and articulate the internal reasoning behind a completed response and write it out step by step" — effectively generating chain-of-thought training data at scale. They also generated censorship-safe alternatives to politically sensitive queries about dissidents, party leaders, and authoritarianism, likely to train DeepSeek's own models to steer conversations away from censored topics. Anthropic traced these accounts to specific researchers at the lab through request metadata. For a deeper look at Claude's safety guardrails, the distillation attacks specifically targeted the capabilities that those guardrails are designed to protect.

    Why Hong Kong and Macau Are Blocked Too

    Here is where the geopolitics get uncomfortable. Claude is not available in China — that part is straightforward. But Anthropic has also blocked Hong Kong and Macau, despite Hong Kong having no local AI censorship laws. The reason: Anthropic treats Hong Kong under the same restriction framework as mainland China due to the National Security Law. Anthropic's September 2025 terms updated restrictions on sales to unsupported regions, citing "legal, regulatory, and security risks." Hong Kong users have been completely locked out of Claude. Real-name verification is now unavoidable, and even foreign phone numbers cannot bypass the IP-level detection. Unlike competitors who check location only at signup, Claude checks location on every session. A Hong Kong IP gets instant denial even with a foreign phone number. The Hong Kong AI Podcast documented in March 2026 that OpenAI, Anthropic, and Google all block Hong Kong from their AI services. A DoodHK analysis confirmed that "Claude is blocked in Hong Kong because Anthropic has chosen not to include Hong Kong in its supported regions list, citing legal and security concerns." Goldman Sachs even stopped bankers from using Claude in China, as reported by the Financial Times in April 2026. For developers wondering about Claude's coding superiority, the ban creates a particular pain point — Chinese programmers rely on Claude Code specifically because domestic alternatives cannot match its capabilities.

    The April 2026 ID Verification Crackdown

    On April 16, 2026, Anthropic quietly updated its user policy to require government-issued identification alongside a live selfie — checks "more commonly seen in the financial services industry." The verification requirements were severe: only passports were accepted. No domestic IDs from any country. Individuals without passports were excluded entirely. The change reverberated across China's developer community within hours. TechNode reported that "the barrier to entry has been significantly raised: individuals without passports are excluded from using Claude." The Information reported that Claude Code suddenly shut down for Hong Kong-based founders after the policy announcement. The crackdown targeted the exact vulnerability that black market operators had been exploiting: the gap between signup verification and ongoing usage. Before April 2026, a VPN and a foreign phone number were sufficient. After April 2026, every user needed biometric verification that tied their real identity to their account. For a comparison of how GPT-5.5, Claude, and Gemini handle regional restrictions, each company takes a different approach to the China question.

    Inside the Black Market Supply Chain

    The black market did not disappear after the ID crackdown — it evolved. Oxford China Policy Lab researcher Zilan Qian published an investigation in May 2026 documenting a modular supply chain where most participants handled only one or two links. The pricing tells the story: proxy services resell Claude API access at as little as 10% of the official price. These "transfer stations" operate openly on GitHub, Taobao, and Telegram. Upstream operators bulk-register Anthropic accounts by farming free API credits, exploiting corporate discounts, or subdividing $200 Max subscription plans across dozens of users. Some accounts enter the pool at zero cost, purchased with stolen credit card details. To defeat Anthropic's new identity verification requirements, the supply chain recruited real people in lower-income countries to complete verification in person. The Worldcoin biometric black market — where iris scans harvested in Cambodia and Kenya were sold for under $30 — provided the template for this approach. The German researchers at CISPA Helmholtz Center audited 17 of these proxy services and found widespread model substitution. Proxy access marketed as "Gemini-2.5" scored just 37% on a medical benchmark where the official API scored nearly 84%. Users requesting Claude Opus may instead receive responses from cheaper models such as Sonnet, Haiku, or even domestic Chinese alternatives like Qwen, with the output fraudulently relabeled. For context on Claude's pricing structure, the 90% discount exists precisely because the operators are harvesting data as their real revenue stream.

    The Real Cost: Your Code Is the Product

    Here is the part that should terrify any developer using grey-market Claude access. The proxy operators collect every prompt and response that passes through their servers. For coding agents, that means complete reasoning chains, repository context, and human-verified outputs. Several Chinese developers told Qian that the access markup is essentially customer acquisition, and that harvesting those logs is the actual business. Datasets of Claude Opus 4.6 reasoning outputs with no clear provenance already circulate on HuggingFace. Proxy-harvested reasoning data is incredibly valuable for distillation because reasoning outputs can be systematically captured and used to train competing models. But the security exposure extends beyond model training. Coding agents routinely pass contextual repo data, API structures, and authentication logic through to the model. Developers routing that traffic through an unvetted proxy are essentially sending proprietary source code to a third-party server with no data-handling obligations. Samsung encountered a version of this problem in 2023 when its fab engineers pasted proprietary source code into ChatGPT, inadvertently disclosing confidential semiconductor manufacturing data to OpenAI's servers. Proxy services create the same category of risk, but without even the baseline terms of service that major AI providers have. The Chinese grey market effectively turns every paying customer into an unwitting data supplier for the next generation of competing AI models. For developers considering switching to Claude, the grey market risk is a critical factor in the decision.

    The National Security Dimension

    Anthropic framed the distillation attacks as a national security threat, not merely a commercial dispute. Illicitly distilled models lack necessary safeguards. Anthropic and other US companies build systems that prevent state and non-state actors from using AI to develop bioweapons or carry out malicious cyber activities. Models built through illicit distillation are unlikely to retain those safeguards, meaning dangerous capabilities can proliferate with many protections stripped out entirely. Foreign labs that distill American models can feed these unprotected capabilities into military, intelligence, and surveillance systems — enabling authoritarian governments to deploy frontier AI for offensive cyber operations, disinformation campaigns, and mass surveillance. If distilled models are open-sourced, the risk multiplies as capabilities spread freely beyond any single government's control. Anthropic has consistently supported export controls to help maintain America's lead in AI. Distillation attacks undermine those controls by allowing foreign labs to close the competitive advantage that export controls are designed to preserve. Without visibility into these attacks, the apparently rapid advancements made by these labs are incorrectly taken as evidence that export controls are ineffective. In reality, these advancements depend in significant part on capabilities extracted from American models. For a look at how Project Glasswing addresses cybersecurity threats, the distillation problem represents a different category of risk — one that traditional cybersecurity tools cannot easily solve.

    What Happens Next

    The cat-and-mouse game continues. Each new control Anthropic introduces generates a corresponding evasion market rather than reducing overall unauthorized access. The September 2025 terms blocked any company more than 50% Chinese-owned from API access. The February 2026 distillation disclosure raised public awareness. The April 2026 ID verification crackdown forced the black market to recruit human verifiers in low-income countries. Each escalation raises the cost and complexity of unauthorized access, but the demand remains strong because Claude's coding capabilities are genuinely superior to domestic alternatives. SCMP reported in April 2026 that "Chinese developers are bypassing new ID checks as demand for Claude remains strong despite official restrictions." The underlying dynamic is simple: Chinese developers need Claude's capabilities, Anthropic cannot or will not serve them legally, and a market has filled the gap. The question is not whether the black market will persist — it will. The question is whether the security risks it creates — proprietary code exfiltration, model distillation, and the proliferation of unsafeguarded AI capabilities — will force a policy response beyond what either Washington or Beijing has so far been willing to undertake. For the latest on Claude's subscription changes, the China block adds another layer of complexity to an already complicated pricing landscape.

    Related Article Claude Fable 5 Pricing & Cost Analysis: Is It Worth $50/Million Output Tokens?
    Related Article Project Glasswing: Anthropic's Cybersecurity Defense Initiative with Mythos 5

    Last Updated: June 10, 2026

    Sources: Anthropic, South China Morning Post, Tom's Hardware, TechCrunch, Wall Street Journal (Official + Industry Sources)

    Disclaimer: This article is for informational purposes only. We do not endorse or facilitate unauthorized access to AI services.

    Frequently Asked Questions

    Anthropic treats Hong Kong under the same restriction framework as mainland China due to the National Security Law. Despite Hong Kong having no local AI censorship laws, Anthropic excluded it from supported regions in September 2025, citing legal, regulatory, and security risks. Claude checks location on every session — a Hong Kong IP gets instant denial even with a foreign phone number.
    In February 2026, Anthropic identified DeepSeek as one of three Chinese AI labs running industrial-scale distillation campaigns against Claude. DeepSeek generated over 150,000 exchanges through fraudulent accounts, using prompts that asked Claude to articulate its internal reasoning step by step — effectively generating chain-of-thought training data. Anthropic traced accounts to specific DeepSeek researchers through request metadata.
    Chinese grey-market proxy services resell Claude API access at as little as 10% of the official price. These 'transfer stations' operate on GitHub, Taobao, and Telegram. Operators bulk-register accounts using free API credits, stolen credit cards, or by subdividing $200 Max plans. To bypass ID verification, they recruit real people in lower-income countries to complete biometric checks in person.
    AICodeMirror is a relay platform that says it has more than 10,000 registered users and over 200 institutional clients. It provides Chinese developers with access to Claude despite official restrictions. After Anthropic introduced real-name ID checks in April 2026, AICodeMirror and similar platforms scrambled to find workarounds, including recruiting human verifiers in other countries.
    No. Proxy operators collect every prompt and response that passes through their servers. For coding agents, that includes complete reasoning chains, repository context, and human-verified outputs. Developers routing traffic through unvetted proxies are sending proprietary source code to third-party servers with no data-handling obligations. Datasets of Claude reasoning outputs already circulate on HuggingFace.
    Anthropic updated its user policy on April 16, 2026, requiring government-issued identification alongside a live selfie. The requirements are akin to KYC checks in financial services. Only passports are accepted — no domestic IDs. The change was designed to prevent abuse, enforce usage policies, and comply with legal obligations.
    Anthropic identified approximately 24,000 fraudulent accounts used by three Chinese AI labs — DeepSeek, Moonshot, and MiniMax. These accounts generated over 16 million exchanges with Claude. MiniMax alone contributed over 13 million exchanges, while Moonshot generated 3.4 million and DeepSeek over 150,000.
    No. Claude is not available in China, Hong Kong, or Macau. Anthropic's terms of service prohibit use in these regions. The company also blocks any company more than 50% Chinese-owned from API access as of September 2025. There is no legal pathway to access Claude from these regions.
    Sk Jabedul Haque

    Sk Jabedul Haque

    Founder & Chief Editor

    Building India's most trusted finance education platform — simplifying news, calculators, and market trends so anyone can understand and invest confidently.

    Read full bio →
    AI Geopolitics AICodeMirror Anthropic China Ban Claude API Grey Market Claude Black Market Claude Bypass Claude China Block Claude Hong Kong DeepSeek Distillation Real-Name Verification
    in Technology