Key Takeaways
- Chinese users continue routing around Anthropic’s regional restrictions through VPNs, foreign identities, and transfer station relay services
- Grey markets for Claude access are expanding despite new KYC-style identity checks introduced in April 2026
- Analyst research indicates that proxying, API relaying, and shadow IT behaviors are widespread across global cloud AI adoption
China’s enthusiasm for Anthropic’s AI models keeps pushing the boundaries of geo-enforcement. Over the last year, users across the country have layered together VPNs, foreign phone numbers, international payment cards, and a quickly growing relay infrastructure to access Claude, even as Anthropic intensifies its detection systems. The result is a large, dynamic shadow market that mirrors broader challenges faced by cloud AI providers worldwide.
Following Anthropic’s release of Fable 5 in early June, built as a safeguarded version of the Mythos model, activity on Chinese social platforms surged with user impressions. A few days later, Anthropic cut off global access due to export controls imposed by the Trump administration. The reversal did not slow the local determination to continue using the model. Chinese users have long relied on similar methods to reach OpenAI’s ChatGPT or Google’s Gemini, although Anthropic’s enforcement has proven more aggressive, with numerous reports of sudden account bans even when users attempted to mask their location.
A thriving underground economy has developed on Taobao, Xianyu, Telegram channels, and private ecommerce groups. Some vendors sell pre-configured login accounts, while others specialize in transfer stations, often described as relay hubs. These stations purchase API access from regions supported by Anthropic and then forward requests from domestic users. To the user, the interface feels like a standard Claude session. Behind the scenes, servers outside China pass requests upstream and return responses.
Industry analysts have observed similar patterns emerging across global enterprises. According to a 2024 report from Gartner, more than 65% of organizations documented employees using unapproved cloud or consumer AI services. That behavior sets the stage for informal relay channels. A separate 2024 study from IDC noted that over 70% of inference workloads were already flowing through public cloud APIs. Combined, those trends help explain why proxying and redirection often become the default response when enterprises or regions impose access controls.
Organizations reference frameworks like NIST’s AI Risk Management Framework and ISO/IEC 27018 when assessing cross-border access and customer data handling. Yet the on-the-ground reality in China demonstrates how difficult it is to apply policy guidance when enforcement hinges on IP addresses and identity checks. The 2023 ENISA work on cloud and edge security highlighted that proxying and API relaying are among the most common ways users bypass regional restrictions. That insight appears to have played out directly in the Claude ecosystem.
Developer preference shapes much of the demand. Workloads like code generation tend to reward higher model quality, and many local engineers interviewed for the WIRED report indicated they still preferred Claude over domestic open source alternatives from DeepSeek or Z.ai. Some of those developers described a noticeable six to nine month performance gap for coding tasks. When Chinese teams began experimenting with tools like OpenClaw earlier this year, their token usage surged. Heavy workloads require consistent and affordable access, which transfer stations promise, especially when they use enterprise-discounted API keys behind the scenes.
Anthropic expanded its enforcement in April 2026 by introducing identity verification. Persona, the third party handling the checks, requires government-issued identification. Accounts tied to unsupported countries risk being blocked. Once the checks rolled out, Telegram vendors shifted from selling simple login accounts to offering identities that had already passed verification. Cybersecurity investigators quickly tracked new Chinese-language groups focused on KYC bypass strategies.
The dynamic is not unique to Anthropic, yet the pace of circumvention is unusually fast in this segment of the AI market. The OECD has previously documented China’s large and active grey market for unauthorized access to foreign digital tools, with VPN-based circumvention operating as a long-standing pattern.
For Anthropic, the enforcement challenge continues to scale. Singapore now shows unusually high adoption numbers in published data, likely inflated by Chinese user traffic routed through relay operators or consistent proxy endpoints. A spokesperson for Anthropic stated that the company continues developing new detection systems and countermeasures aimed at proxy networks.
Analysts at Forrester have pointed out that multi-cloud environments make consistent geo-fencing difficult, in part because intermediaries mask true user locations. Relay stations in China illustrate that issue vividly. Traffic redirection often obscures the origin, which complicates any attempt at regional enforcement.
If transfer station infrastructure becomes entrenched, monitoring malicious activity becomes significantly harder. Prompts sent through unsanctioned tools could be logged, repackaged, or sold by intermediaries. Non-technical users also face higher risks of fraud on Telegram marketplaces. These risks underline why researchers studying AI safety have begun questioning how to manage bad actors in a distributed, proxy-heavy environment.
Whenever models are released broadly, global audiences find ways to reach them. Whether through VPNs, foreign phone numbers, or increasingly sophisticated shadow APIs, access tends to route around barriers. The tension between policy restrictions and user demand remains a persistent challenge, with the Claude market in China emerging as one of the most visible examples to date.
⬇️