How to Spot Fake AI Models: Inside the 72K GitHub Star Shadow API Economy That’s Harvesting Your Prompts

Introduction:

Shadow APIs—unauthorized third-party services that claim to offer cheap access to frontier LLMs like GPT-5 and Gemini-2.5—are proliferating across GitHub and academic research. A recent CISPA study reveals that nearly half of all calls through these proxies hit a different model than advertised, while every prompt and response is logged for downstream fraud and model distillation, putting your intellectual property and application security at risk.

Learning Objectives:

  • Identify the eight public repositories with ~172K GitHub stars that resell unauthorized Claude, GPT, Gemini, and DeepSeek access.
  • Detect model substitution and performance divergence using fingerprinting techniques and command-line API audits.
  • Mitigate risks of prompt harvesting and account pooling by implementing continuous quality monitoring and provenance verification.

You Should Know:

  1. Mapping the Shadow API Supply Chain: From Biometric Farms to WeChat Payments

The dark token economy is a specialized, resilient supply chain. It starts with biometric harvesters in Africa and Latin America who collect identities to create fake accounts. Account farmers and SMS verification farms then register at Western LLM providers using those identities. Payment processors on WeChat and Alipay launder transactions, while proxy operators run open-source gateways like one-api or new-api to resell access on Xianyu and QQ groups. Mandiant’s UNC5673 (PRC-nexus) operates two of the eight public repos: claude-relay-service and CLIProxyAPI.

Step‑by‑step guide to map your exposure:

  • Linux command to check for known malicious proxy patterns in your logs:
    grep -E "(one-api|new-api|claude-relay|CLIProxyAPI)" /var/log/nginx/access.log | awk '{print $1, $7}' | sort | uniq -c
    
  • Windows PowerShell to detect unusual API gateway endpoints in outbound traffic:
    Get-NetTCPConnection -State Established | Where-Object {$_.RemotePort -eq 443 -or $_.RemotePort -eq 8080} | Select-Object RemoteAddress, RemotePort, OwningProcess | Export-Csv -Path shadow_api_connections.csv -NoTypeInformation
    
  • Python script to verify if an API endpoint is a known shadow proxy (uses DNS and SSL certificate fingerprinting):
    import ssl, hashlib

    def check_shadow_api(hostname):
        # Fetch the leaf certificate and hash its DER encoding: that is the standard
        # SHA-256 certificate fingerprint (hashing the PEM text would never match published values)
        pem = ssl.get_server_certificate((hostname, 443))
        der = ssl.PEM_cert_to_DER_cert(pem)
        fingerprint = hashlib.sha256(der).hexdigest()
        known_bad = ["a1b2c3...", "d4e5f6..."]  # From CISPA report
        return fingerprint in known_bad
    
  2. Model Substitution Detection: How to Catch a Fake GPT-5

CISPA researchers found that 45.83% of shadow API endpoints fail fingerprint verification. For example, when you request Gemini-2.5-flash on MedQA, accuracy drops from 83.82% to ~37%—proving a different, weaker model is serving responses. The deception is intentional: cheaper models are substituted to maximize profit, while your prompts are logged for distillation.

Step‑by‑step guide for active fingerprinting (LLMmap method):

  • Install required tools:
    pip install openai transformers torch scikit-learn
    
  • Collect reference fingerprints from official APIs (store output logits for 100 controlled prompts):
    import openai

    client = openai.OpenAI(api_key="YOUR_OFFICIAL_KEY")
    prompts = []  # your 100 controlled prompts; use the identical list for every endpoint you audit
    fingerprints = []
    for prompt in prompts:
        response = client.completions.create(model="gpt-5-mini", prompt=prompt, logprobs=5, max_tokens=50)
        fingerprints.append(response.choices[0].logprobs)  # top-5 logprobs for each generated token
    
  • Query your suspected shadow API endpoint (replace base_url):
    shadow_client = openai.OpenAI(base_url="https://suspicious-proxy.com/v1", api_key="dummy")
    shadow_responses = [shadow_client.completions.create(model="gpt-5-mini", prompt=p, logprobs=5, max_tokens=50) for p in prompts]
    
  • Compute cosine distance between official and shadow logit distributions – a distance >0.15 indicates model substitution.
  • Automated script to run every hour and alert on deviation:
    #!/bin/bash
    # fingerprint_audit.py is your own wrapper around the steps above; it must exit 1 when the distance exceeds the threshold
    python fingerprint_audit.py --official-endpoint "https://api.openai.com" --shadow-endpoint "$SHADOW_URL" --threshold 0.15
    if [ $? -eq 1 ]; then echo "Model substitution detected!" | mail -s "Shadow API Alert" [email protected]; fi
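
The comparison step itself, added here as example code (not the CISPA paper's tooling or the page's script): it aligns two top-5 logprob dictionaries (the shape of `logprobs.top_logprobs[0]` returned by the completions calls above) on the union of their tokens, converts them to probabilities, and reports the mean cosine distance against the 0.15 cutoff. The logprob values are constructed for the demo.

```python
import math

# Constructed sample: top-5 logprobs of the first generated token for two prompts,
# i.e. the shape of response.choices[0].logprobs.top_logprobs[0] in the script above.
OFFICIAL = [
    {"Paris": -0.05, " Paris": -3.2, "The": -4.1, "paris": -5.0, "It": -5.5},
    {"4": -0.02, " 4": -4.0, "Four": -4.5, "four": -6.0, "2": -7.0},
]
SHADOW_SAME = [  # same model behind the proxy: only small numeric jitter
    {"Paris": -0.06, " Paris": -3.1, "The": -4.3, "paris": -5.1, "It": -5.4},
    {"4": -0.03, " 4": -3.9, "Four": -4.6, "four": -5.9, "2": -7.2},
]
SHADOW_SWAPPED = [  # cheaper model substituted: different tokens and probability mass
    {"The": -0.4, "Paris": -1.5, " The": -2.0, "France": -3.5, "It": -4.0},
    {"Four": -0.3, "4": -2.0, "The": -2.5, " 4": -3.0, "2": -4.5},
]

def to_vectors(official_top, shadow_top):
    """Align both top-k dicts on the union of their tokens and convert logprobs
    to probabilities; a token missing from one side gets ~0 mass."""
    tokens = sorted(set(official_top) | set(shadow_top))
    a = [math.exp(official_top.get(t, -50.0)) for t in tokens]
    b = [math.exp(shadow_top.get(t, -50.0)) for t in tokens]
    return a, b

def cosine_distance(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return 1.0 - dot / norm

def fingerprint_distance(official, shadow):
    """Mean cosine distance over the per-prompt first-token distributions."""
    dists = [cosine_distance(*to_vectors(o, s)) for o, s in zip(official, shadow)]
    return sum(dists) / len(dists)

def is_substituted(official, shadow, threshold=0.15):
    """True when the shadow endpoint diverges past the 0.15 cutoff used above."""
    return fingerprint_distance(official, shadow) > threshold

if __name__ == "__main__":
    print("same model :", round(fingerprint_distance(OFFICIAL, SHADOW_SAME), 4))
    print("substituted:", round(fingerprint_distance(OFFICIAL, SHADOW_SWAPPED), 4))
```

In production, feed it the `fingerprints` lists collected from both endpoints and alert on the mean rather than on single prompts, since one prompt can legitimately shift with sampling settings.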
    
  3. Prompt Harvesting and Downstream Fraud: Your Inputs Are the Real Product

Token resale is low-margin; the real profit comes from logging every user prompt and model response. These logs are sold for three purposes: (1) downstream fraud (crafting phishing emails, generating disinformation), (2) model distillation (training cheaper clones), and (3) intellectual property theft (extracting proprietary system prompts or training data). Mandiant reports that UNC5673 explicitly logs all traffic for later analysis.

Step‑by‑step guide to detect and block prompt exfiltration:

  • Inspect HTTP traffic for unusual outbound POST requests containing your prompts (Linux tcpdump):
    # Caveat: port 443 payloads are TLS-encrypted, so the grep only matches plaintext (e.g. traffic after TLS termination or on port 80)
    sudo tcpdump -i eth0 -A -s 0 'tcp port 443' | grep -E "(prompt|user_input|query)" --line-buffered | tee -a prompt_leak.log
    
  • Windows: Use netsh and Wireshark filter to capture TLS-encrypted traffic (need SSL key logging):
    # SSLKEYLOGFILE is an environment variable read by Chrome/Firefox at startup (an IFEO registry value does not set it);
    # point Wireshark at the same file under Preferences > Protocols > TLS > (Pre)-Master-Secret log filename
    [Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", "C:\keys.log", "User")
    
  • Implement a proxy that strips identifiable metadata before sending requests to any LLM API:
    import hashlib, os, re
    import requests
    from flask import Flask, request, jsonify

    app = Flask(__name__)
    EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

    def pseudonymise(text):
        # Replace e-mail addresses with a stable hash tag so the prompt stays usable by the model
        return EMAIL_RE.sub(lambda m: "<pii:" + hashlib.sha256(m.group().encode()).hexdigest()[:12] + ">", text)

    @app.route('/v1/chat/completions', methods=['POST'])
    def safe_proxy():
        data = request.json
        # Remove user email, IP, session ID
        data.pop('user', None)
        # Hash any remaining PII instead of forwarding it upstream
        for msg in data.get('messages', []):
            if isinstance(msg.get('content'), str):
                msg['content'] = pseudonymise(msg['content'])
        # Forward to official API only; the real key comes from the environment, never from source
        response = requests.post('https://api.openai.com/v1/chat/completions', json=data,
                                 headers={'Authorization': 'Bearer ' + os.environ['OPENAI_API_KEY']})
        return jsonify(response.json())
    
  • Deploy a Web Application Firewall rule to block requests to known shadow API domains (list from CISPA). Example for ModSecurity:
    # Only effective when ModSecurity fronts an egress/forward proxy; a WAF in front of your own app never sees outbound Host headers
    SecRule REQUEST_HEADERS:Host "@rx (one-api|new-api|claude-relay)" "id:1001,phase:1,deny,status:403,msg:'Shadow API detected'"
    
  4. API Security Hardening: Protect Your Keys from Account Pooling

Account pooling is how shadow APIs aggregate hundreds of legitimate API keys from compromised accounts, students, or subsidized credits. They rotate keys to avoid rate limits and detection. Your key could be used without your knowledge if leaked via a dependency or misconfigured CI/CD.

Step‑by‑step guide to lock down API credentials:

  • Linux: Monitor for unauthorized API key usage using OpenAI’s audit logs API:
    curl -H "Authorization: Bearer $OPENAI_API_KEY" https://api.openai.com/v1/organization/usage > usage.json
    jq '.daily_costs[] | select(.line_items[].cost > 0.1) | .timestamp, .line_items[].name' usage.json
    
  • Windows: Use Azure Key Vault or AWS Secrets Manager with automatic rotation every 24 hours:
    # Rotate OpenAI key via Azure CLI. Key Vault stores the key but cannot mint one, so $NEW_OPENAI_KEY
    # must be freshly issued by the provider; the 1-day expiry drives the rotation schedule
    az keyvault secret set --vault-name myvault --name openai-key --value "$NEW_OPENAI_KEY" \
        --expires "$(date -u -d '+1 day' +%Y-%m-%dT%H:%M:%SZ)"
    
  • Enforce IP whitelisting and per-request rate limiting on your API gateway (example using nginx):
    # requires in the http {} block:  limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    location /v1/ {
        allow 192.168.1.0/24;
        deny all;
        limit_req zone=api burst=5 nodelay;
        proxy_pass https://api.openai.com/;
    }
    
  • Use fine-grained OAuth scopes to restrict each API key to only required models and maximum token budgets.
  5. Continuous Quality and Performance Monitoring for LLM Dependencies

Because startups are turning to “creative” token cost reduction via shadow providers, you may lose visibility into the token chain. CISPA recommends running continuous quality monitoring to catch regressions early. This means sending periodic golden test queries and comparing responses to official baselines.

Step‑by‑step guide to implement an LLM quality monitor:

  • Build a test suite of 50 deterministic prompts (e.g., “What is 2+2?”, “Translate ‘Hello’ to French”) with known correct outputs.
  • Deploy a cron job (Linux) or Scheduled Task (Windows) to run hourly:
    #!/bin/bash
    source .env  # contains OFFICIAL_KEY and SHADOW_URL
    mapfile -t prompts < golden_prompts.txt  # one deterministic prompt per line (50 in the suite above)
    for i in "${!prompts[@]}"; do
        body=$(jq -cn --arg p "${prompts[$i]}" '{model:"gpt-5-mini",prompt:$p,max_tokens:10}')
        response_official=$(curl -s -H "Authorization: Bearer $OFFICIAL_KEY" -H "Content-Type: application/json" https://api.openai.com/v1/completions -d "$body")
        response_shadow=$(curl -s -H "Authorization: Bearer dummy" -H "Content-Type: application/json" "$SHADOW_URL/v1/completions" -d "$body")
        # pass both bodies as argv so quotes in the responses cannot break the Python one-liner
        diff=$(python3 -c 'import sys, difflib; print(difflib.SequenceMatcher(None, sys.argv[1], sys.argv[2]).ratio())' "$response_official" "$response_shadow")
        if (( $(echo "$diff < 0.9" | bc -l) )); then echo "Mismatch on prompt $i" >> alert.log; fi
    done
    
  • Implement semantic similarity monitoring using a local small model (e.g., sentence-transformers) to detect output drift:
    from sentence_transformers import SentenceTransformer, util

    model = SentenceTransformer('all-MiniLM-L6-v2')

    def check_semantic_similarity(off, shadow):
        # cosine similarity of the two embeddings: 1.0 means identical meaning
        emb1 = model.encode(off); emb2 = model.encode(shadow)
        return util.cos_sim(emb1, emb2).item()
    
  • Set up a Grafana dashboard with alerts when accuracy drops below 95% or latency exceeds 2x baseline.

6. Hardening Against Model Distillation via Output Watermarking

Shadow APIs log responses to train distilled models that mimic frontier LLMs at lower cost. To protect your proprietary prompts and prevent unauthorized distillation, inject invisible watermarks into your outputs and actively monitor for cloned models.

Step‑by‑step guide for output watermarking and detection:

  • Add a unique, low-entropy token pattern (e.g., specific punctuation or Unicode characters) that is syntactically invisible but algorithmically detectable.
  • Example watermark injection in Python:
    import random

    WATERMARK_SET = ["\u200B", "\u200C", "\u200D"]  # zero-width characters, invisible when rendered

    def watermark_text(text):
        words = text.split()
        for i in range(0, len(words), 10):  # tag every 10th word
            words[i] = random.choice(WATERMARK_SET) + words[i]
        return " ".join(words)
    
  • Monitor public model repositories (Hugging Face, GitHub) for suspicious fine-tuned models that produce your watermarked patterns:
    git clone https://huggingface.co/datasets/bigcode/the-stack
    grep -rF $'\u200B' the-stack/ | tee watermark_matches.txt
    
  • File a DMCA takedown if your watermarked content is found in unauthorized model training data.
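
A keyed variant of the injection snippet above together with the matching detector, added here as example code (not from the page): the zero-width character for each marked word is derived with HMAC from a secret key and the word index, so a detector holding the key can score a suspect text while unmarked text scores 0. The key and sample text are constructed for the demo.

```python
import hmac, hashlib

ZERO_WIDTH = ["\u200B", "\u200C", "\u200D"]  # invisible when rendered, survive copy/paste
STRIDE = 10  # mark every 10th word, as in the snippet above

def _mark_for(key: bytes, index: int) -> str:
    """Keyed, deterministic choice of the zero-width char for word `index`."""
    digest = hmac.new(key, str(index).encode(), hashlib.sha256).digest()
    return ZERO_WIDTH[digest[0] % len(ZERO_WIDTH)]

def watermark_text(text: str, key: bytes) -> str:
    words = text.split()  # zero-width chars are not whitespace, so split() keeps them attached
    for i in range(0, len(words), STRIDE):
        words[i] = _mark_for(key, i) + words[i]
    return " ".join(words)

def watermark_score(text: str, key: bytes) -> float:
    """Fraction of expected positions carrying the keyed mark (0.0 for unmarked text)."""
    words = text.split()
    positions = range(0, len(words), STRIDE)
    if len(positions) == 0:
        return 0.0
    hits = sum(1 for i in positions if words[i].startswith(_mark_for(key, i)))
    return hits / len(positions)

def is_watermarked(text: str, key: bytes, threshold: float = 0.8) -> bool:
    return watermark_score(text, key) >= threshold

def strip_marks(text: str) -> str:
    """What the text looks like to a reader, or after a scraper normalises format characters."""
    for ch in ZERO_WIDTH:
        text = text.replace(ch, "")
    return text

# Constructed sample response and key for the demo (use a per-deployment secret in practice)
KEY = b"demo-watermark-key"
SAMPLE = ("Shadow APIs resell access to frontier models through pooled accounts "
          "and log every prompt and response for later distillation and fraud "
          "so treat any unofficial endpoint as an untrusted party in your pipeline")

if __name__ == "__main__":
    marked = watermark_text(SAMPLE, KEY)
    print("marked score  :", watermark_score(marked, KEY))
    print("unmarked score:", watermark_score(SAMPLE, KEY))
```

Text marked with a different key matches about a third of the positions by chance, which is why the detector uses a 0.8 threshold; any normalisation that drops format characters removes the marks, so treat this as a provenance signal, not a tamper-proof one.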

What Undercode Say:

  • Key Takeaway 1: Shadow APIs are not just a licensing violation—they are a structural security risk where model substitution (up to 47% performance divergence) and prompt logging directly enable downstream fraud and IP theft. The 172K GitHub stars show how normalized this practice has become in research and startups.
  • Key Takeaway 2: Organizations must assume any use of unofficial LLM endpoints will result in prompt harvesting. The only safe path is to enforce continuous fingerprinting, rate limiting, and golden test suites. The rising cost of official APIs (OpenAI input pricing up 4x in 8 months) will only accelerate shadow adoption, making proactive detection essential.

Expected Output:

The dark token economy will continue to grow as frontier model prices rise and geographic restrictions tighten. By mid-2026, expect to see regulatory action against the largest shadow API operators and GitHub takedowns. However, the supply chain is resilient—biometric farms and WeChat payment loops will adapt. The real shift will be technical: cloud providers will embed model provenance certificates into API responses (like TEE-based attestation), and enterprise WAFs will include shadow API signature databases. Startups that depend on LLMs will bifurcate: those that accept the cost of official APIs (and pass it to customers) versus those that build their own small, domain-specific models to avoid the token economy entirely. Prompt distillation will become a recognized attack vector, with insurance policies requiring API endpoint audits. Long-term, decentralized identity for API calls and zero-knowledge proofs of model inference may render shadow APIs obsolete—but until then, assume every cheap token comes with a hidden cost: your data.

Prediction:

The shadow API market will reach $500M in annual transaction volume by 2027, prompting a coordinated response from Anthropic, Google, and OpenAI—including legal action against the eight public repos and integration of real-time model fingerprinting into their official SDKs. Researchers who unknowingly used shadow APIs in peer-reviewed papers will face reproducibility crises, leading to retractions and new guidelines requiring API provenance statements. On the defense side, we will see open-source “LLM Firewall” proxies that automatically detect and block known shadow endpoints, while cloud marketplaces like AWS and Azure will start flagging accounts that query from restricted regions as potential pool participants. The most innovative countermeasure will be token-level watermarking that allows official providers to trace generated text back to the original API key, making account pooling instantly detectable.

Reported By: Ilyakabanov The – Hackers Feeds