On this page

The Next AI Supply Chain Attack Starts With a Stolen Token.
11 min

The Next AI Supply Chain Attack Starts With a Stolen Token.

From Stealer Logs to Shadow APIs: The Hidden Credential Layer Behind the Gray-Market AI Economy

The AI access story is usually told as a battle over models. Frontier labs build increasingly capable systems. Developers chase cheaper tokens. Governments draw borders around access. Shadow API providers route around those borders. Competitors attempt to extract capabilities through distillation. The visible drama sits at the model layer.

The more important layer sits below it: identity.

Every gray-market AI economy needs a source of authenticated access. Some of that access comes from fake accounts, bulk signups, payment arbitrage, proxy infrastructure, and KYC bypass. A growing part of the supply can come from something far more familiar to security teams: infostealer logs.

Modern infostealers harvest the artifacts that make a user look legitimate. Microsoft describes infostealers such as StealC as pervasive cybercrime tools that silently collect passwords, cookies, and session tokens before pushing the data into attacker-controlled infrastructure. Microsoft also warns that a single infection on an employee’s personal device can expose VPN credentials, SSO tokens, and session cookies that allow attackers to bypass MFA.

That observation turns the AI access story into a credential-intelligence story. The scarce asset in the underground AI economy may look like “cheap Claude tokens” or “discounted API access.” In practice, it may begin as a stolen browser session, leaked API key, OAuth refresh token, or developer account captured from an infected machine.

The Gray Market Needs Supply

ChinaTalk’s investigation into cheap Claude tokens in China describes a transfer-station economy where intermediaries resell access to Western AI models through indirect infrastructure. WIRED reported the same pattern: users in China rely on VPNs, foreign phone numbers, international payment methods, pre-verified accounts, Telegram sellers, and transfer stations that purchase API access outside China and redistribute tokens to users inside the country.
This market is usually framed around demand. Developers want Claude Code, Codex-style coding agents, and frontier assistants for software work. Heavy users need high token volumes. Regional restrictions and payment barriers create friction. Transfer stations remove that friction.

The supply side deserves more attention. A reseller has to obtain access, keep access alive, avoid bans, route traffic, absorb failures, and preserve margins. Some resellers may rely on enterprise discounts, account pooling, cloud routing, or arbitrage between regions. Other actors can tap a darker source: already-authenticated accounts harvested from infostealer logs.

That matters because stolen access carries a different risk profile than fake access. A fake account often starts with weak trust. A stolen account starts with inherited trust. It may have billing history, normal usage patterns, connected tools, approved devices, saved sessions, and an existing relationship with the provider. From a platform’s perspective, that traffic may look like a legitimate customer suddenly using more tokens, calling from a new environment, or accessing a familiar service through unfamiliar timing.

Distillation Is an Access Problem Before It Is a Model Problem

Anthropic’s distillation report makes this clear. The company said Chinese AI labs used fraudulent accounts and proxy services to generate large volumes of Claude interactions. In one case, Anthropic described a proxy network managing more than 20,000 fraudulent accounts at once, mixing distillation traffic with unrelated customer requests to make detection harder. The campaigns targeted agentic reasoning, tool use, coding, data analysis, computer-use agents, and reasoning traces.

The common reading is that distillation is model theft. That is accurate, but incomplete. Distillation at scale begins with access acquisition. Before a competitor can extract reasoning traces or generate training tasks, it needs stable access to the frontier model. Before a proxy network can distribute extraction traffic, it needs accounts, API keys, cloud routes, and payment channels. Before a transfer station can resell tokens, it needs credentials that keep working.

Infostealers fit directly into this chain. They turn infected endpoints into access bundles. A developer’s machine can contain browser cookies, AI platform sessions, API keys in environment files, GitHub tokens, cloud credentials, local configuration files, command-line tool credentials, screenshots, and saved passwords. Microsoft notes that stolen logs may contain credentials and tokens for corporate VPN, email, cloud, and SSO accounts.

That means a stolen AI session can become a temporary inference resource. A stolen API key can become a billing instrument. A stolen GitHub token can reveal code that later gets fed into a model. A stolen cloud token can expose infrastructure context that improves attack planning. A stolen SSO token can unlock internal AI tools, internal copilots, or enterprise model gateways.

The Prompt Log Is the Prize Behind the Token

The underground AI market is often discussed through price. ChinaTalk and WIRED describe transfer stations that appeal to users seeking cheaper and more stable access to Claude-style models. Shadow API research adds another concern: users may receive something other than the model they paid for. A 2026 arXiv audit found 17 shadow APIs used in 187 academic papers, measured performance divergence as high as 47.21%, and found model-identity verification failures in 45.83% of fingerprint tests.

The hidden value may sit in the logs.

A transfer station sees the prompt, the response, the timing, the requested model, and often the surrounding metadata. For agentic coding, that data can include repository context, stack traces, design decisions, database schemas, product plans, authentication errors, customer snippets, and human accept or reject signals. For enterprise users, prompt history can reveal business strategy, legal concerns, security findings, hiring plans, M&A work, incident response details, and internal tool names.

Infostealer logs can deepen this exposure. A stolen session does more than grant inference. It may grant access to prompt history, uploaded files, project workspaces, connected apps, billing details, saved agents, API dashboards, and integration settings. The token is the first asset. The context around the token may be more valuable.

This is the overlooked economic engine. Cheap AI access can be monetized twice: first through resale of inference, then through harvesting of the data that passes through the intermediary or compromised account. The reseller sells answers. The operator captures intelligence.

KYC Creates a New Identity Market

AI labs have started strengthening identity checks in response to abuse. WIRED reported that Anthropic uses identity verification among its enforcement measures and that Chinese-language Telegram channels began advertising Claude accounts that had already passed identification checks. 404 Media’s earlier investigation into OnlyFake showed how AI-generated fake IDs could be produced cheaply and used to pass identity verification at a cryptocurrency exchange in its test.
This matters for AI security because KYC changes the price of access rather than ending demand. As verification becomes stronger, the market for verified accounts, fake IDs, rented identities, synthetic documents, selfie labor, and compromised sessions becomes more valuable. Infostealer logs can function as a parallel KYC bypass because they deliver access after verification has already happened.

A stolen session says, in effect, “this user has already passed.” A fake ID attacks the front door. A stolen token enters through a door that was already opened.

That distinction should guide security strategy. Identity verification can raise friction for new-account abuse. It can also push sophisticated operators toward session theft, account takeover, and credential laundering. The AI industry is entering the same post-authentication battlefield that banks, cloud providers, and SaaS platforms already know well.

AI Agents Increase the Value of Stolen Access

Agentic AI changes the economics of credential theft. A chatbot session is useful. A coding-agent session is a workbench. It may have access to local files, command-line tools, repositories, issue trackers, package managers, browser sessions, cloud consoles, and deployment systems.

Google’s M-Trends 2026 report states that attackers are harvesting long-lived OAuth tokens and session cookies, stealing hard-coded keys and personal access tokens, and pivoting through SaaS and downstream customer environments. The same report also observed malware checking machines for local AI command-line tools and using predefined prompts to search for configuration files.

That is the bridge between infostealers and AI abuse. The infected developer endpoint is becoming a high-value target because it contains both secrets and AI tooling. A stealer that captures local AI CLI credentials can reveal which model provider the user relies on. A stolen coding-agent token can expose source context. A stolen GitHub or cloud token can turn an AI assistant into an attacker’s analyst. A stolen browser session can unlock the AI workspace where the user already uploaded documents, prompts, and code.

The rise of AI agents creates more places where secrets live and more workflows where authenticated tools act on behalf of humans. That expands the blast radius of every stolen token.

Shadow APIs Turn Credential Theft Into Infrastructure

Shadow APIs create a clean interface over messy access. The buyer sees a simple endpoint. Behind it may sit official API keys, account pools, proxy networks, model substitutions, local models, stolen sessions, or some mixture of all of them. The arXiv paper on shadow APIs shows how this opacity damages users, researchers, and official providers because endpoint claims can diverge sharply from reality.

Infostealer-sourced access makes this opacity more dangerous. A shadow API could route some traffic through legitimate paid accounts, some through stolen keys, some through lower-cost substitute models, and some through relays in supported regions. The customer may believe they are buying clean access. The provider may see traffic from a real account. The victim may see unexplained token usage, unusual billing, or exposed prompt history after the damage has already spread.

This is credential laundering. Stolen access is abstracted behind a new endpoint and sold as a service. The buyer pays for tokens. The operator manages the credential pool. The original account owner funds the usage, supplies the reputation, or contributes the data exhaust.

The New Security Question: Which Tokens Did the Stealer See?

Traditional breach monitoring starts with exposed usernames and passwords. Modern credential intelligence needs to ask a richer question: which authenticated artifacts were present on the compromised machine, and which services did they unlock?

For AI, that means looking beyond passwords and searching for exposed model-provider credentials, API keys, cookies, session tokens, OAuth refresh tokens, personal access tokens, AI CLI configuration files, cloud secrets, GitHub tokens, package-registry credentials, and enterprise SSO sessions tied to AI tools. The question becomes less “which employee password leaked?” and more “which AI and developer workflows became portable?”

This also changes incident response. Resetting a password addresses one slice of the problem. Token exposure demands session revocation, API-key rotation, OAuth-grant review, device trust reset, cloud-access review, prompt-history inspection, billing audit, connected-app review, and log correlation across AI, SaaS, identity, and developer platforms.

The strongest signal may come from the service graph inside the stealer log. A compromised machine that touched Claude, OpenAI, Gemini, GitHub, AWS, Azure, Slack, Google Workspace, Okta, Cursor, package registries, and internal AI gateways creates a different risk profile than a machine with a single exposed consumer password. It represents a portable developer identity.

The Overlooked Article: AI Abuse Starts Before the Prompt

Most AI security conversations begin when a malicious prompt reaches the model. The deeper risk begins earlier, when an attacker obtains the authenticated channel used to send that prompt.

That channel can be created through fake identity. It can be purchased through a transfer station. It can be masked through proxy infrastructure. It can be extracted through distillation campaigns. It can also be stolen from an infected employee machine and repackaged as shadow access.

The gray-market AI economy is therefore best understood as an identity supply chain. Models are the destination. Tokens are the vehicle. Infostealer logs are one of the fuel sources.

This framing makes the next phase of AI security much clearer. The defender’s task is broader than stopping jailbreaks or detecting abusive prompts. It includes finding exposed AI credentials before they become inference inventory, mapping stolen sessions to the tools they unlock, identifying prompt-log exposure, and treating developer endpoints as high-value AI infrastructure.

The companies that understand this shift will monitor AI access the way they monitor cloud access. They will treat API keys as financial instruments, session cookies as portable identities, prompt histories as sensitive business records, and infostealer logs as early-warning signals for AI supply-chain abuse.

The next major AI abuse story may look like a model story on the surface. Underneath, it will likely be a token story.

Ran Geva
Ran Geva
linkedin
Spread the news

Check your company's
exposed credentials

Enter your work email to instantly access a free account
and see your company’s exposed credentials.