Original Author: Shao Jiadian
In May 2026, a somewhat significant "melon" surfaced in the AI circle.
A man known by the online name "Guapi," the head of an AI transit station in Shanghai, issued a shutdown statement in a tech community. According to his account and related reports, he was detained for 37 days due to some API sources suspected of being obtained through illegal technical means, and is now in a state of bail pending trial. As for whether there will be a subsequent lawsuit, how conviction and sentencing will be determined, or if it involves refunds, restitution, or fines, it should still be based on the final handling by judicial authorities.
Image Source: Screenshot of the person's shutdown statement
What is more heartbreaking is that he mentioned in the statement that this business did not make any money, and he could not afford to refund user deposits.
Once this matter emerged, many transit station heads began closing down their stations overnight. In the past, everyone thought this was a "low-cost, light-asset, profitable difference" small business. Now it suddenly became clear: this vehicle may not be heading toward financial freedom, but rather toward the police station.
So-called AI transit stations, simply put, involve bringing in overseas large model interfaces like GPT, Claude, and Gemini, wrapping them with a Chinese interface, creating a token recharge system, and then selling access to domestic users according to membership, usage, or API calls.
Users find it convenient, station heads see profit, agents see a channel, and the community feels they’ve found a bargain.
But the issue is that compliance never looks at how smart the business's packaging is.
What compliance really asks is: what exactly is this business selling, whose things are being sold, through what means, and bypassing what rules, to whom.
In the case of AI transit stations, the answer is not pretty: they are selling overseas large model services that have not completed domestic compliance, wrapped to bypass regulation, to the domestic public.
This is not token going overseas. This is token coming into the sea.
To be more straightforward, this is "sneaking" overseas models back to sell.
It is necessary to clarify the boundaries first: it is not illegal for individuals to use overseas AI tools, nor is it that all businesses using overseas APIs cannot operate. What the law really looks at is whether the platform has been providing generative AI capabilities to domestic non-specific users in its own name, whether it has obtained necessary authorization, qualifications, or filings; whether it has taken user inputs and personal information overseas; and whether it has fulfilled obligations such as security assessments, informed consent, content governance, and data protection.
If these questions have no answers, then it is not as simple as "technical transit," but rather has completely evaded a whole set of compliance responsibilities that should be borne by the service provider.
1. Why did this business once seem appealing?
Don't rush to label it illegal.
Any gray business that can operate usually does so not because no one understands the law, but because it genuinely meets a real demand.
Domestic users want to use overseas models, but there are several barriers: accounts are difficult to register, payments are inconvenient, APIs are hard to access, English documentation is unfriendly, and companies do not want to deal with too much technical configuration.
The transit station absorbed all these troubles.
Users only need to open a webpage, put in some money, buy some tokens, and they can use various overseas models. For ordinary users, it seems cheaper, more convenient, and more like a “localized product” than the official channels.
What do station heads earn?
They make money from information asymmetry, the price difference of interfaces, account pools, and traffic aggregation.
The most enticing aspect of this business lies in its seeming lightness: no need to train models, no need to buy GPUs, no cash burn to build large models, no need to bear model iteration costs. As long as there are interfaces, servers, payment gateways, and traffic channels, a business can start.
So it was once very hot. But light assets do not equal light risks.
Many times, risks are just hidden away. Hidden in interface sources, hidden in user data, hidden in payment paths, and also hidden in that most dangerous phrase: we are just a transit.
2. "Just a transit" cannot save the platform
The most common self-positioning of AI transit stations is as technical service providers.
The platform does not produce models, only does interface transportation; the platform does not generate content, only does request forwarding; the platform does not provide large model services to the public, only helps users to conveniently call overseas tools.
This set of statements sounds clever, but it does not hold up under scrutiny.
- Does the platform collect money from users?
- Does the platform open accounts for users?
- Does the platform charge based on tokens, memberships, or usage?
- Does the platform wrap overseas models as its own product interface?
- Is the platform open to domestic non-specific users?
As long as the answers to these questions are "yes," it becomes hard for such platforms to continue claiming to be just an innocent router.
This is already organizing a generative AI service directed at domestic users.
According to the framework of the "Interim Measures for the Management of Generative Artificial Intelligence Services," as long as generative AI technology is utilized to provide content generation services such as text, images, audio, and video to the domestic public, it will enter the regulatory scope of generative AI services; and organizations or individuals "providing services through programmable interfaces or other means" may also be identified as service providers.
Image Source: Official website of the Central Cybersecurity and Informatization Committee Office
Therefore, when transit stations say "the models are not trained by the platform," it does not exempt them from liability. Regulators will not only look at who owns the model’s property but also who is opening the door to users, who is collecting money, who is organizing requests, who controls the interface and billing rules, and who retains user data. In legal classification, the identity of a service provider does not depend on whether the platform is a large model manufacturer, but on whether the platform is actually providing this service to users.
More troublesome is that the sources of models for this service, data flows, qualification procedures, and responsibility assignments are often unclear.
This is what makes AI transit stations truly dangerous.
It is not simply a technical issue but a linkage issue: the source might lack authorization, the end is aimed at the domestic public, and there is also the cross-border transmission of user data in between.
Three things coming together no longer constitute just "small-time operations"
3. How does it actually operate? In fact, it’s just three steps
Stripping away the fancy language, the gray transit link is very straightforward.
Step one, scraping interfaces.
Some station heads bulk register accounts, some buy budget allocations at low prices, some obtain keys through proxy channels, and some even bypass platform risk controls, scrape interfaces, or reverse engineer. Eventually forming an "account pool" or "interface pool."
Step two, wrapping.
Set up servers, do reverse proxies, wrap overseas model interfaces into the platform’s own API or web product. What users see is a Chinese interface, but behind it is actually calling an overseas model.
Step three, selling tokens.
Promote through communities, e-commerce, mini-programs, developer communities, and charge based on tokens, memberships, packages, or API usage. The slogans are also familiar: low-cost access to overseas large models, one-stop access to multiple top models, just a few dollars for tens of thousands of tokens.
It sounds like business innovation. But if the source lacks authorization, the service has not gone through required filing, registration, or security assessment, and data is not accounted for, it is not innovation, but circumvention.
From a legal relationship perspective, these three steps will push the station head into three positions: first, they may be the actual user or reseller of overseas model interfaces and need to explain the source of interfaces and authorization boundaries; second, they may be an internet information service operator aimed at domestic users and need to clarify ICP, value-added telecom business licenses or filing issues; third, they are also the processor of user input information, usage records, and personal information, needing to explain data collection, storage, forwarding, deletion, and outbound rules.
A business stepping on three different legal relationships cannot simply use "just an API proxy" to explain itself.
4. Why did the Ministry of State Security specifically warn about AI transit stations?
This is also a signal that is very worth noting.
The Ministry of State Security recently issued a warning aimed at AI transit stations, alerting to data security risks. This warning deserves a closer look because it does not merely say "don't use overseas models," but clearly breaks down the risks associated with AI transit stations.
Image Source: Ministry of State Security WeChat Official Account “AI Transit Stations, Risks to Prevent,” June 8, 2026
The key point highlighted by the Ministry of State Security is not that "overseas models should not be touched," but that AI transit stations themselves might become black boxes for data leaks, model shrinkage, and technical backdoors.
The first type of risk is data exposure.
What users input into transit stations might not just be casual chats but could include contracts, code, client information, financial data, business plans, internal meeting minutes, and even personal identity and sensitive information.
This content first goes through the transit station before being forwarded to overseas models. The issue is, who operates the transit station? Where are the servers? Is the data encrypted? Will it be retained? Could it be used for training purposes? Could it be resold? Many users have no idea.
The Ministry of State Security's alert mentioned that some AI transit stations lack operational qualifications and have weak security protections, leading to incidents of user privacy leaks and data sales. Put simply: users think they are using models at a bargain, but in reality, they could be exposing their data to strangers.
The legal issues here are very specific. If users input contracts, resumes, identity card information, client data, code comments, chat records into a transit station that contains personal information, the transit station is not simply "passing the message," but is processing personal data; if this content is forwarded to an overseas model server, it may constitute the act of providing personal information or data to overseas entities.
At this point, at least several compliance questions must be answered: has there been explicit communication to users about who the overseas recipients are, what the processing purposes are, what the processing methods are, and what types of personal information are involved; has individual consent been obtained; has a personal information protection impact assessment been performed; when the scale reaches statutory thresholds, does it require exiting data security assessments, standard contracts for personal data outflows, or certification routes.
Many transit stations' biggest issue is not that they answer incorrectly, but rather that they lack the capability to answer at all.
The second type of risk is model shrinkage.
Many transit stations sell services under the banner of "connecting top models," but what users actually call upon may not be the advertised version of the model.
To cut costs, some platforms might use under-configured models to impersonate high-end models, or reduce computational power and disable verification functions. Users think they are using high-performance models for decision-making, but they end up with shrinked versions of the responses.
This may only result in a poor experience for general conversations; but if used in law, medicine, finance, coding, or corporate decision-making, it is not merely an issue of experience but a risk of misdirection.
The third type of risk is technical backdoors.
In more extreme cases, some transit stations might not be clean themselves. They may lack legitimate data encryption mechanisms, may harbor malicious programs, and even seize the opportunity to steal account information, keys, or cloud credentials from users’ devices.
This issue is no longer about whether "AI tools work well," but a matter of cybersecurity.
Thus, the warnings from the Ministry of State Security truly expose a key point: AI transit stations are not simply a "cheap entry" but a highly opaque third-party black box.
Users handing over data might be unaware of who it passes through, where it flows, who retains it, and who reuses it.
For corporate users, this is particularly dangerous. An employee, in an effort to save a few bucks, throws client contracts, source code, investment materials, internal proposals into a transit station, and what leaks isn't just their chat records but potentially the company's core assets.
5. Why is it not the same as compliance going overseas?
Many people confuse two concepts: Token going overseas and Token coming into the sea.
Token going overseas is selling domestic AI capabilities to overseas clients. For instance, domestic models, AI applications, computing resources, and industry solutions charge overseas clients via Tokens or API usage quotas.
This route certainly has compliance issues: model sources, data outflow, target markets, overseas payments, fund repatriation, all need addressing. But at least the direction is correct: capabilities going outward.
Token coming into the sea is the exact opposite.
It involves wrapping overseas model services and selling them back to the domestic market, targeting domestic users, with the source of capabilities being overseas models and the middle layer being a gray transit platform. The former can be designed for compliance, while the latter stands in the shadow of regulation from the beginning.
6. Lawyer's perspective: Why might this be illegal?
The most troublesome aspect of AI transit stations is that it does not just tread one line. From a lawyer's perspective, to determine why it might be illegal, one needs to look at it layer by layer, rather than concluding with a simple "uses overseas models."
It’s like a vehicle, pressuring forward on four red lines.
The first line is generative AI regulation.
As long as it provides generative AI services aimed at the domestic public, it cannot pretend it has no relation to generative AI regulation. The "Interim Measures for the Management of Generative Artificial Intelligence Services" does not look at whether the platform has trained foundational models but rather whether the platform has exploited generative AI technology to provide content-generating services to the domestic public. It also explicitly includes "providing services through APIs" within the definition of a "provider."
This implies that if a transit station wraps overseas models into its webpage, membership, or API products and opens to charge the domestic public, it may be required to assume the responsibilities of a generative AI service provider, including content safety, protection of user input and usage records, user complaints handling, illegal content management, regulatory compliance, and obligations like security assessments and algorithm filings in specific scenarios involving public opinion attributes or social mobilization capabilities.
The legal risk lies not in it "not looking enough like a large model company," but in the fact that it has been operating as a large model service provider without complying with provider regulations.
The second line is telecom business qualifications.
The platform has an account system, has top-ups, has API access, provides online services, handles data, and involves ongoing operations. Whether it’s merely standard ICP filing or if it requires obtaining an ICP license, whether it’s just an information service business or encounters EDI licensing due to top-up transactions, settlement, and other arrangements, must be assessed based on the platform's functions, transaction structures, charge objects, settlement methods, and service content.
But one thing can be established: Tokens are merely a pricing unit, not a legal classification tool. Switching from "paying in RMB for services" to "top-up to buy tokens and then consume them" does not change the essence of continuously providing internet services to domestic users.
So when the transit station interprets its business as "not an AI service, but a token limit," this defense is not solid legally. Regulatory authorities usually won't be swayed by the pricing packaging but will return to substance: what do users actually receive after paying? What exactly does the platform provide? What do the money flows and service flows correspond to in terms of operational behavior?
The third line is data security and personal information.
What users input into the AI could be contracts, code, client information, financial data, commercial secrets, and personal information. It passes through the transit station and flows to the overseas model.
Do users know? Did the platform clarify anything? Who retains the data? For how long? Will it be trained? Can it be deleted? If leaked, who is responsible? These are not merely product experience issues but rather personal information protection and data security issues.
According to personal information protection rules, personal information handling must have legitimate, appropriate, and necessary purposes, disclose handling rules, and take necessary measures to ensure safety; when providing personal information overseas, obligations for informing and obtaining individual consent must also be fulfilled, and depending on data type, quantity, subject identity, and context, it should be determined whether security assessments, standard contracts or certifications are necessary. The 2024 "Regulations on Promoting and Regulating Cross-Border Data Flows" eased some requirements for outbound mechanisms in certain contexts but did not exempt basic obligations for informing, individual consent, impact assessments, and security protections. Furthermore, the "Regulations for the Management of Network Data Security," effective from January 1, 2025, has detailed the security obligations for network data processing activities even more. As long as transit stations process user data within the territorial borders, they cannot treat their business as a "channel" without responsibility.
The biggest data compliance flaw for gray transit stations is that they often cannot clarify what data was forwarded and have no control over how the overseas recipients process that data.
The fourth line is criminal risk.
Criminal risks need to be approached more cautiously: not all administrative violations will directly turn into crimes, and not all AI transit stations will necessarily constitute criminal cases. Criminal law looks at specific behaviors, subjective intent, illegal gains, operational scale, harmful consequences, and the evidence chain.
But if interfaces come from cracking, scraping, circumventing technical measures, or illegally obtaining accounts or keys, they may encounter charges like illegally obtaining data from computer information systems or illegally controlling computer information systems; if there are further acts of deleting, modifying, adding, or interfering with system functionality, data, or applications causing serious consequences, it may further enter discussions about damaging computer information systems. If the transit station persistently organizes sales, even when aware of the anomalous interface sources, it may exacerbate the judgment of subjective malice.
If they violate national regulations, have not obtained legally required telecom or internet service licenses, and charge domestic users at a scaled level, disrupting relevant market order, reaching the threshold of "serious circumstances," they might enter the discussions around illegal business operations. Simply "not having official authorization" often corresponds more to breaches of contract, infringement, unfair competition, or computer crime clues, not directly jumping to illegal business operations. If the platform retains, resells, or illegally provides users' personal information, it might further touch on violations against citizens’ personal information.
This is why relevant incidents cannot simply be understood as "an upgraded version of platform account bans." Once a case enters criminal procedures, public security will not only look at platform service terms but also at interface sources, funding flows, user scales, illegal gains, data directions, and subjective awareness.
The most frightening aspect of AI transit stations is not "being banned by the platform," but rather one day when the knock on the door comes not from platform risk controls, but from law enforcement agencies.
Legal Conclusion: The illegality of the typical AI transit station stems not from a single isolated action, but rather a combination of "unauthorized interface sources + charging domestic public for generative AI services + lack of qualification filings + uncontrollable data cross-border transmission." Looking at any one of these alone may only pose administrative or civil risks, but when stacked to a certain scale, it may be processed by law enforcement on the whole chain.
7. In Closing: Don't Mistake Gray Fast Money for an Overseas Shortcut
What makes token coming into the sea so misleading is that it seems very close to AI token going overseas.
Both involve tokens, both have APIs, both have model calls, both have cross-border elements, both involve commercialization.
But the essence is completely different.
Compliance going overseas is selling domestic AI capabilities to overseas clients and then collecting the money back in compliance. It is difficult, but the struggle lies in building capability, designing structure, and completing procedures.
Gray entry into the sea is selling overseas model services via a detour to domestic users. It is fast, but quick because it skips authorization, skips filings, skips qualifications, skips data compliance.
What is saved is not cost but risk. Moreover, it is risk that accrues interest.
For companies genuinely aiming to commercialize AI tokens, what is worth betting on is not "how to sell overseas models back to the domestic market," but rather "how to sell their own AI services overseas."
The former profits off fast money for a while. The latter could potentially develop real business.
AI tokens can be a measurement tool for going overseas but should not be a gray ticket for coming into the sea.
This article serves as an observation on industry compliance, organized with reference to public reports and existing regulations and does not constitute legal advice aimed at any particular case; the specific facts of any case, crimes, and legal responsibilities should be ultimately determined by the competent authorities.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
