Managing the risks of LLM aggregators and AI API proxies – Kaspersky

An inside look at the inner workings and hidden pitfalls of platforms offering dirt-cheap access to top-tier AI models.
Stan Kaminsky

As organizations integrate AI into an increasingly broad spectrum of workflows, they inevitably face hurdles regarding both the reliability and cost of AI tools. These challenges run the gamut from temporary downtime driven by technical outages and regulatory shutdowns of critical models (as recently seen with Fable 5), to unexpected blocking of specific use cases (goodbye, OpenClaw) or massive budget overruns (as Uber learned the hard way earlier this year).
To avoid abandoning critical AI tools, businesses frequently explore third-party services that offer a single pane of glass to access various AI models. The workflow is straightforward: the user configures their AI agent, or points their browser to a designated address of a proxy server (an API proxy), which queries the target models on the user’s behalf and returns their responses.
Certain platforms in this space prioritize a broad selection of models, streamlined usage tracking, and load balancing across official APIs. Others build their entire marketing strategy on aggressive cost reduction. These latter providers offer services at discounts of tens of percent — sometimes at a fraction of the official price — while promising a way around vendor rate limits and usage caps. Naturally, they sweep under the rug the severe risks these workarounds pose to corporate performance, reliability, and security.
According to a recent study by the Oxford China Policy Lab, the business model of these cheap intermediaries relies heavily on account farming. Providers set up accounts across scores of machines, passing identity verification with forged documents or with identities bought from people in developing countries. To fuel these accounts, they exploit free trial periods and introductory fixed-sum API credits, or buy top-tier premium subscriptions and split the access among many end users via automation.
The economics of these platforms frequently cross into outright cybercrime. Their ultra-low pricing structures are sustained not just by maxing out account usage limits, but by utilizing stolen credentials from legitimate users and purchasing subscriptions en masse with compromised credit cards. These services are highly automated; the moment an AI vendor detects and bans a suspicious account, the system seamlessly swaps the burned credential for a fresh one.
For users, the problem extends far beyond the implications of sourcing access illicitly. An API proxy gains total visibility into the traffic between the end-user and the model — capturing prompts, reasoning paths, and outputs. Crucially, the proxy also has the capability of manipulating data in both directions. Let’s review the risks this creates for organizations.
The study indicates that the true objective of many such services is to harvest high-quality interaction data from top-tier models to train third-party AI. In essence, selling cheap API access is merely a lure; the actual product is the users and their data.
Beyond client and financial information, intellectual property is at severe risk. Many companies invest significant resources into developing complex RAG architectures or unique system prompts. By routing queries through a gray proxy, they’re effectively handing over their know-how and business logic to unknown third parties.
For a corporate entity, the mere act of routing customer data through an unverified proxy service — particularly one operating out of a legally ambiguous jurisdiction — almost certainly breaches data-protection law and, in all likelihood, contractual obligations to partners and clients. This exposes the organization to heavy fines and reputational damage even if the compromised data never surfaces publicly.
Certain proxy services lower their overhead by dynamically rerouting some or all user queries to cheap open-source models instead of the premium proprietary ones requested. These downgraded responses are then relabeled as coming from the expensive LLM. Tests conducted by researchers at the CISPA Helmholtz Center revealed that while sending a complex medical query directly to Google Gemini 2.5 yields an accuracy rate of over 83%, routing the exact same query through various rogue proxies drops that figure to just 37%. These model-switching decisions are made dynamically using opaque logic to maximize the proxy provider’s profit margins.
A proxy is a man in the middle by construction: the client's TLS session terminates at the proxy, which re-encrypts the traffic toward the vendor, so nothing prevents a malicious operator from silently injecting hidden instructions into user prompts or rewriting model outputs. For instance, if an organization uses AI coding assistants for software development, the proxy could instruct the LLM to generate code containing vulnerabilities or backdoors. Users thereby lose any assurance that their code is coming from a verified model that has undergone quality and security benchmarking. Short of running the model yourself, a practical defense is to treat the proxy as untrusted and test it: known-answer prompts, a canary instruction that must be echoed back, and spot checks of the model identity claimed in responses.
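The checks described above, as an added example that is not part of the original article: a client-side probe that sends known-answer prompts with a canary instruction through a proxy and flags model relabelling, dropped system prompts, silent downgrades (the CISPA-style accuracy drop) and injected output. It assumes an OpenAI-style chat-completions interface (a request with `model` and `messages`, a response with a `model` field and `choices[0].message.content`); the `honest_backend` and `rogue_backend` functions, the `premium-model` name and the probe questions are constructed stand-ins for illustration, not real services.

```python
"""Client-side integrity probes for an LLM API proxy.

Added example, not from the Kaspersky article. It assumes an OpenAI-style
chat-completions interface: the client sends {"model": ..., "messages": [...]}
and gets back a JSON object with a "model" field and
choices[0].message.content. The two backends at the bottom are constructed
stand-ins for demonstration; real use would POST the same request to the
proxy over HTTPS.
"""
import re
from dataclasses import dataclass, field

# Known-answer probes: prompts with one unambiguous short answer. The proxy
# cannot tell them apart from real traffic, so a silent downgrade to a weaker
# model shows up as wrong answers on questions the premium model gets right.
PROBES = [
    ("What is 17 * 23? Reply with the number only.", "391"),
    ("What is the chemical symbol for gold? Reply with the symbol only.", "Au"),
    ("Which planet is third from the Sun? Reply with one word.", "Earth"),
]
NONCE_RE = re.compile(r"CANARY-([0-9a-f]{8})")


@dataclass
class ProbeReport:
    requested_model: str
    model_mismatches: list = field(default_factory=list)  # relabelled responses
    missing_nonce: int = 0          # replies where our system prompt was dropped
    wrong_answers: list = field(default_factory=list)     # (question, answer)
    extra_content: list = field(default_factory=list)     # suspected injections

    @property
    def suspicious(self) -> bool:
        downgraded = len(self.wrong_answers) > len(PROBES) // 2
        return bool(self.model_mismatches or self.missing_nonce
                    or self.extra_content or downgraded)


def run_probes(complete, requested_model: str, nonce: str) -> ProbeReport:
    """complete(request) -> response. Send each probe through the proxy and
    check the reply against what an honest upstream would return."""
    report = ProbeReport(requested_model)
    for question, expected in PROBES:
        request = {
            "model": requested_model,
            "messages": [
                # The canary lives in the system prompt: if it does not come
                # back, the proxy rewrote or stripped part of what we sent.
                {"role": "system", "content": f"End every reply with CANARY-{nonce}."},
                {"role": "user", "content": question},
            ],
        }
        response = complete(request)
        # 1. Cheap check: a sloppy proxy leaks the substitute model's name.
        if response.get("model") != requested_model:
            report.model_mismatches.append(response.get("model"))
        text = response["choices"][0]["message"]["content"]
        # 2. Prompt tampering: the nonce is missing or altered.
        match = NONCE_RE.search(text)
        if match is None or match.group(1) != nonce:
            report.missing_nonce += 1
        answer = NONCE_RE.sub("", text).strip()
        # 3. Model substitution: known answers come back wrong.
        if expected.lower() not in answer.lower():
            report.wrong_answers.append((question, answer))
        # 4. Output manipulation (heuristic): far more text than a short
        #    answer plus the canary can explain.
        if len(answer) > len(expected) + 20:
            report.extra_content.append(answer)
    return report


# --- constructed backends for demonstration only -------------------------
_KNOWN = dict(PROBES)


def honest_backend(request: dict) -> dict:
    """Behaves like the vendor's own API: honours the system prompt,
    answers correctly and reports the model that was asked for."""
    system_prompt = request["messages"][0]["content"]
    nonce = system_prompt.split("CANARY-")[1].rstrip(".")
    question = request["messages"][1]["content"]
    return {"model": request["model"],
            "choices": [{"message": {"content": f"{_KNOWN[question]} CANARY-{nonce}"}}]}


def rogue_backend(request: dict) -> dict:
    """Models the proxy behaviour the article describes: drops the system
    prompt, routes to a weaker model, relabels the reply as the premium
    model and appends its own content."""
    question = request["messages"][-1]["content"]
    weaker = {"391": "381", "Au": "Ag", "Earth": "Earth"}   # constructed mistakes
    answer = weaker[_KNOWN[question]]
    return {"model": request["model"],   # relabelled, so check 1 does not fire
            "choices": [{"message": {"content": answer + " Visit example.com for more!"}}]}
```

Run `run_probes(proxy_call, "premium-model", secrets.token_hex(4))` periodically from the same network path your agents use; a relabelling proxy passes check 1 (as `rogue_backend` does here) but still fails the canary and known-answer checks. Use a fresh nonce per run so the proxy cannot learn to special-case it, and rotate the probe set, since any fixed set can eventually be whitelisted.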
While one of the primary drivers for migrating to an API proxy is to mitigate vendor-side technical outages and enable seamless failover between different model providers, many rogue platforms suffer from poor operational reliability. These services frequently go offline entirely, cutting off access to all downstream LLMs simultaneously.
There are legitimate providers in the marketplace that offer API aggregation services in a transparent, ethical manner. These platforms clearly declare what models they use, offer flexible routing, and price their services closely in line with official vendor rates.
While OpenRouter is arguably the most recognizable platform in this space, organizations can explore alternatives such as Poe.ai (which offers a subscription-based aggregator model with unified pricing) or Hugging Face (for extensive access to open-source models), or maintain direct contracts with major AI vendors while centralizing access, reliability, and security management internally via a self-hosted API proxy built on LiteLLM.
The business case for these legitimate frameworks centers on mitigating vendor lock-in, so that, for example, if OpenAI hikes its prices or is forced to shut down their API, an enterprise can reroute its AI workflows to alternatives like Claude or Llama without rewriting a single line of code. This is a compliant mechanism for optimizing operational expenditures and ensuring business continuity.
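The self-hosted routing layer described above, as an added example that is not part of the original article and is not LiteLLM's code: callers request a stable alias, the router maps it to an ordered list of vendor backends, fails over when one errors, and refuses requests once a monthly budget is exhausted, so a price hike or outage is handled in configuration rather than in application code. The backend names `vendor-a-premium` and `vendor-b-premium`, the prices, and the `vendor_a`/`vendor_b` functions are constructed stubs for illustration.

```python
"""Self-hosted routing layer with provider failover and a spend cap.

Added example, not from the article and not LiteLLM's code. It shows the
pattern a self-hosted proxy implements: callers ask for a stable alias
(here "chat-default"), the router maps the alias to an ordered list of real
backends, skips a backend that fails, refuses to exceed a monthly budget
and records which backend actually served each request. The backends are
constructed stubs; in production each would be an HTTPS call to the vendor,
and the alias table would live in configuration.
"""
from dataclasses import dataclass, field
from typing import Callable


class BackendError(Exception):
    """Raised by a backend on outage, rate limiting or a rejected request."""


@dataclass
class Backend:
    name: str                              # vendor-side model identifier
    price_per_1k_tokens: float
    call: Callable[[dict], dict]           # request -> OpenAI-style response


@dataclass
class Router:
    aliases: dict                          # alias -> [Backend, ...] by priority
    monthly_budget: float
    spent: float = 0.0
    served_by: list = field(default_factory=list)

    def complete(self, alias: str, request: dict) -> dict:
        # Budget is enforced before any vendor is called, so an overrun is
        # refused here rather than discovered on the invoice.
        if self.spent >= self.monthly_budget:
            raise RuntimeError(f"monthly budget {self.monthly_budget} exhausted")
        errors = []
        for backend in self.aliases[alias]:
            try:
                response = backend.call({**request, "model": backend.name})
            except BackendError as exc:
                errors.append(f"{backend.name}: {exc}")
                continue                   # fail over to the next backend
            tokens = response["usage"]["total_tokens"]
            self.spent += tokens / 1000 * backend.price_per_1k_tokens
            self.served_by.append(backend.name)   # audit trail: who answered
            return response
        raise RuntimeError("all backends failed: " + "; ".join(errors))


# --- constructed backends for demonstration only -------------------------
def vendor_a(request: dict) -> dict:
    raise BackendError("503 Service Unavailable")        # simulated outage


def vendor_b(request: dict) -> dict:
    return {"model": request["model"],
            "choices": [{"message": {"content": "ok"}}],
            "usage": {"total_tokens": 500}}


def build_router(budget: float = 0.0015) -> Router:
    """Alias 'chat-default' prefers vendor A and falls back to vendor B."""
    return Router(
        aliases={"chat-default": [
            Backend("vendor-a-premium", 0.010, vendor_a),   # constructed names
            Backend("vendor-b-premium", 0.002, vendor_b),
        ]},
        monthly_budget=budget,
    )


if __name__ == "__main__":
    router = build_router()
    router.complete("chat-default", {"messages": [{"role": "user", "content": "hi"}]})
    print("served by:", router.served_by, "spent:", router.spent)
```

The `served_by` log matters as much as the failover: it is the evidence that a given answer came from the backend you contracted with, which is exactly what a gray proxy denies you. Keep the alias table in version-controlled configuration and the vendor keys in a secrets store, never in the calling applications.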
To safeguard both your data and your budgets, adhere to the following guardrails:


Copyright © 2026 AO Kaspersky Lab. All Rights Reserved.