The AI token black market: what's being sold, and why building on GeneXus leaves less to steal

Over the last few weeks the same story keeps surfacing: there's a black market for AI "tokens." It's not a metaphor — it's literal. Stolen API keys, compromised ChatGPT and Claude accounts, and "cheap" model access through shady proxies are bought and sold. The one who pays the bill is almost always the legitimate owner of the key — who finds out when a multi-thousand-dollar invoice lands. If you work with AI in your development, it's worth understanding what's being sold, and why.
This post isn't fear marketing. It's an honest explainer, with sources: what the token black market is, how it operates according to the past few weeks' reporting, and where the way you build on GeneXus — and how KBbridge adds AI — leaves less to steal.
What an AI "token" is, and why stealing it pays
To use an AI model for real — from your code, an app, an agent — you almost always authenticate with a portable secret: an API key, a session token, or the credentials of a paid account. That secret has two properties that make it gold to a thief:
- It's money, directly. Behind it sits paid compute. Whoever holds your key can run the model at your expense, with no cap, until someone cuts it off.
- It's trivial to move. A key is text. It's copied, resold, and plugged into another machine in seconds. There's nothing else to "hack": the key is enough.
So a market formed. A stolen key sells for as little as $15 to $30 on forums and Telegram channels — while the compute that thief (or their customer) racks up on the victim can top $46,000 per day. It's one of the most asymmetric businesses out there: pennies for the seller, a fortune for the one paying without knowing it.
How it operates, per the past few weeks' reporting
The recent coverage sketches a market with several legs. They're worth seeing, because each is a different door:
- Plugins and extensions that steal your key (the angle closest to us devs). In June 2026, 15 malicious plugins were found on the JetBrains marketplace, active since late October 2025 with new versions as recent as June 10. Two of them — "CodeGPT AI Assistant" and "DeepSeek AI Assist" — each had over 25,000 downloads. They worked exactly as advertised… but the API key you entered was exfiltrated to the attacker's server (in plaintext, over HTTP). The perverse part: some had a "paid tier" that redistributed stolen keys from other victims to their customers — taking money on one side, handing out someone else's credentials on the other, while the real owner paid the bill. In parallel, two browser extensions disguised as ad blockers (with 90,000 and 10,000 users) captured your conversations with ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI.
- LLMjacking: your key, your bill. Sysdig's team coined the term in 2024 for a pattern that's now everywhere: credentials are stolen (cloud or AI), wired into a reverse proxy, and access is resold to third parties. A 2026 Cloud Security Alliance report documented victim accounts generating $46,080 per day of inference, and attacks against top-tier models exceeding $100,000 a day. Credential theft aimed at AI services grew 376% between Q4 2025 and Q1 2026, with validated keys resold across Discord and Telegram communities.
- The grey-market resale via proxies. A lot was published about transfer stations — especially in China — selling Claude API access up to 90% below the official price. How do they sustain it? Stolen credentials, model substitution (you pay for the expensive model and get served a cheaper one behind the scenes), and above all harvesting your prompts and outputs to resell as training data. The cheap price you pay with your data.
- Stolen accounts in bulk. This isn't new: back in 2023, Group-IB found more than 100,000 devices infected with saved ChatGPT credentials, ready to be sold. Today there are dark-web shops offering GPT-4 and Claude keys starting at $15.
- And note: self-hosted isn't magic. Running your own model removes the remote key, but it brings its own responsibility. Roughly 175,000 Ollama instances were found exposed to the internet with no authentication at all, across more than 130 countries. A misconfigured local model is just another open door.
The underlying pattern repeats: a secret worth money + an easy way to steal it + someone who pays the bill without noticing.
Why it happens: the root of the problem
None of this is magic, and it helps to name the root so you don't fool yourself. The token black market leans on three things stacked together:
- Access collapses to a portable secret. If all your compute power lives behind a key that is "text you can copy," stealing it is stealing money. And keys leak from everywhere: phishing, infostealers, configs accidentally pushed to a repo, and — as we saw — tools you install yourself.
- You bring it in, by installing middlemen. This is the twin of the supply-chain problem we already covered with the npm worms: a huge number of AI tools ship as packages, plugins, or extensions that execute code and handle your key. Every middleman you add is one more hand your secret passes through.
- The bill belongs to someone else. Because the cost falls on the victim and not on the abuser, the incentive to steal is enormous and the brake is minimal. The damage is found late, after the money's spent.
None of the three is a "bug" you patch. It's how access to AI is wired when it depends on a remote secret and on middlemen you didn't choose.
What it means for you, and where KBbridge leaves less to steal
Here's the honest part. No software makes you immune, and if you connect a cloud LLM, that key still has to be protected (no tool changes that). What you can choose is how much surface you expose. KBbridge is designed to expose the minimum:
- The documentation engine is 100% offline. The local MCP server holds 46,750 chunks of GeneXus documentation indexed on your machine: no API keys, no outbound network traffic, nothing to steal in that component. The part you use most depends on no remote secret.
- You choose the LLM, including a self-hosted or air-gapped one. In that scenario there's no remote token to steal and nothing leaves your network — not the code, not the KB, not the prompts. (Just remember: if you run it locally, put authentication on it — recall those 175,000 open Ollama instances.)
- Your prompts don't flow through an opaque proxy that logs and resells them. The grey market's whole business is harvesting what you type. With KBbridge you choose who you talk to directly; there's no transfer station in the middle keeping your data.
- It doesn't force you to install middlemen that handle your key. With a simple prompt, connecting Claude to KB Editor, I built an MCP server in about 6 hours, generated directly in GeneXus, with no need for Node.js or Python. You extend your AI with GeneXus itself, not with self-executing third-party plugins that pass your secret through their hands.
- Plain text in Git = every change is auditable. If a tool ever tried to leak something, you'd see it in the diff, in review, like any other change. No opaque binaries, no invisible dependencies.
The underlying idea is the same as always — the one GeneXus has defended for 30 years: your knowledge, and your access, are yours, and they should stay yours in the age of AI.
The questions worth asking
If you're weighing how to add AI to your development — with any tool — these are the questions that matter more than any demo:
- Where does my key live, and how many hands touch it? Every plugin, extension, or proxy that handles it is one more door.
- Does the tool force me to install middlemen that execute code and handle my secret? With KBbridge, the docs engine is offline and you can generate your MCP servers in GeneXus.
- Do my prompts pass through an intermediary that could log or resell them? With KBbridge you pick the direct destination, or run everything locally.
- Can I cut access and rotate fast if something leaks? Scope your keys, set spend limits and billing alerts, and rotate often. KBbridge neither stores nor proxies your key.
- Can I audit every change? Yes: with Git, commit by commit, with author and diff.
Sources
So you can read it first-hand, not through our interpretation:
- The Hacker News — Malicious JetBrains Plugins Steal AI API Keys as Chrome Extensions Capture Chatbot Chats
- Aikido Security — Multiple JetBrains IDE plugins caught stealing AI keys
- Sysdig — LLMjacking: Stolen Cloud Credentials Used in New AI Attack
- Cloud Security Alliance — LLMjacking Evolved: Stolen AI Compute as Offensive Infrastructure
- Tom's Hardware — Chinese grey market sells Claude API access at 90% off through proxy networks that harvest user data
- CSO Online — Hottest selling product on the darknet: Hacked gen AI accounts
- Group-IB — Group-IB Discovers 100K+ Compromised ChatGPT Accounts on Dark Web Marketplaces
Want to see what working with AI on a GeneXus KB looks like while exposing the minimum? Watch the short videos on Getting Started, or try it free for 15 days, no card required, at kbbridge.com.