{"slug": "built-an-api-fraud-detector-after-getting-scammed-here-s-how-it-works", "title": "Built an API Fraud Detector After Getting Scammed — Here's How It Works", "summary": "The author was scammed by an API relay provider that substituted GPT-3.5 for GPT-4, inflated token counts, and injected hidden prompts. In response, they built API DNA, a free tool that performs quick and deep scans to detect API fraud through methods like behavioral fingerprinting, token auditing, and security header analysis. The tool has already uncovered cases of model substitution, token inflation of 2-3x, and hidden system prompts consuming extra tokens.", "body_md": "Last month, I paid for GPT-4 API access through a relay provider and got GPT-3.5 instead. The relay was charging premium prices while downgrading models. Token counts were inflated by 30-50%. And there was a hidden system prompt injected into every request.\nI got scammed. So I built API DNA — a free tool that detects API fraud in seconds.\nThe Problem: API Relays Are a Wild West\nThe AI API market has exploded with relay/proxy providers. Some are legitimate businesses. Others are not:\n• Model substitution: Selling GPT-4, serving GPT-3.5-turbo\n• Token inflation: Charging for 1000 tokens when only 600 were used\n• Hidden prompt injection: Secretly injecting system prompts that consume your token budget\n• Identity fraud: Claiming to be an official endpoint while routing through cheap proxies\nHow API DNA Works\nQuick Scan (3 seconds, no API key needed)\nEnter any API endpoint and get instant results:\nArchitecture Detection — Is it official, a legitimate relay, or an unknown proxy? We check IP/ASN records, response headers, server signatures, and error format fingerprints.\nModel Listing — We probe /v1/models and variant endpoints to see what models are actually available.\nSecurity Headers — CORS, HSTS, CSP analysis.\nPrice Audit — Compare the endpoint's pricing against official rates.\nDeep Scan (30 seconds, requires API key)\nThe full DNA test with your own credentials:\nBehavioral Fingerprinting — We send carefully crafted prompts that elicit unique behavioral signatures from different model families. GPT-4o responds differently from GPT-3.5, which responds differently from Claude, which responds differently from DeepSeek. These differences are structural, not just stylistic — they persist even when the model is told to impersonate another.\nRare Token Probing — Each tokenizer has unique rare tokens. By probing with multilingual, mathematical, and Unicode-heavy inputs, we can identify the underlying tokenizer family, which reveals the true model.\nToken Audit — We compare the token counts reported by the API against our own independent estimation. A discrepancy means someone is inflating your bill.\nSpeed Analysis — TTFT (Time to First Token), tokens per second, and chunk variance. Each model family has characteristic speed profiles.\nSecurity Audit — We test for hidden system prompt injection, context leakage between requests, tool call tampering, and identity consistency across probes.\nTrust Score — All checks are aggregated into an L0-L7 trust level with a detailed breakdown.\nReal Findings\nIn testing, we've found:\n• A \"GPT-4\" relay actually serving GPT-3.5-turbo (detected via behavioral fingerprinting)\n• Token inflation of 2-3x on popular relay services\n• Hidden system prompts consuming 50-200 tokens per request\n• Endpoints claiming official status but routing through 3rd-party proxies\nTry It Yourself\nAPI DNA is free to use, no signup required.\n• Quick Scan: Enter any API endpoint, get results in 3 seconds\n• Deep Scan: Provide your API key for full analysis in 30 seconds\nEvery scan generates a shareable report with a unique URL and downloadable PNG image.\nWhat's Next\n• Provider registry with verified endpoints\n• API for programmatic scanning\n• Continuous monitoring alerts\n• Browser extension for real-time verification\nIf you've ever used an API relay and wondered \"am I getting what I paid for?\", give it a try. I'd love to hear what you find.", "url": "https://wpnews.pro/news/built-an-api-fraud-detector-after-getting-scammed-here-s-how-it-works", "canonical_source": "https://dev.to/ti_pi_31869d13400cbe9e9a9/built-an-api-fraud-detector-after-getting-scammed-heres-how-it-works-406m", "published_at": "2026-05-20 03:08:22+00:00", "updated_at": "2026-05-20 03:34:36.714676+00:00", "lang": "en", "topics": ["cybersecurity", "artificial-intelligence", "developer-tools", "large-language-models", "cloud-computing"], "entities": ["GPT-4", "GPT-3.5", "API DNA", "OpenAI"], "alternates": {"html": "https://wpnews.pro/news/built-an-api-fraud-detector-after-getting-scammed-here-s-how-it-works", "markdown": "https://wpnews.pro/news/built-an-api-fraud-detector-after-getting-scammed-here-s-how-it-works.md", "text": "https://wpnews.pro/news/built-an-api-fraud-detector-after-getting-scammed-here-s-how-it-works.txt", "jsonld": "https://wpnews.pro/news/built-an-api-fraud-detector-after-getting-scammed-here-s-how-it-works.jsonld"}}