Leaked Anthropic API key — Claude access and the bill

Anthropic Claude API keys are scraped like OpenAI keys. The abuse pattern is similar — run inference until the spend cap trips — but Claude's higher per-token cost means a single leak can burn $5K in hours.

The next 60 seconds matter

The attacker runs Claude Opus / Sonnet inference (often to resell as their own commercial API) until your key's spend cap is hit. Average damage is higher than with OpenAI because the per-token cost of Opus is 5-10x that of GPT-4o.

  • Run Opus 4.7 inference at 15 dollars per million input tokens until the cap is hit
  • Access any Claude Artifacts / threads if the key has console scope
  • Query any fine-tuned behaviours attached to the workspace

Rotation playbook

  1. console.anthropic.com → API keys → Revoke the leaked key immediately
  2. Generate a new key; update every environment
  3. Review usage at console.anthropic.com/usage for spikes
  4. If there is a spike: open a support ticket — Anthropic honors fraud-reversal cases within 7 days

Prevent the next one

  • Server-side only — the browser never needs the Anthropic key
  • Set per-project spend limits in the console
  • Use GitHub push protection to block the pattern pre-commit

Pattern we scan for

sk-ant-api...
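
A local pre-commit check for the pattern above, as an added example that is not part of the original page. The `sk-ant-api` prefix comes from the page; the tail length and character set, the sample input and the function names are assumptions.

```python
import re
import sys

# Prefix taken from the page ("sk-ant-api..."). The page truncates the rest,
# so the tail (20 or more URL-safe characters) is an assumption.
KEY_RE = re.compile(r"sk-ant-api[A-Za-z0-9_\-]{20,}")


def redact(key):
    """Keep enough to identify the key in the console, hide the rest."""
    return key[:14] + "..." + key[-4:]


def scan_text(text, path="<stdin>"):
    """Return (path, line_no, redacted_key) for every candidate key in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((path, line_no, redact(match.group(0))))
    return findings


def scan_files(paths):
    """Scan each readable file; skip paths that are deleted or unreadable."""
    findings = []
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError:
            continue
    return findings


# Constructed sample: a fake key built by concatenation, a harmless line,
# and a documentation placeholder that must not be flagged.
FAKE = "sk-ant-api" + "EXAMPLE0" * 4
SAMPLE = (
    'ANTHROPIC_API_KEY="' + FAKE + '"\n'
    "MODEL=claude\n"
    'key = "sk-ant-api..."  # docs placeholder\n'
)

if __name__ == "__main__":
    hits = scan_files(sys.argv[1:])
    for path, line_no, key in hits:
        print(f"{path}:{line_no}: possible Anthropic API key {key}")
    sys.exit(1 if hits else 0)  # non-zero exit aborts the commit
```

Called from `.git/hooks/pre-commit` with the output of `git diff --cached --name-only --diff-filter=ACM` as arguments, it stops the commit locally before push protection is ever involved.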