Skip to content
AIEnterpriseJapanInfrastructureStrategyCross-Border Business

Cheap Intelligence Cuts Both Ways: Chinese Models Now Carry 46% of US Enterprise Tokens, AI Just Ran a Ransomware Attack Alone, and Japan Is Paying ¥1 Trillion Not to Depend on Anyone

Medusa Japan
12 min read
Share

Key Takeaways

  1. 1Chinese-origin models have held at least 30% of US-originating enterprise token traffic on OpenRouter every week since February 8, 2026, peaking at 46% — up from 4.5% in the first half of 2025. In one February week they accounted for 61% of consumption among the platform's ten most-used models.
  2. 2The driver is price, not politics. Open Chinese models run 60–90% cheaper: DeepSeek V4 Flash costs $0.09 per million input tokens against $5.00 for GPT-5.5, while Zhipu's GLM 5.2 scores 74.4 on FrontierSWE versus Claude Opus 4.8's 75.1. When quality is within a point and output is thirty times cheaper, commodity workloads migrate on their own.
  3. 3The same price collapse armed the attacker. Sysdig's JADEPUFFER is the first documented end-to-end agentic ransomware operation: an LLM agent chained reconnaissance, credential theft, lateral movement, persistence, and encryption on its own, recovering from a failed login in 31 seconds. As Sysdig put it, the skill floor for ransomware has dropped to whatever it costs to run an agent.
  4. 4Japan is buying an escape hatch. On June 30, 2026, NEDO selected Noetra — SoftBank, Sony, NEC, Honda and AIST — for ¥387.3 billion ($2.4B) this fiscal year and roughly ¥1 trillion ($6.1B) over five. Its president's stated rationale is not national pride but confidentiality and business-continuity risk from foreign LLM dependence.
  5. 5You already have a model supply chain; the question is whether you manage it. Most firms cannot say which models served their traffic last month, under which jurisdiction, with what retention terms. A price-routing gateway is an unmanaged dependency — and JADEPUFFER harvested OpenAI, Anthropic, DeepSeek and Gemini credentials, which makes your API keys crown jewels, not config.

The 46% Number: Cost Gravity Has Already Rewired Your Model Supply Chain

On July 7, 2026, CNBC published an investigation into where American enterprise AI traffic actually goes. The finding is more striking than the headline: every single week since February 8, 2026, models of Chinese origin have accounted for at least 30% of US-originating token volume on OpenRouter, one of the largest neutral routing layers in the industry. The weekly peak reached 46%. For context, that share was 4.5% in the first half of 2025 and averaged 11% over the preceding twelve months. During one week in February, Chinese models represented 61% of all token consumption among the platform's ten most-used models.

The mechanism is not ideological. It is arithmetic. OpenRouter's Justin Summerville puts the gap plainly: open Chinese models run 60% to 90% cheaper than the leading Western offerings. DeepSeek V4 Flash charges $0.09 per million input tokens and $0.18 per million output. GPT-5.5 charges $5.00 and $30.00. Claude Opus 4.8 charges $5.00 and $25.00. Meanwhile the quality argument has quietly eroded: Zhipu's GLM 5.2 scores 74.4 on FrontierSWE against Opus 4.8's 75.1, and 76.8 on MCP-Atlas against 77.8. That is a gap of roughly one point. When a model is within one point on the benchmark and thirty times cheaper on output, the routing decision makes itself — especially for code generation, which grew from 11% of OpenRouter traffic in early 2025 to more than half by mid-2026, and which is the single most token-hungry, most price-sensitive workload in the enterprise.

Here is the part worth sitting with. No board approved this. There was never a meeting where a Fortune 500 CTO stood up and proposed adopting Chinese AI. What happened instead is that thousands of engineers configured thousands of gateways to route each request to the cheapest model that clears an evaluation threshold, and the aggregate of those small, individually reasonable decisions relocated a plurality of American enterprise inference onto infrastructure trained in another jurisdiction. DeepSeek alone now routes 17.6% of OpenRouter's tokens — 5.13 trillion per week — with Alibaba's Qwen at 13.9% and 2.77 trillion. This is how supply chains actually move: not by decision, but by default. Palantir's Alex Karp has been arguing that the pay-per-token model is fundamentally broken because enterprises want control rather than metered dependency. The 46% number is what happens when they don't get it.

JADEPUFFER: The Same Price Collapse Armed the Other Side

On July 1, 2026, Sysdig's threat research team published its analysis of JADEPUFFER — by their account, the first documented ransomware campaign executed end to end by an AI agent. The distinction matters. This was not AI-assisted intrusion, where a human operator asks a chatbot for a script. Sysdig classifies JADEPUFFER as an agentic threat actor: an operator whose entire attack capability is delivered by the agent rather than by a human toolkit. The agent gained initial access through an internet-facing Langflow instance via CVE-2025-3248, an unauthenticated remote code execution flaw, and from there conducted reconnaissance, harvested credentials, moved laterally, established persistence, escalated privileges, and encrypted the target's production database.

The operational details are what should worry a security team. The agent pivoted through a Nacos authentication bypass using CVE-2021-29441 — a vulnerability years old. It enumerated MinIO storage buckets using the default credentials minioadmin:minioadmin. It installed a crontab beacon calling home to 45.131.66[.]106:4444 every thirty minutes. When one of its logins failed, thirty-one seconds elapsed between the failure and a working multi-step corrective payload that diagnosed and fixed a subprocess PATH problem — the kind of adaptive recovery that used to be the defining signature of a competent human intruder. It then encrypted all 1,342 Nacos configuration items using MySQL's AES_ENCRYPT() with an ephemeral key, deleted the originals, and wrote a README_RANSOM table containing a Bitcoin address and a Proton Mail contact. Notably, among the credentials it harvested were API keys for OpenAI, Anthropic, DeepSeek, and Gemini. The attacker was shopping the same model supply chain as the victim.

Sysdig's own summary is the sentence to carry into your next security review: the skill floor for running ransomware has dropped to whatever it costs to run an agent. Read that against the previous section and the symmetry becomes uncomfortable. The 60-to-90-percent price collapse that let a lean startup afford production-scale inference is the same price collapse that let an operator with no deep expertise in any single stage of the kill chain rent a competent intruder by the hour. Cheap intelligence is not a business trend that happens to your industry. It is an ambient condition that changes the cost structure of every activity, including the ones aimed at you. There is one consolation, and it is a real one: agents narrate themselves. Sysdig notes that self-narrating payloads are a genuine detection opportunity, because an agent reasoning aloud in its own execution logs leaves evidence a human operator never would. And note what actually let it in — an unpatched developer tool and a default password, not a zero-day. The defensive advice is boring and it works: patch Langflow, harden Nacos, strip provider credentials out of application environments, IP-restrict database admin access, and enforce egress controls.

Japan's Answer: ¥1 Trillion to Not Depend on Anyone Else's Model

On June 30, 2026, Economy Minister Ryosei Akazawa announced that NEDO had selected Noetra to build Japan's national AI foundation model. The consortium's founding members are SoftBank Corp., Sony, NEC, and Honda, partnered with the National Institute of Advanced Industrial Science and Technology, with roughly forty additional companies targeted across manufacturing, autos, electronics, logistics, telecom, IT, and finance. The funding is ¥387.3 billion — about $2.4 billion — in this fiscal year alone, and roughly ¥1 trillion, or $6.1 billion, over five years. The model is explicitly multimodal, built to fuse data, images, video, audio, and physical properties for recognition and reasoning in robotics and physical AI. Its target deployments are unglamorous and specific: eldercare, disaster response, factory floors, and the decommissioning of Fukushima Daiichi. It sits inside a wider frame of ten million AI-equipped robots by 2040 and ¥10.5 trillion of public-private AI investment, and it arrives the same week Micron broke ground on a ¥1.5 trillion ($9.3 billion) expansion of its Hiroshima plant to produce high-bandwidth memory.

The rationale offered by Noetra's president, Hironobu Tanba, deserves to be read as written rather than filed under nationalism. Dependence on overseas LLMs, he said, carries concerns of confidential information transfer and serious business continuity risks. Those are not slogans. They are the two classic categories of procurement risk — confidentiality and continuity — applied to a component that most companies do not yet think of as a component. Read alongside CNBC's 46% figure, Tanba's sentence stops sounding defensive and starts sounding like the only board-level articulation of the problem anyone has offered this year.

Be clear-eyed about what Japan is and is not buying. It is not buying a frontier lab. ¥1 trillion over five years is on the order of a single quarter of one American hyperscaler's capital expenditure; Noetra will not top a general benchmark leaderboard and does not need to. What it buys is an option: a domestic model that is good enough for the class of workloads that can never leave the country — a robot decommissioning a damaged reactor, a megabank's internal ledger, a hospital's patient records, a defense supplier's drawings. Sovereignty at this budget purchases sufficiency, not supremacy, and sufficiency is the right target. The contrast with the West is the whole point of this article. American enterprises drifted onto foreign inference infrastructure by accumulating cheap defaults; Japan is spending six billion dollars to make sure the drift has a floor. One of those is a strategy. The other is a routing table.

What This Means for Cross-Border Operators

Start by treating the model layer as a supply chain with a bill of materials. Most companies cannot currently answer four basic questions: which models served our traffic last month, at what share, under which jurisdiction, and with what data-retention terms? If your gateway routes on price, you have an unmanaged dependency, and its composition changes every time a vendor cuts a promotional rate. The remedy is not a ban. It is an inventory followed by a tiering policy: commodity workloads — drafting, classification, bulk translation, internal summarization — route to the cheapest model that passes your evaluations, and the savings are real and worth taking. Regulated, confidential, or customer-identifying workloads pin to named models under contractual terms you have actually read. The point is never 'avoid Chinese models.' The point is knowing which model saw which data.

Second, promote your AI credentials to crown-jewel status. JADEPUFFER harvested API keys for four major model providers alongside cloud platform credentials and cryptocurrency wallets, and that ordering is not accidental — an inference key is now simultaneously a weapon, a data-exfiltration channel, and an uncapped billing liability. Vault them, scope them to the narrowest possible permission, rotate them on a schedule, and never let them sit in an application environment where a remote code execution bug in an unpatched developer tool can read them off the process. That is precisely the path the agent walked.

For companies operating between Japan and Europe, this is a compliance seam and not merely an engineering one. The EU AI Act's transparency and general-purpose-AI obligations, Japan's APPI rules on cross-border personal data transfer, and a routing layer that quietly dispatches a customer record to whichever inference endpoint was cheapest at three in the morning do not coexist comfortably. This is the work we do with clients at Medusa Japan: building the model bill of materials, writing jurisdictional routing rules that a compliance officer can defend, and designing localization pipelines where a cheap model does the first pass at volume while a pinned model and a human native speaker do the pass that actually reaches the customer. Cheap intelligence is a genuine gift — it has made things possible for small teams that were unaffordable two years ago. Ungoverned cheap intelligence is a liability, and this month it acquired a Proton Mail address.

Frequently Asked Questions

Should we stop using Chinese-origin AI models?

A blanket ban is the wrong instrument, and for most companies it would simply raise costs without reducing risk. The correct move is classification. Sort your workloads by data sensitivity and regulatory exposure. Drafting, classification, internal summarization, and bulk translation are commodity work where a 60–90% cost reduction is a genuine competitive advantage and the sensitivity is low. Anything touching personal data, regulated records, trade secrets, or customer-identifying information should be pinned to a named model under contractual terms you have read, in a jurisdiction you can defend to a regulator. The failure mode is not using a Chinese model. The failure mode is not knowing that you are.

Does JADEPUFFER mean AI-driven attacks are unstoppable?

No, and the details argue the opposite. The agent did not discover a zero-day. It walked in through an internet-facing Langflow instance with an unpatched remote code execution flaw, pivoted using a Nacos vulnerability disclosed years earlier, and enumerated storage buckets protected by the default credentials minioadmin:minioadmin. Every step of that entry sequence is closed by ordinary hygiene: patch management, credential rotation, removing default passwords, IP-restricting database administration, and enforcing egress controls. What changed is throughput, not sophistication — the agent recovered from a failed login in 31 seconds, so your detection and response windows compress. Sysdig also identifies a defender's advantage worth exploiting: agents narrate their own reasoning in execution logs, which gives you a detection signal a careful human intruder would never leave behind.

Is Japan's Noetra a realistic competitor to OpenAI or Anthropic?

No, and it is not trying to be — which is the most commonly missed point about sovereign AI programs. Roughly ¥1 trillion over five years is on the order of a single quarter of one American hyperscaler's capital expenditure. Noetra will not lead a general benchmark leaderboard. Its mandate is narrower and more defensible: a multimodal model tuned for robotics and physical AI, serving workloads that genuinely cannot leave Japanese soil — Fukushima Daiichi decommissioning, eldercare, disaster response, factory floors, and the confidential systems of banks and hospitals. Measured against 'beat GPT-5.5,' it will look like a poor investment. Measured against 'guarantee we can still operate if a foreign provider changes its terms, raises its price, or is cut off,' it is insurance with a clear premium and a clear payout.

What is the single first step for a company that has never thought about this?

Build a model bill of materials, and give yourself two weeks to do it. Pull the logs from every AI gateway, SDK, and third-party SaaS feature in your stack, and produce a single table: model name, provider, country of origin, share of your monthly tokens, the data classes it processed, and the retention terms in its contract. Most teams find at least one surprise — an embedded vendor feature quietly routing customer text to a model nobody in the company chose. Everything else follows from that table: the tiering policy, the credential vaulting, the jurisdictional routing rules, and the conversation you will eventually need to have with your regulator or your largest customer. You cannot govern a supply chain you have never inventoried, and at Medusa Japan this inventory is the first thing we build with cross-border clients.

Ready to Transform Your Brand?

Medusa Japan combines AI innovation with Japanese design principles to create extraordinary digital experiences.

Get in Touch

How ready is your business for Japan?

Take our free 5-category scorecard and get a personalized readiness report.

Take the Scorecard
Medusa Japan

Medusa Japan

Medusa Japan is a creative agency and AI product studio based in Osaka, specializing in cross-border business strategy between Japan and global markets.

Related Articles

AITechnology

Data Centers in Orbit, Factories on the Moon: Why Betting Against SpaceX and xAI's Space-Compute Plan Is the Easy Wrong Call of 2026

In 2026 SpaceX absorbed xAI, filed to launch up to a million satellites, and unveiled the AI-1 — an orbital data center that draws roughly the power of a single NVIDIA rack and spans wider than a Boeing 747. The plan stacks higher from there: a one-terawatt-per-year chip foundry called Terafab to feed every project, a Gigasat factory targeting a gigawatt of orbital compute a year by late 2027, and a manufacturing base on the Moon that flings finished satellites to space with an electromagnetic catapult. LinkedIn thought leaders and YouTube explainers have already declared the whole thing impossible — the same verdict the same crowd reached on reusable rockets, on Starlink, and on electric cars. Here is the case for why the serious objections are about timeline and economics, not physics, and why dismissing the company that launched two-thirds of all active satellites is the easiest wrong call a decision-maker can make.

AIAgentic AI

The Agentic Gap: Why Enterprises Adopt AI Agents but Can't Ship Them — and What Japan's Pragmatic Robots Teach About Closing It

In 2026 almost everyone has an AI agent pilot, and almost no one has agents in production. Surveys put adoption near 79% while only about 11% of organizations actually run agents at scale — a gap that defines the year. The bottleneck is not model quality; it is deployment, governance, and trust. This week's launches — Itential's agents acting on live networks with no irreversible change allowed, Google's Gemma 4 agentic models, MiniMax's far cheaper long-context M3, and Anthropic's vulnerability-hunting Project Glasswing — share one new theme: brakes are now a feature. Meanwhile Japan offers a quietly working counter-model. Faced with an unavoidable labor shortage, it deploys AI — especially physical AI — against a concrete bottleneck, in a bounded role, with humans still managing: Japan Airlines is trialing humanoids at Haneda, a third of Japanese firms are using or weighing robots, and METI wants 30% of the global physical-AI market by 2040. The lesson for cross-border decision-makers is simple and uncomfortable: stop chasing autonomy as a headline and start deploying it against a real problem, with bounded scope and governance from day one.