The Legal Status of Temporary SMS Relay Services in China
Aiding Criminal Activity, Grey Markets, and Legitimate Use

🚪 A developer's darkest hour: It's 6:30 a.m. on a Thursday. A team of officers from the local public security bureau arrives at the apartment of a 26-year-old developer named Li. They have a warrant. He is taken in for questioning — not for hacking, not for stealing data, but for the SMS relay API he built six months ago. "I only wrote code to receive text messages," Li tells the officers, his voice shaking. "How could that be a crime?" The answer to that question — where the boundary lies between a tool and a criminal instrument — is what this article is about. Technology itself is not guilty. But the distance between "innocent code" and "aiding information network criminal activity" is far shorter than most developers understand.

The legal framework: Article 287-2 of the Criminal Law

Article 287-2 of the PRC Criminal Law, the "Aiding Information Network Criminal Activity" offence — commonly known as Bang Xin Zui (帮信罪) — states:

Whoever, clearly knowing that another person is using an information network to commit a crime, provides internet access, server hosting, network storage, communication transmission, or other technical support, or provides advertising, payment settlement, or other assistance, where the circumstances are serious, shall be sentenced to fixed-term imprisonment of not more than three years, criminal detention, and/or a fine.

This offence has three core elements. All three must be satisfied for conviction — but what unsettles many developers is how broadly each element can be interpreted.

Element 1: Subjective knowing — "clearly knowing"

The law requires that the defendant "clearly knows" the recipient will use the help to commit a crime. In practice, this does not require the defendant to know the exact nature, time, or victim of the underlying crime. Courts apply a doctrine of "generalised knowing" (概括明知): if a reasonable person in the defendant's position should have known that the service would likely be used for crime, that is sufficient. According to the July 2025 Opinion jointly issued by the Supreme People's Court, Supreme People's Procuratorate, and Ministry of Public Security, "knowing" must be determined by examining the timing, manner, frequency, and tools of the assistance provided, whether the conduct violated prohibitive laws and regulations, whether the defendant evaded supervision or investigation, and the amount of illegal profit — all assessed against the defendant's cognitive capacity, professional background, and prior experience.[reference:0]

The 2025 Opinion further specifies three new circumstances that support a finding of knowing:

This is the critical point for developers: the first circumstance — "illegally providing platforms that offer bulk receipt and transmission of SMS verification codes" — directly captures the operational model of an SMS relay platform. If you built and operated such a platform, a court may find that you "knew" — even without direct evidence of your knowledge of a specific underlying fraud — based solely on the nature of the service you provided.

Element 2: Act of assistance

The act component covers providing "internet access, server hosting, network storage, communication transmission, or other technical support." An SMS relay platform — whether a website, API, or script — falls squarely within "communication transmission" and "technical support."[reference:2]

Element 3: Serious circumstances — the quantitative thresholds

The 2019 Judicial Interpretation and the 2025 Opinion establish the following "serious circumstances" thresholds relevant to SMS relay operations:

These numbers are startlingly low. Selling or renting 20 SIM cards crosses the criminal threshold. Earning just 10,000 RMB from an SMS relay operation over several months is enough. For many small-scale platform operators, these thresholds are reached quickly.

Case studies: the line between conviction and non-prosecution

🔴 Conviction Case 1: Guo Moulang and Li Mouming — "SMS Relay for Profit"

Facts: Between March 2024 and January 2025, Guo Moulang learned from an online contact that receiving SMS verification codes could generate income. He began purchasing phone cards online and receiving verification codes, helping others register QQ, Douyin, WeChat, and other accounts. He recruited Li Mouming as a downstream participant. In December 2024, a victim was defrauded of 2.167 million RMB through a fake gold-trading app whose customer-service system was registered using Li Mouming's real-name phone number — the very number he had provided for relay purposes.

Finding: The procuratorate determined that Guo and Li clearly knew others were using information networks to commit crimes, yet provided technical support with serious circumstances.[reference:5]

Sentence: Guo Moulang — 1 year and 3 months imprisonment; Li Mouming — 9 months imprisonment, plus fines for each.[reference:6]

Why convicted: Long-term operation (over 10 months), involvement of dozens of SIM cards, illegal profit exceeding 10,000 RMB (Guo's settlement amount exceeded 104,000 RMB), and direct connection to a 2.167 million RMB fraud case. Every statutory threshold for "serious circumstances" was crossed.[reference:7]

🔴 Conviction Case 2: Cai X and the Zhuji "Cat Pool" Syndicate

Facts: In 2025, Zhuji public security authorities uncovered a criminal syndicate led by Cai X that used the pretence of "door-to-door delivery of benefits" to trick elderly residents into providing their identity information for SIM card registration. The syndicate then used 7 "cat pool" devices to activate the cards in bulk, harvest verification codes, and sell them on overseas platforms — generating illegal profits exceeding 300,000 RMB. Under the Ministry of Public Security's unified command, 9 suspects were arrested and over 1,300 SIM cards seized.[reference:8]

Why convicted: Organised, large-scale operation involving fraudulently obtained SIM cards, specialised equipment (cat pool devices), cross-border conduct, and profits well above the 10,000 RMB threshold. Multiple aggravating factors aligned.

🔴 Conviction Case 3: Hong X — "I just wanted living expenses"

Facts: With no fixed residence or employment, Hong X began in October 2024 to accept tasks from QQ groups and apps, completing "SMS relay" and "real-name authentication" assignments for commission — 10 to 20 RMB per relay, 2 to 30 RMB per authentication. In January 2025, an account he had authenticated was used to redirect a victim into a fake stock-trading platform, resulting in a 910,000 RMB fraud loss. Hong X's total profit: just over 3,000 RMB.[reference:9]

Sentence: Arrested and approved for prosecution on charges of aiding information network criminal activity.[reference:10]

Why convicted: Even though his personal profit was modest (3,000 RMB), the downstream loss was enormous (910,000 RMB), satisfying the "serious circumstances" threshold. The court found he "clearly knew" the accounts were being used for criminal purposes based on the nature of the tasks and the communication context.[reference:11]

🟢 Non-Prosecution Case 1: Xia X — University Student "Tool Person"

Facts: In May 2024, Xia X, a recent high-school graduate about to enter university, encountered a fraud syndicate member on a video platform. He was taught "telephone bridging" techniques and, knowing others were committing telecom fraud, provided communication technical support to overseas fraudsters for illegal profit, enabling a fraud to succeed.[reference:12]

Non-prosecution reasoning: Upon review, the procuratorate identified multiple mitigating factors: the crime was relatively minor, Xia voluntarily surrendered, pleaded guilty and accepted punishment, acted as an accomplice rather than organiser, and was a current university student. Applying the "education first, punishment second" principle for students and minors, the procuratorate convened a public hearing and all hearing officers agreed on a conditional non-prosecution disposition.[reference:13]

Why not prosecuted: The 2025 Opinion explicitly provides that for minors and current students, where the circumstances are minor, non-prosecution or exemption from criminal punishment should generally be applied. This policy created space for prosecutorial discretion that was not available in the Guo Moulang case.[reference:14]

🟢 Non-Prosecution Case 2: Zeng X — "Borrowing Money, Not Committing Crime"

Facts: In July 2024, Zeng X, a man approaching 60, provided his bank card and cooperatively changed his bound phone number in an attempt to secure a loan. His bank account was subsequently linked to 13 fraud cases involving over 670,000 RMB in fraudulent funds. He was criminally detained.[reference:15]

Non-prosecution reasoning: The defence lawyer presented evidence that Zeng X had been exploited while attempting to obtain a legitimate loan, his subjective knowledge was ambiguous (he did not clearly understand the funds would be used for fraud), he was a first-time and occasional offender, he truthfully confessed, accepted punishment, and compensated victims to obtain their written forgiveness. The procuratorate determined that criminal punishment was not necessary and issued a non-prosecution decision.[reference:16]

Why not prosecuted: The critical variable was the finding that his subjective knowledge was ambiguous — he was genuinely seeking a loan, not knowingly assisting fraud. This contrasts sharply with Guo Moulang, who actively communicated with fraudsters about "how to make money from receiving codes."

The key variables: what separates conviction from non-prosecution?

Variable Conviction factors Non-prosecution factors
Source of phone numbers Illegally purchased, fraudulently obtained, or bulk-collected SIM cards Own SIM cards used for personal testing, no bulk acquisition
Degree of subjective knowledge Active communication with fraudsters; understanding of the criminal nature; awareness of evasion techniques Genuine belief in a legitimate purpose; ambiguous or no understanding of downstream crime
Downstream use Accounts used for fraud, money laundering, or other criminal activity No evidence of downstream crime, or defendant unaware of it
Profit motive and scale Organised profit-seeking; exceeding 10,000 RMB; operating as a business No profit or minimal incidental profit; personal use
Whether evading regulation Using technical means to bypass platform security; prepared counter-investigation scripts No evasion; open, transparent use
Defendant profile Career operator; repeat offender Student, first-time offender, elderly, showing remorse and compensation

The grey zones: three scenarios that confuse developers the most

Grey Zone 1: "I'm just using it to register alternate accounts for myself"

The scenario: A developer uses a public or paid SMS relay platform to receive verification codes for registering a few extra accounts — no resale, no profit, no serving third parties.

Analysis: This sits in the lighter grey zone. Without providing assistance to others, without profit, and without downstream criminality, the three elements of aiding criminal activity are not met. However, if the accounts registered are used for platform abuse, review manipulation, or other violations, separate legal risks arise under platform terms of service and the Cybersecurity Law. The practical risk is low for truly personal, small-scale use — but the moment you share the method or scale up, the calculus changes.

Grey Zone 2: "I'm a developer writing a script to run automated tests"

The scenario: A developer builds an SMS relay script using temporary numbers to test their application's registration flow during development. No commercial purpose; purely functional testing.

Analysis: This is the most commonly encountered grey zone. The distinction between "learning and research" and "providing tools" matters enormously. If the script is used only by the developer on their own project, with a limited number of test accounts, the risk of criminal liability is low. But if the script is published on GitHub, shared with colleagues, or — worse — sold, the behaviour shifts from "personal use" toward "providing technical support to others." If a downstream user of that script commits fraud, the original developer could face scrutiny. The safe approach: use licensed SMS service provider sandboxes for testing environments, not public relay platforms.

Grey Zone 3: "The company told me to run SMS relay tests"

The scenario: An employee is instructed by their employer to use or build an SMS relay system as part of product development or QA testing.

Analysis: This is a professional-compliance issue as much as a criminal one. The key question is: does the company have documented compliance procedures? The employee should insist on written authorisation that specifies the scope, purpose, and lawful basis of the SMS relay activity. If the company is using grey-market SIM cards or relay platforms to bypass platform verification policies at scale, both the company and the supervising employee could face liability. The 2025 Opinion specifically identifies telecom and internet industry practitioners who exploit their professional position to commit crimes as an aggravating factor warranting heavier punishment.[reference:17]

The risk spectrum: find your position

[WHITE] Using your own SIM card for testing ──→ Self-hosting with own SIM card ──→ Self-built gateway + company compliance testing (with written authorisation) │ [LIGHT GREY] Using paid relay platforms for personal projects (no bulk, no profit) ──→ Sharing a self-built gateway with colleagues (no fees charged) │ [DARK GREY] Long-term use of free relay platforms for bulk registration ──→ Providing relay services to others for payment ──→ Publicly selling relay scripts │ [BLACK] Providing relay services knowing the recipient is committing fraud ──→ Organising others into a relay operation chain ──→ Supplying relay channels to online fraudsters and paid influencers

The boundary between light grey and dark grey is the line most developers risk crossing without realising it — and it is crossed the moment the service is offered to others, monetised, or scaled beyond personal use.

The five-question self-assessment checklist for developers

Before writing a single line of SMS relay code, ask yourself:

  1. Where do the phone numbers come from? Are they SIM cards registered in your own name, purchased from licensed carriers? Or grey-market cards of unknown origin? The latter path leads toward the 20-card threshold fast.
  2. Who will use this service? Only you? Your team? Strangers on the internet? The broader the user base, the higher the probability that at least one user is committing fraud — and that probability translates into your criminal exposure.
  3. Am I charging money? Monetisation transforms the legal character of the activity. Once fees are charged, the "service provider" relationship is established, and the obligation to verify the legitimacy of users increases dramatically.
  4. Am I bypassing platform security measures? Does your tool circumvent CAPTCHAs, device fingerprinting, or rate limits? The more security measures you bypass, the stronger the inference that you "knew" the activity was improper.
  5. Do I have written authorisation and a compliance framework? If this is for work, is there a documented scope, purpose limitation, and data protection assessment? If not, you are personally exposed even if the task came from your manager.

How to satisfy technical curiosity — legally

Genuine technical interest in SMS protocols and telecommunication systems is valuable and legitimate. Here are the safe, legal paths to explore it:

  • Licensed SMS service sandboxes: Providers like Twilio, Alibaba Cloud SMS, and Tencent Cloud SMS offer developer sandboxes with test numbers and simulated delivery — no real SIM cards, no relay platforms, fully compliant.
  • SMPPSim: An open-source SMPP protocol simulator for testing SMS applications. It emulates the SMSC side of the protocol without touching a real network. This is the tool many professionals use to learn SMPP safely.
  • RFC documentation: Read the actual protocol specifications — SMPP v3.4, v5.0, SS7 MAP, GSM 03.40 — to understand the architecture without building operational systems.
  • Academic or authorised research environments: If hands-on experimentation is essential, do it within a university lab or a corporate research environment with explicit legal oversight and isolated networks.

For those who need to run SMS verification in a production testing environment, refer back to the self-hosted Docker-based SMS gateway approach covered earlier in this series — a solution that keeps the data and the SIM under your own legal identity and control, rather than relying on grey-market intermediaries.

The bottom line

"The code ran successfully" is not the same as "the law permitted you to run it." These are two entirely different tests, and passing the first does not excuse failing the second. The 2025 legislative and enforcement environment makes this clearer than ever: bulk SMS relay platforms are now explicitly identified as a basis for inferring criminal knowledge, the "serious circumstances" thresholds have been lowered and clarified, and enforcement coordination between prosecutors, police, and telecom regulators has tightened significantly. Yet the door is not closed on legitimate exploration — the law reserves its harshest penalties for organised, profit-driven operators and those who knowingly serve fraud, while carving out space for rehabilitation in cases involving students, first-time offenders, and those who acted without clear criminal intent.

“Technology is neutral. Your intent may even be neutral too. But the law judges not only what you built, but what a reasonable person in your position should have known it would become.
A single moment of technical curiosity should never become a permanent stain on your life.”