Terms of Service Risks and Litigation Cases from Using SMS Relay Platforms to Register Accounts
A Deep Legal Risk Analysis for Developers and Internet Practitioners

📎 Two parallel scenarios — one question:
🇺🇸 Scenario A — Northern District of California: You receive a federal summons. LinkedIn is suing you under the Computer Fraud and Abuse Act (CFAA) and for breach of its Terms of Service. The allegation: you created fake accounts using virtual numbers and scraped user data through an API called iScraper. Your defence — "I was just running a test" — is about to be tested against a plaintiff that has already won multiple CFAA cases.
🇨🇳 Scenario B — Shenzhen, China: Your technical co-founder is taken in by the public security bureau for questioning. The reason: the "automated testing tool" your team built has been classified as an SMS relay platform. The accusation: aiding information network criminal activity. Your co-founder's argument — "we only wrote code to receive verification codes" — is now being evaluated under a 2025 judicial opinion that explicitly lists "bulk receipt and transmission of SMS verification codes" as a basis for inferring criminal knowledge.

The question that links these two scenarios — separated by ten thousand kilometres and two entirely different legal systems — is the same: "I just wanted to use a virtual number to run a test. Could I really be sued or prosecuted for that?" The answer, as a growing stack of judgments and indictments demonstrates, is yes. And the distance between "innocent testing" and "criminal conduct" is far shorter than most developers understand.

The legal weight of "breach of Terms of Service" — two jurisdictions, two frameworks

China: When does a ToS violation become a crime?

Under Chinese law, a simple breach of a platform's user agreement — such as using a virtual number to register an account — is generally a civil breach. The platform may terminate the account, claim damages, or impose contractual penalties. It does not automatically trigger criminal liability.

However, the line shifts dramatically when additional elements are present. The 2025 Opinion jointly issued by the Supreme People's Court, Supreme People's Procuratorate, and Ministry of Public Security now explicitly identifies "illegally providing platforms that offer bulk receipt and transmission of SMS or voice verification codes" as a circumstance supporting a finding of "subjective knowing" — one of the three required elements for the crime of aiding information network criminal activity under Article 287-2 of the Criminal Law. When your ToS violation is combined with scale, profit, and assistance to others in bypassing real-name verification, the conduct slides from civil breach into the criminal domain.

United States: CFAA — the fierce debate over "breach of ToS equals crime"

The Computer Fraud and Abuse Act (18 U.S.C. § 1030) makes it a federal crime to "intentionally access a computer without authorization or exceed authorized access" and thereby obtain information. For over two decades, US federal appellate courts split on a critical question: does violating a click-wrap Terms of Service agreement — standing alone — constitute "unauthorized access" under the CFAA?

Van Buren v. United States (2021): The Supreme Court resolved the circuit split. In a 6-3 decision, it held that the CFAA's "exceeds authorized access" clause does not criminalise every violation of a computer-use policy. A person "exceeds authorized access" only when they access files or databases that are technically off-limits to them — not when they access information they are technically permitted to see but do so for an improper purpose.

This was a significant narrowing. But — and this is the critical caveat for virtual number users — the Van Buren Court explicitly declined to address the scenario where authorization is obtained through false pretenses or fraudulent identity. If you use a virtual number to create an account under a false identity, the question of whether you were ever "authorized" in the first place remains open — and multiple post-Van Buren civil cases have held that access gained through material misrepresentations can still trigger CFAA liability. Van Buren narrowed the door but did not close it. For anyone using virtual numbers to register on platforms at scale, the legal uncertainty persists.

Four landmark cases — and what they mean for your virtual number usage

Case 1 — China Criminal: The YiMa Platform Case Article 287-2

Facts: Zhang operated the "YiMa Platform", which provided unverified phone numbers and verification codes to underground actors. The platform held over 18.8 million phone numbers and connected to 48,850 verification code projects. Underground actors used these numbers to register app accounts, impersonate customer service representatives, and defraud victims — including Mr. Wang and others who lost nearly 5,000 RMB.

Judgment: Zhang and four co-defendants were convicted of aiding information network criminal activity. Sentences ranged from one year and eight months to seven months of imprisonment, with suspended sentences of three years to one year and four months, plus fines ranging from 200,000 RMB to 10,000 RMB.

Developer takeaway: This case draws a bright red line. When you operate an SMS relay platform whose primary value proposition is helping others bypass real-name verification, you are no longer a "neutral technology provider." You are a direct perpetrator of the aiding criminal activity offence. The 18.8 million numbers and 48,850 projects far exceeded the "serious circumstances" threshold — but even far smaller operations trigger scrutiny once the elements of scale, profit, and assistance to others are met.

Case 2 — China Civil: Bilibili v. Cixi Company Unfair Competition · 800,000 RMB

Facts: A Cixi-based company sold gaming accounts and provided virtual phone numbers and SMS relay platform access, enabling buyers to bypass Bilibili's real-name authentication and anti-addiction systems. Some product listings showed over 500,000 combined purchases. Bilibili sued for unfair competition.

Judgment (2026): The court held that the defendant's conduct violated "recognised commercial ethics" — specifically, the norms of account real-name registration, the prohibition on account trading, and the obligation to protect minors through anti-addiction measures. The court awarded 800,000 RMB in damages.

Developer takeaway: This is the first Chinese case in which a platform secured substantial civil damages against a party for providing SMS relay services to circumvent real-name authentication. It establishes a precedent that is not limited to criminal enforcement. A platform whose ToS you violate can sue you directly — and win large judgments — without waiting for a criminal prosecution. For any developer building a business that involves virtual numbers, this civil risk is as real as the criminal one. An 800,000 RMB judgment is a company-ending event for most small operations.

Case 3 — United States: LinkedIn v. ProAPIs CFAA + ToS · 2025

Facts: ProAPIs and its founder allegedly created over one million fake LinkedIn accounts, using an internal tool called iScraper API to bulk-scrape user data. They charged clients up to $15,000 per month for access to the scraped data. To bypass LinkedIn's anti-scraping restrictions, the defendants used invalid credit cards to register Premium accounts — a clear combination of false identity and technical circumvention. LinkedIn filed a federal lawsuit under the CFAA and for breach of its Terms of Service.

Key allegations in the complaint: The use of false identities (virtual numbers, fake names, invalid payment instruments) to create accounts constituted access "without authorization" under the CFAA. Even after Van Buren, LinkedIn argued, access obtained through material misrepresentations — rather than merely improper purpose — remains actionable. The complaint also emphasised the scale (one million accounts) and the commercial profit motive, both factors that courts weigh heavily in CFAA and contract claims.

Developer takeaway: The LinkedIn complaint articulates a legal theory that directly targets virtual number usage at scale. The chain of reasoning is: virtual numbers → false identity → materially fraudulent registration → access without valid authorization → CFAA violation. This is not merely a contractual dispute over terms of service. It is a federal claim that carries the possibility of punitive damages and permanent injunctive relief. For any team with US market exposure, this case is a direct warning: platforms are now willing to litigate, not just terminate accounts.

Case 4 — Facebook v. Power Ventures: The "Dual Authorization" Doctrine 9th Cir. · Penetrating Virtual Numbers

Facts and holding: Power Ventures aggregated social media content from multiple platforms, including Facebook. It accessed Facebook's servers using its users' credentials — with the users' permission. Facebook sent a cease-and-desist letter. Power Ventures continued accessing. The Ninth Circuit held that Power Ventures violated the CFAA. The critical principle established: accessing a platform's computer system requires authorization from the platform itself — not merely from the end user whose credentials are used. This is the "dual authorization" doctrine.

Penetration logic for virtual number scenarios: The application of this doctrine to SMS relay platforms is direct and devastating. When you use a virtual number from a relay platform to register an account on Service X, you might argue you have "authorization" from the number's temporary holder. But — applying Facebook v. Power Ventures — do you have authorization from Service X? If Service X's Terms of Service explicitly prohibit registration using virtual, temporary, or relay numbers — as most platforms' ToS now do — then you do not. Your access is unauthorized within the meaning of the CFAA. And if Service X sends you a cease-and-desist letter and you continue — as Power Ventures did — your civil exposure converts into a strong case for knowing, intentional violation.

🔎 Important Distinction: hiQ Labs v. LinkedIn (9th Cir. 2022) — the public data carve-out

Developers sometimes cite hiQ v. LinkedIn as a counter-example — a case where scraping was permitted. The distinction is crucial. The Ninth Circuit held that hiQ could scrape publicly accessible LinkedIn profiles without CFAA liability because no password, account, or authentication was required to access them. Public data — no access barrier — no CFAA violation. This has no application to virtual number registration. Creating an account with a virtual number is not accessing public data. It is affirmatively using a false identity to pass an authentication gate that was designed to prevent the very access you are attempting. hiQ is not a safe harbour for virtual number registration; it is a case about a completely different factual scenario — one that does not involve fake identities, passwords, or authentication at all.

Comparative legal risk matrix — China vs. United States

Scenario China Law United States Law (CFAA / ToS)
Pure ToS breach (virtual number registration, no scale, no profit) Civil breach — account termination, possible contractual damages Post-Van Buren, generally not criminal; civil breach risk remains; but false identity argument untested
ToS breach + scale (bulk registration, persistent operation) May trigger aiding criminal activity offence or illegal data acquisition; 2025 Opinion explicitly covers bulk relay platforms "Unauthorized access" + "profit" elements satisfied → simultaneous civil and criminal exposure
ToS breach + helping minors bypass real-name / anti-addiction systems Unfair competition — substantial civil damages (Bilibili precedent: 800,000 RMB); mandatory protection duty violation Potential COPPA aggravating factors; FTC enforcement interest in child-protection violations
ToS breach + circumvention of technical access barriers May constitute illegal acquisition of computer system data Clearly triggers CFAA — Van Buren does not protect technical circumvention
Pure personal, non-scaled, non-commercial testing Risk very low — no profit, no scale, no social harm Low risk but not zero — depends on platform's willingness to pursue civil breach

Risk spectrum: from safe to criminal

[SAFE] Using your own real-name SIM to test your own app │ [LOW RISK] Using a paid, exclusive virtual number to test your own project (no scale, no profit, no circumvention of access controls) │ [GREY WARNING] Writing a script that uses relay numbers and sharing it with colleagues (no fee, but expanded user base) │ [HIGH RISK] Long-term use of public free relay numbers, bulk registration, offering number services to others for payment │ [RED LINE] Knowingly providing bulk virtual numbers to others committing fraud → Organising SIM card suppliers / number merchants into a supply chain

The four core variables that determine which zone you're in:

  1. Degree of scale — personal and ad hoc, or systematic and organised?
  2. Profit motive — no financial gain, incidental cost recovery, or business revenue?
  3. Assistance to others in bypassing real-name / security controls — absent, incidental, or the core value proposition?
  4. Legitimacy of number source — self-purchased carrier SIMs, licensed VoIP numbers, or grey-market cards of unknown provenance?

The "Six Questions" compliance self-assessment for developers

📝 Before you write a single line of virtual-number-related code, answer these:

# Question High-risk red flag
Am I registering on my own test environment, or on someone else's platform? If it's someone else's platform and violates their ToS, the foundation for civil liability is already laid
Is my conduct personal and one-time, or is it scaled and continuously operated? Scale is the most important driver of criminal investigation — it transforms isolated acts into an operational pattern
Am I profiting from the use of virtual numbers — directly or indirectly? Profit motive changes the legal characterisation of the conduct across both Chinese and US law
Does my service help anyone bypass real-name authentication, anti-addiction measures, or security controls? This is a dual accelerator for both civil and criminal exposure — in China, the 2025 Opinion and Bilibili precedent make this explicit
Are my virtual numbers from a legitimate source — self-purchased carrier SIMs — or from purchased third-party real-name cards? Illegitimate number sourcing collapses the entire defence — in both jurisdictions, it independently constitutes an offence
If I receive a cease-and-desist letter from a platform, will I stop immediately? Continuing after formal notice converts negligence into intentionality — devastating to any defence, and an independent CFAA factor under Facebook v. Power Ventures

Conclusion: the honest path forward

For teams with US market exposure, the CFAA is a real sword — not a theoretical one. The LinkedIn v. ProAPIs complaint demonstrates that platforms are now willing to litigate, and the post-Van Buren legal landscape, while narrowed, still provides viable theories of liability for access obtained through materially false identities at scale.

For developers and startups in China, the risk has expanded from a purely criminal threshold to include substantial civil exposure. The Bilibili judgment — 800,000 RMB in damages — is an unmistakable judicial signal that providing virtual numbers to circumvent platform authentication systems is a losing business model, even without a criminal prosecution.

The most honest and sustainable strategy is also the simplest: don't use virtual numbers to bypass someone else's authentication system. Channel your technical curiosity about SMPP protocols, telecom infrastructure, and messaging systems into legally acquired, self-controlled number resources. Build on your own SIM cards, your own carrier accounts, your own licensed VoIP endpoints. The technical architecture — covered in this series' earlier pieces on self-hosted Docker SMS gateways and zero-trust OTP proxies — works just as well when the numbers are lawfully yours.

“The same technical skills that build a relay platform can build a compliant messaging system. The difference between the two is not a line of code. It's a choice about whose rules you respect and whose liability you absorb.
If you need a deeper understanding of the aiding criminal activity offence boundaries, revisit this series' article on the legal status of temporary SMS relay services in China. If you want to build a lawful SMS gateway, the Docker self-hosting guide has the full architecture. Tools are neutral. Your compliance posture is not.”