3
GitHub permanently banned my account for using Actions to validate VPN nodes
I'm a 20-year-old veterinary student from Russia developing anti-censorship tools. On March 17, 2026, GitHub permanently suspended my account citing Terms of Service violations related to GitHub Actions.
THE PROJECT
Raccoon Squad VPN — an Android VPN client based on Xray-core with DPI bypass for Russian users. Supports VLESS, VMess, Trojan, Shadowsocks, Hysteria2, TUIC. Built entirely with AI assistance over several months.
Source: https://gitlab.com/shray77/rsquad
WHAT THE ACTIONS DID
I had repositories that aggregated and validated free VPN nodes from public sources:
- hpp: Python scraper — fetched node lists, filtered by SNI for VLESS XTLS, validated format, TCP ping. Every 6 hours, ~30 min runtime.
- node-filter: Go L7 checker — connected via Xray, verified handshake, downloaded 2MB test file, measured speed. Every 1 hour, ~30 min runtime.
- loshad-scoc: Scout for new sources — 50+ GitHub dork queries, 15 PAT tokens with rotation, HuggingFace API validation.
- zhopa-bobra: SNI popularity analyzer.
Key facts: No mining, no password cracking, no heavy computation. Nodes from public raw.githubusercontent.com lists. Standard CI/CD validation for network software. ~1 hour Actions runtime per day total.
TIMELINE
Feb 26: Suspended for "suspected compromise" — restored. Feb 27: Suspended for "spam flag" — restored. Feb 27: Suspended for repository rsquad — asked to make private. Feb 27: Suspended for raccoon-release — COULD NOT COMPLY: locked out. Mar 2: GitHub demanded I delete repos. I still couldn't log in. Mar 17: Filed formal legal appeal (7 pages), CC'd legal@github.com. Mar 17: ~70 minutes later — permanent ban.
THE CATCH-22
GitHub demanded I delete repositories to resolve the suspension. But the account was suspended, preventing login. I informed support multiple times. No resolution.
THEY ARE HOLDING MY CODE HOSTAGE
I have no access to my repositories. No export. No backup. GitHub is effectively holding my intellectual property hostage. Under GDPR Article 20, I have an unconditional right to data portability. GitHub is refusing to comply.
This is, de facto, theft of intellectual property. The code I wrote is locked behind their wall with no legal basis for retention.
GDPR VIOLATION
Article 20 grants right to data portability. I'm locked out with no export option. DPO request unanswered beyond automated ticket.
CURRENT STATUS
- FTC complaint filed - DPO contacted — only automated ticket number - Project migrated to GitLab: https://gitlab.com/shray77/rsquad
I'm sharing this because enforcement was arbitrary, the process lacked transparency, and developers have no recourse when platforms make automated decisions.
Were you a paying GitHub user? Doesn’t sound like it.
You were scanning remote servers without written authorization using GitHub Actions bandwidth rather than hosting your own workers? “Scout for new sources”? I expect GitLab to ban you next.
[flagged]
I don’t agree that your usage is harmless, nor with your deferral of the expenses associated to first GitHub and now GitLab.
[flagged]
They haven't violated GDPR.
You are not a European citizen, you do not reside in the EU, GDPR only applies to those physically within a country within the EU. Same is true for EU citizens if they reside outside of the EU, a European living in America using an American service does not get the rights the GDPR provides
[dead]
> Under GDPR Article 20
Why GDPR. Didn't you say you're from Russia?
> DPO request unanswered beyond automated ticket
GDPR allows companies 30 days to answer, or telling you they need more time to answer.
> FTC complaint filed
Why FTC. Didn't you say you're from Russia?
> Filed formal legal appeal (7 pages)
I'm guessing the pages were largely AI generated?
> This is, de facto, theft of intellectual property.
At this point I'm laughing and wonder which AI lawyer gave the confidence to suggest that.
> No export. No backup.
Having no backups is hardly the provider's fault.
> Project migrated to GitLab
That sounds like you have the code at least and can recreate the data.
> Why GDPR. Didn't you say you're from Russia?
GitHub is a US company that processes data of EU residents. They're subject to GDPR. I've been in cybersecurity since I was 14 — data protection laws aren't new to me.
Additionally, California BPC § 17200 applies since GitHub is California-based.
> GDPR allows companies 30 days to answer
Correct. I filed the DPO request on March 17. The 30-day window hasn't expired. I'm sharing this now because the permanent ban came 70 minutes after my legal appeal with no review of the actual arguments.
> Why FTC. Didn't you say you're from Russia?
FTC accepts complaints from anyone regarding US companies. GitHub is US-based. Their business practices affect international users.
> I'm guessing the pages were largely AI generated?
I used AI to help with English phrasing — it's not my first language. The legal framework and arguments are mine. I've been interested in cybersecurity, privacy, and cryptography since I was 14. I considered getting into cypherpunk circles at one point. GDPR Article 20 isn't exactly obscure knowledge for someone in this field.
> theft of intellectual property
Fair point on the wording. More accurately: GitHub is refusing to provide data portability as required by GDPR Article 20. I retain copyright but am being denied access without due process.
> Having no backups is hardly the provider's fault
You're right I should have had backups. But GDPR Article 20 grants an unconditional right to data portability. "You should have backed up" doesn't exempt a company from legal obligations.
> That sounds like you have the code at least
I had a local copy of the VPN client (rsquad) from March 2. I lost: - Other repositories (hpp, node-filter, loshad-scoc, zhopa-bobra) - All issues and pull requests - Wiki content - Release packages - Account settings, SSH keys, GPG keys
> GitHub is a US company that processes data of EU residents. They're subject to GDPR.
You aren't located in the union in any way.
> I've been in cybersecurity since I was 14 — data protection laws aren't new to me.
Great, then you should be familiar with Article 3 of the GDPR:
> This Regulation applies to the processing of personal data of data subjects who are in the Union [...]
> This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union [...]
And Article 20 does actually have several conditions, it's not unconditional.
...
> Additionally, California BPC § 17200 applies since GitHub is California-based.
What does this have to do with "unfair competition"?
[dead]
[dead]
[dead]