The Wolf Who Played Himself a Lullaby: $10M Streaming Fraud and the AI Bots That Sang It
Okay. I've been awake since yesterday. My coffee is cold. I have 47 open tickets. And I just read that a musician in North Carolina used AI bots to steal ten million dollars from streaming platforms and I genuinely cannot decide if I'm disgusted or impressed.
I'm going with disgusted. Mostly.
Michael Smith, aspiring artist and apparently also aspiring fraudster, pleaded guilty to running a scheme where AI-generated music was streamed by AI-generated listeners, racking up fake royalty payments across Spotify, Apple Music, Amazon Music, and YouTube Music. Ten. Million. Dollars. He was essentially the wolf AND the fake grain here, which is a new one for me.
Here's the part that keeps me staring at the ceiling: the platforms just... paid out. Repeatedly. For years. Nobody at any of these billion-dollar operations looked at the numbers and thought "hm, curious that this one artist's catalog is getting streamed 24 hours a day with zero human variation in playback timing."
The Shepherds running these platforms built enormous Sky Pastures full of automated systems and trusted them completely. That's the joke. The automation that was supposed to detect fraud was apparently taking a nap next to the automation committing it.
To be clear, this isn't a "the Lambs clicked something" situation. There's no oblivious flock to blame here. This is pure infrastructure rot. Garbage detection logic, lazy payout verification, and nobody with the actual authority to ask hard questions about anomalous royalty distributions.
Smith reportedly used shell companies and fake artist profiles at scale. The bots streamed. The platforms paid. He bought... whatever musicians buy. I don't know. Artisanal cables probably.
He's facing serious federal fraud charges now, so at least the story has a correct ending. Eventually.
Remediation
Look, I'm not a streaming platform engineer and I don't want to be. But here's the bare minimum:
- Bot detection on playback patterns. Real listeners don't stream a track 14,000 times in a row at 3am with no skips. Flag it.
- Anomaly thresholds on royalty payouts. If an unknown artist's payout spikes 4,000% in a month, maybe hold that check for five minutes and ask a question.
- Verify the shell companies before you wire them money. I know. Wild concept.
- Audit your automated systems against each other. Your fraud detection and your payout system should not be strangers.
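A sketch of the playback-pattern, payout-spike and cross-check items above, added here as an example (not from the original report or any platform's code). The event fields, thresholds and function names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import pstdev
# Illustrative thresholds (assumptions, not any platform's real values).
MIN_STREAMS = 20        # plays needed before judging a listener
MAX_GAP_STDEV = 2.0     # seconds of spread in idle time between plays
MAX_SKIP_RATE = 0.02    # share of plays stopped before 90% of the track
MIN_ACTIVE_HOURS = 20   # distinct hours of the day with playback
SPIKE_RATIO = 10.0      # this month's payout vs. last month's
MIN_BASELINE = 10.0     # floor so a zero prior payout still gets compared
MAX_BOT_SHARE = 0.5     # share of an artist's plays from flagged listeners

def is_bot_like(plays):
    """One listener's plays: constant idle gaps, no skips, round-the-clock activity."""
    if len(plays) < MIN_STREAMS:
        return False
    plays = sorted(plays, key=lambda e: e["start"])
    gaps = [b["start"] - (a["start"] + a["played"]) for a, b in zip(plays, plays[1:])]
    skip_rate = sum(e["played"] < 0.9 * e["length"] for e in plays) / len(plays)
    hours = {(e["start"] // 3600) % 24 for e in plays}
    return (pstdev(gaps) <= MAX_GAP_STDEV and skip_rate <= MAX_SKIP_RATE
            and len(hours) >= MIN_ACTIVE_HOURS)

def payouts_to_hold(events, payouts):
    """payouts: {artist: (last_month, this_month)}; returns {artist: [reasons]}."""
    by_listener = defaultdict(list)
    for e in events:
        by_listener[e["listener"]].append(e)
    flagged = {who for who, plays in by_listener.items() if is_bot_like(plays)}
    total, from_bots = defaultdict(int), defaultdict(int)
    for e in events:
        total[e["artist"]] += 1
        from_bots[e["artist"]] += e["listener"] in flagged
    held = {}
    for artist, (prev, cur) in payouts.items():
        reasons = []
        if cur >= SPIKE_RATIO * max(prev, MIN_BASELINE):
            reasons.append("payout_spike")
        if total[artist] and from_bots[artist] / total[artist] >= MAX_BOT_SHARE:
            reasons.append("bot_traffic")  # the payout side consults the fraud side
        if reasons:
            held[artist] = reasons
    return held

# Constructed sample: "bot-1" loops a 180 s track for ~30 hours; "human-1" plays in bursts.
SAMPLE_EVENTS = [dict(listener="bot-1", artist="A", start=i * 181, played=180, length=180)
                 for i in range(600)]
SAMPLE_EVENTS += [dict(listener="human-1", artist="B", start=d * 86400 + s, played=p, length=200)
                  for d in range(5) for s, p in [(0, 200), (260, 45), (900, 200), (4000, 200)]]
SAMPLE_PAYOUTS = {"A": (25.0, 1025.0), "B": (40.0, 44.0), "C": (0.0, 500.0)}  # (last, this)
```

On the sample, artist A is held for both reasons, and would still be held for bot traffic alone if its payout had stayed flat, which is the case a payout-only threshold misses.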
None of this is exotic. It's just boring, unglamorous work that someone decided wasn't worth doing until $10 million walked out the door.
Anyway I have to go close some tickets. They won't close themselves, unlike apparently streaming royalty fraud investigations.
Original Report: https://www.bleepingcomputer.com/news/security/musician-pleads-guilty-to-10m-streaming-fraud-powered-by-ai-bots/