The Music Streaming Fraud No one Talks About Is Already Happening to Indie Artists


Have you opened your music streaming platform, looked up your favorite artist, and cranked up their new track hoping for an enjoyable experience but instead were so shocked by how off it sounded that you were utterly perplexed? The music sounds stylistically different, the song title is strangely unfitting, and the artwork does not resemble the artist’s style. It’s almost as if someone created music using the artist’s name. And in some cases, this is exactly what is happening as threat actors try an innovative way to make money on the back of the music industry.

Now imagine you are that artist, casually checking your streaming stats only to realize someone has impersonated your alias and released music under your name. Frantically, you log in to your email and social media accounts to find your fans are just as perplexed as you and searching for an explanation for what they are listening to.

While this sounds like every artist’s worst nightmare, it is a very real and well-executed fraud scheme ravaging the indie musician scene.

So how does this scam work and who benefits from it? There are two types of streaming fraud. One scheme has been discussed in the media and involves the inflation of play counts. The music industry often artificially inflates play counts of songs to boost an artist’s reputation and popularity. Malicious actors game the system, too, and make money using a network of fake artists who might receive bot traffic to generate income from streaming platforms.

The other type of streaming fraud, as described above, has a greater impact on unsigned and indie artists and occurs when an unauthorized party uploads a song pretending to be the artist, and enjoys the streaming profits from that song. The majority of indie artists use third-party digital distribution services, such as Tunecore or DistroKid, to get their music on digital platforms. Authentication is not required when creating a digital distribution service account. The threat actor only needs to find a digital distribution service where the artist is not registered, follow the registration process, and upload the song under the artist’s name. This is a much easier process than impersonating a major label artist, as these labels enjoy direct relationships with streaming platforms to upload music, which would require an attacker to social-engineer his way into imitating the artist.

This is why some indie artists — who are successful, or moderately successful, with a solid fanbase that allows them to have a high influx of plays in the first days of a song’s release — may become worthwhile targets for threat actors.

Worst of all, the artist has little insight into which digital distribution service was used to upload the music and no way to find the uploader’s identity, as the artist must navigate through each platform’s cumbersome takedown submission process.

Most streaming platforms take 30 to 90 days from the moment new music is released to the digital distributor before sales are reported. However, there is no known process by which accounts impersonating artists are taken down at the digital distribution level. This leads me to assume that in the majority of cases, the threat actor does earn money from the streams of the fraudulently uploaded song. Additionally, during the weeks the track is online, and heard by the majority of the artist’s audience, the damage to the artist’s reputation is not easy to recover from.

It’s hard to blame digital distributors or streaming platforms despite their seeming failure to address this issue immediately. The medium of online music consumption is rapidly evolving. We are still learning, and adapting as we go. But what can be done from this point on? We need to have a decentralized registration system for artist names, much like the registration process of internet domain names. Once you register ‘Taylor Swift’, it cannot be registered again until it becomes vacated. This could be executed in the form of a protocol agreed upon and enforced by the major players in the market, such as streaming platforms, distribution services, and major labels. Alternatively, the regulation can be overseen by a multi-stakeholder non-profit endeavor, much like ICANN is to the internet.

Another solution could be the generation of a unique artist token which is given to an artist upon registration with a digital distributor, and expected by streaming services when uploading new songs. Without the authorization token it would be impossible for anyone to upload songs on behalf of the artist. Unless this problem is dealt with, this fraud scenario will be yet another stone in the already worn-and-torn shoes of indie artists.
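One way the two proposals above (a domain-style registry of artist names and a per-artist upload token) could fit together. This is an added illustration, not part of the original article or any platform's actual API; `ArtistRegistry`, `normalize` and the sample artist names are hypothetical.

```python
import hashlib
import hmac
import secrets
import unicodedata


def normalize(name):
    """Fold case, Unicode form and spacing so near-duplicate names collide."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


class ArtistRegistry:
    """Hypothetical shared registry: one owner per normalized artist name."""

    def __init__(self):
        self._token_hashes = {}  # normalized name -> SHA-256 of the issued token

    def register(self, name):
        key = normalize(name)
        if not key:
            raise ValueError("empty artist name")
        if key in self._token_hashes:
            raise ValueError(f"artist name already registered: {key!r}")
        token = secrets.token_urlsafe(32)
        # Store only a hash, so a leaked registry database does not leak tokens.
        self._token_hashes[key] = hashlib.sha256(token.encode()).digest()
        return token

    def authorize_upload(self, name, token):
        expected = self._token_hashes.get(normalize(name))
        if expected is None:
            return False  # unregistered name: reject instead of accepting by default
        presented = hashlib.sha256(token.encode()).digest()
        return hmac.compare_digest(expected, presented)  # constant-time compare


def demo():
    registry = ArtistRegistry()
    token = registry.register("Example Artist")  # constructed sample name
    impostor_token = secrets.token_urlsafe(32)   # a token the registry never issued
    return {
        "owner": registry.authorize_upload("example artist", token),
        "impostor": registry.authorize_upload("Example Artist", impostor_token),
        "unregistered": registry.authorize_upload("Other Artist", token),
    }
```

Normalizing before lookup matters as much as the token itself: without it, a second party could register a visually identical name that differs only in case, spacing or Unicode width.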

Alex Karlinsky is a senior cyber-intelligence expert with over a decade's worth of hands-on experience researching cybercrime threats and trends.