[TIMESTAMP: 2026-03-20 12:18 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

AI-Generated Music Fraud: How Bots Siphoned $10M in Royalties

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Fraudulent streaming accounts and AI-generated music were used to illicitly siphon over $10 million in royalty payments from major digital music platforms.
  • [02] Major streaming services including Spotify, Apple Music, Amazon Music, and YouTube Music were exploited using thousands of automated bot accounts.
  • [03] Platforms must implement advanced behavioral analytics and identity verification to detect and block non-human streaming patterns and automated account creation.

Michael Smith, a 52-year-old musician from Cornelius, North Carolina, has pleaded guilty to charges related to a massive streaming fraud operation. According to BleepingComputer, the scheme involved the use of artificial intelligence to generate hundreds of thousands of songs which were then “listened to” by a vast network of thousands of bot accounts. This coordinated activity allowed Smith to collect over $10 million in royalty payments between 2017 and 2024.

Detecting Automated Streaming Fraud Botnets: Technical Analysis

Smith’s operation represents a sophisticated example of automated platform abuse. The defendant utilized a massive infrastructure of approximately 10,000 bot accounts. These accounts were not merely static; they were programmed to simulate human behavior across various platforms, including Spotify, Amazon Music, Apple Music, and YouTube Music. The management of these accounts required a significant investment in identity obfuscation. Smith utilized VPN services and a vast array of fake email addresses to register and maintain these accounts without triggering immediate security flags.

When organizations focus on detecting automated streaming fraud botnets, they must account for the distributed nature of the attack. Smith did not stream from a single IP address; instead, he used decentralized infrastructure to make it appear as if thousands of distinct users were engaging with the content. At its peak, the operation was generating 661,000 streams daily, which translated into roughly $1.2 million in annual royalties without any legitimate human listeners.

AI-Generated Asset Production

One of the core challenges for any streaming fraudster is avoiding the detection of repetitive patterns. If a single song is streamed millions of times by a small set of accounts, platform algorithms flag the activity as suspicious. To circumvent this, Smith turned to AI-generated music royalty exploitation. By collaborating with the CEO of an AI music company and a music promoter, he generated hundreds of thousands of unique tracks.

This high volume of content allowed him to distribute the bot-driven streams across a vast library, ensuring that no individual song triggered “stream-thresholding” alerts. This volume-based supply chain attack on the platform’s content catalog illustrates how generative AI can be weaponized to create noise that masks illicit activity. He even created fake band names and song titles, such as “Zygotic Washstand” and “Zymotic Chondrule,” to further simulate a diverse ecosystem of content.

Analyzing Michael Smith Streaming Fraud TTPs and Infrastructure

When analyzing the Michael Smith streaming fraud TTPs, security researchers note the reliance on legacy identity verification methods. The TTP involved automating the streaming process so that the accounts would “listen” to his AI-generated tracks around the clock. The ability of a single actor to maintain 10,000 accounts suggests a failure in rate-limiting and behavioral fingerprinting on the part of the service providers.

From a SOC perspective, detecting this type of fraud requires moving beyond simple IP-based blocking. Since the attacker used VPNs and decentralized accounts, the IoC profile is fragmented. Instead, defenders must focus on behavioral heuristics—such as the probability of a user listening to music 24 hours a day without interruption or the statistical likelihood of thousands of accounts following the exact same playback patterns across disparate AI-generated tracks.

Mitigation and Detection Strategies

To prevent similar exploits, digital service providers must implement multi-layered defense strategies that move beyond traditional authentication.

  1. Behavioral Analysis: Implement machine learning models to identify non-human listening patterns that deviate from standard user engagement metrics, such as impossible listening durations or repetitive playlist cycles.
  2. Enhanced Identity Verification: Require more than just a verified email address for account creation. Integrating device fingerprinting can help detect bulk account management originating from single workstations or clusters.
  3. Content Integrity Checks: Platforms should monitor for sudden influxes of large volumes of content from single distributors that lack a verified artist history or social presence.
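
The two behavioral heuristics named above (round-the-clock listening and many accounts following the same playback pattern) can be expressed as simple rules over a stream log that deliberately ignore IP addresses. This is an added example, not code from any streaming platform; the event layout, account names, thresholds and sample data are all constructed assumptions, and it uses fixed rules rather than the machine learning models the list mentions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data: (account_id, track_id, start_time_utc, seconds_played).
# Thresholds and field names are assumptions for illustration only.
DAY = datetime(2024, 1, 15, tzinfo=timezone.utc)
PLAYLIST = [f"trk-{n:03d}" for n in range(40)]

def build_sample():
    events = []
    for b in range(5):  # five bot-like accounts looping one playlist all day
        t = DAY + timedelta(seconds=7 * b)
        for i in range(24 * 20):  # 20 three-minute plays per hour, 24 hours
            events.append((f"bot-{b}", PLAYLIST[i % len(PLAYLIST)], t, 180))
            t += timedelta(seconds=180)
    human = {"alice": (["a1", "a2", "a1", "a3"], 19),
             "bob": (["b7", "b2", "b9"], 8),
             "carol": (["a1", "c4", "c4", "b2", "c5"], 21)}
    for acct, (tracks, hour) in human.items():
        for i, trk in enumerate(tracks):
            events.append((acct, trk, DAY + timedelta(hours=hour, minutes=4 * i), 200))
    return events

def always_on_accounts(events, min_hours=22):
    """Accounts with playback in at least min_hours distinct hours of one UTC day."""
    hours = defaultdict(set)
    for acct, _trk, start, _secs in events:
        hours[(acct, start.date())].add(start.hour)
    return sorted({acct for (acct, _d), h in hours.items() if len(h) >= min_hours})

def lockstep_groups(events, window=10, min_accounts=3):
    """Groups of accounts whose first `window` plays form the same track sequence."""
    seqs = defaultdict(list)
    for acct, trk, start, _secs in sorted(events, key=lambda e: (e[0], e[2])):
        if len(seqs[acct]) < window:
            seqs[acct].append(trk)
    groups = defaultdict(list)
    for acct, seq in seqs.items():
        if len(seq) == window:  # ignore accounts with too little history
            groups[tuple(seq)].append(acct)
    return [sorted(a) for a in groups.values() if len(a) >= min_accounts]

if __name__ == "__main__":
    ev = build_sample()
    print("always-on:", always_on_accounts(ev))
    print("lockstep:", lockstep_groups(ev))
```

Because both rules key on account behavior rather than source address, they still fire when each account sits behind a different VPN exit.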

Smith faces up to 20 years in prison for each of the two counts he pleaded guilty to: wire fraud conspiracy and money laundering conspiracy. The success of this $10M scheme highlights the necessity of evolving fraud detection to keep pace with generative AI. As attackers find it easier to produce synthetic assets, the burden of verification shifts to the platforms to distinguish between legitimate creative output and automated garbage designed for financial exploitation.
