A recent US criminal case has exposed how a combination of AI-generated music, large-scale bot traffic and cloud infrastructure can transform a legitimate music royalty model into a highly profitable fraud scheme. North Carolina musician Michael Smith, 54, has pleaded guilty to conspiracy to commit wire fraud after fabricating streams worth more than $10 million on major platforms.
How the AI-driven music streaming fraud operated
According to the US Department of Justice, from 2017 to 2024 Smith systematically manipulated royalty payouts on Spotify, Apple Music, Amazon Music and YouTube Music. Importantly, the scheme did not rely on hacking user accounts or breaching platform infrastructure. Instead, it abused the economic logic of per-stream royalty payments.
Smith worked with an unnamed music promoter and the CEO of a company specializing in AI-generated music. Through this partner, he acquired hundreds of thousands of automatically composed tracks – inexpensive to produce, yet legally “original” in copyright terms. These tracks were uploaded at scale under different artist names and labels, creating a vast, low-profile catalog.
Botnets, VPNs and behavioral camouflage
Once the catalog was live, a controlled network of bots took over. Smith operated more than 1,000 automated accounts that simulated real listeners: playing tracks, switching playlists and building realistic listening histories. To bypass basic fraud filters, bot traffic was routed through VPN services and cloud providers, distributing requests across many IP addresses and geographic regions.
In messages to partners, Smith described the core obfuscation strategy: he needed a “huge volume of songs with a small number of plays on each.” Instead of a few obvious “hit” tracks suddenly exploding in popularity, the scheme generated modest but steady plays across a massive catalog. This long-tail pattern is harder for anti-fraud systems to flag as anomalous.
The economics of fake streams
Internal financial records cited by prosecutors show the scale. In 2017, Smith calculated that 52 cloud accounts running 20 bots each could generate about 661,440 streams per day. At an average royalty rate of roughly $0.005 per stream, this translated to approximately $3,307 per day – over $99,000 per month and more than $1.2 million per year.
By 2024, shortly before his arrest, Smith boasted that his tracks had amassed more than 4 billion streams since 2019, generating around $12 million in royalties. Prosecutors emphasize that these were largely fabricated popularity metrics, diverting money from the shared royalty pool that should have gone to legitimate artists and rights holders. Smith now faces up to five years in prison and the forfeiture of $8,091,843.64.
Why music streaming platforms are vulnerable to bot and AI abuse
The business model of music streaming is based on micropayments: each play is worth a fraction of a cent, but at global scale, those fractions add up to significant revenue. This makes streaming fraud conceptually similar to click fraud in online advertising, where automated clicks drain ad budgets and distort performance metrics.
Streaming services also operate under strong usability constraints. Anti-fraud systems must distinguish between malicious automation and legitimate edge cases such as heavy users, shared devices or atypical listening habits. Schemes like Smith’s exploit this tension by carefully imitating human behavior, smoothing activity over time, devices and regions to avoid sudden spikes that trigger alerts.
The use of VPNs and cloud infrastructure further complicates detection. IP addresses may belong to reputable data centers or mass-market ISPs, not obvious anonymization services. At the same time, thousands of low-visibility AI tracks with modest but consistent traffic are much less conspicuous than a single track experiencing an abrupt, viral surge.
Cybersecurity lessons for the digital music industry
How streaming platforms should strengthen anti-fraud defenses
The Smith case illustrates that protecting streaming platforms is now a core cybersecurity task, not just a business challenge. Effective defenses require a layered, data-driven anti-fraud strategy that includes:
- Advanced behavioral analytics to profile normal listening patterns, session duration, skip behavior and playlist transitions at user and catalog level.
- Deep IP, device and network correlation, with specific scrutiny for traffic originating from cloud providers and known VPN ranges.
- Machine-learning models for detecting network-wide and behavioral anomalies, rather than relying only on static rules.
- Stronger controls on bulk content ingestion, including KYC-style vetting for aggregators, distributors and high-volume uploaders.
- Regular audits of royalty distribution and retrospective investigation of suspicious streaming patterns and outlier accounts.
Risks and recommendations for artists and rights holders
For legitimate artists, labels and publishers, streaming fraud results in direct financial loss: the overall royalty “pot” is finite, and every fake stream reduces the share available to genuine creators. Artificially inflated metrics also distort recommendation algorithms and charts, pushing fraudulent or low-quality AI content ahead of authentic works.
Rights holders should closely monitor royalty reports for anomalies in geography, device types, time-of-day patterns and growth curves. They should also avoid “promotion” services that promise fast, guaranteed increases in streams. Most major platforms explicitly prohibit artificial manipulation in their terms of service; involvement in gray-market schemes can lead to catalog removal, account bans and loss of income.
The case of Michael Smith underscores that digital music fraud is not merely unethical conduct; it is a prosecutable cyber-enabled crime. As AI-generated content and automation tools become more accessible, the potential impact of such schemes will continue to grow. The resilience of the digital music economy will depend on how quickly platforms, distributors and rights holders invest in robust anti-fraud capabilities, share threat intelligence and treat streaming manipulation with the same seriousness as other forms of cybercrime.
