Darknet Diaries - 171: Melody Fraud

Episode Date: March 3, 2026

What if the music charts you see aren’t real? What if the numbers that define success can be manufactured? We talked to Andrew, a man who has spent his career on both sides of this battle. He once profited from the loopholes in streaming platforms, but now, his job is to close them. This episode will change the way you understand music streaming platforms from now on.

Sponsors

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

Support for this show comes from Adaptive Security. Deepfake voices on a Zoom call. AI-written phishing emails that sound exactly like your CFO. Synthetic job applicants walking through the front door. Adaptive is built to stop these attacks. They run real-time simulations, exposing your teams to what these attacks look like to test and improve your defences. Learn more at adaptivesecurity.com.

This episode is sponsored by Meter, the company building networks from the ground up. Meter delivers a complete networking stack - wired, wireless, and cellular - in one solution that’s built for performance and scale. Alongside their partners, Meter designs the hardware, writes the firmware, builds the software, manages deployments, and runs support. Learn more at meter.com.

Transcript
Starting point is 00:00:00 I've always liked the idea of fake it till you make it, or you act like someone you want to be until you become them. This sometimes comes with imposter syndrome, but I think the antidote to that is just more experience. But how do you go from being a total beginner to confidently doing something? I often turn to the bookstore to help me there. But you know a book that's always bothered me? It's those for dummies books, like the C programming for dummies,
Starting point is 00:00:25 or the complete idiots guide. Even if I don't have a clue where to start, I would never buy one of those books because I don't consider myself a dummy or an idiot. Because I want to fake it till I make it and I don't want to fake being a dummy. I want to be a great programmer. So a dummy's guide to programming is not the direction I want to be going. I think what those books failed to do is they seem to target who you are now, not what you want to become. And that was their failure, at least for me. I've bought tons of how-to books, but I will never buy one of those books.
Starting point is 00:00:55 to me the key to success is in the aspiration. I would instantly buy books that were titled How to Be an Amazing C-programmer because that is what I want to become. And the book could contain the exact same words as the other book that's C-programming for dummies, but it would have an entirely different impact on me. Every time I saw the title,
Starting point is 00:01:16 I'd feel like I'm becoming more and more like the person I want to be an amazing programmer. And that would give me that false sense of greatness which is exactly what it's like to fake it till you make it. Because it's not about who you are today. It's about who you aspire to be tomorrow. It's about embracing the journey of transformation and allowing your actions to shape your destiny.
Starting point is 00:01:39 So go ahead and fake it. You can lie to yourself if you want because sometimes the greatest lies are the ones that propel us towards our truest selves. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries. This episode is sponsored by ThreatLocker.
Starting point is 00:02:24 Ransomware, supply chain attacks, and zero-day exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats. And that's the power of the ThreatLocker Zero Trust Endpoint Protection Platform. Robust cybersecurity is a non-negotiable to safeguard organizations from cyber security. ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team. This least-privileged strategy mitigates the exploitation of trusted applications and ensures 24-7-365 protection for your organization. The core of ThreatLocker is its Protect Suite, including Application Allow Listing, Ring Fencing, and Network Control,
Starting point is 00:03:09 additional tools like the ThreatLocker Detect EDR, Storage Control, Elevation Control, and Configuration Manager, enhance your cybersecurity posture, and streamline internal IT and security operations. To learn more about how ThreatLocker can help mitigate unknown threats in your digital environment and align your organization with respected compliance frameworks, visit Threatlocker.com. That's Threatlocker.com. This episode is sponsored by Adaptive Security, one of the first cybersecurity companies backed by OpenAI. You've prepared your security teams to deal with DDoS attacks, to prevent SQL injections, to constantly be monitoring who has access to your systems, but AI has changed the game.
Starting point is 00:03:53 Bad actors don't need to break into your system. They just need to break into your trust. Deepfake voices on a Zoom call, AI-written phishing emails that sound exactly like your CFO, synthetic job applicants walking through the front door. Adaptive is built to stop these attacks. They run real-time simulations, exposing your teams to what these attacks look like to test and improve your defenses. And now with their AI content creator, you can take breaking threats or compliance docs and instantly turn them into interactive, multilingual training, no design team required. Trusted by Fortune 500s and backed by Andreessen Horowitz and OpenAI, Adaptive is building the defenses we need for the AI era.
Starting point is 00:04:35 Learn more at Adaptivesecurity.com. That's Adaptivesecurity.com. Today, I'm talking with Andrew. Yeah, I'm Andrew, baby. Andrew has a really unique job that I can't wait to ask him about, but first, we should learn about how he got there. So I started on Facebook when it was still E-D-U-based, and then I was one of the first 50 beta advertisers on Twitter
Starting point is 00:05:01 and learning to kind of misuse their system. Misuse their system. These systems are huge and complex, algorithms, likes, follows, and a whole ad network. He wondered if he could manipulate any of that to his benefit. Same thing with YouTube. I used to be able to break anything into the front page of YouTube. And I guess I quickly became the guy that you would go to if you wanted to sort of like gray hat, black hat, some stuff.
Starting point is 00:05:27 Gray hat and black hat and white hat. Let's talk about that. That's going to come up a lot in this episode. And we'll start with White Hat. White Hat is doing something that's 100% legal and safe, such as hacking your own computer. Nobody is going to come arrest you for that. Black Hat is doing something that's illegal, such as hacking your ex's lawyer to see what they're plotting against you.
Starting point is 00:05:50 Grey hat is somewhere in between. Maybe it's technically not legal, but you're hacking into something only for research, but not to cause harm. But these terms also apply to marketers. Someone who follows the rules, such as paying for ads, a normal way,
Starting point is 00:06:06 that's a white hat marketer. But someone who uses bots, for instance, to artificially create a bunch of five-star reviews for something, that would be a black hat marketer, in my opinion, because they are lying and cheating with their so-called marketing and run the risk of being thrown off the very platform that they're trying to grow on. At least, this is what I think these terms mean going into this episode,
Starting point is 00:06:27 but my definitions might change as we go further. So, in my opinion, Andrew was a black hat marketer. He was trying to promote certain products or people by tricking people or systems to artificially inflate something's popularity. My favorite thing at the time was like jacking. It was a weird time period because it was before, fan pages. So initially when Facebook first launched, you could only friend request somebody and there was a 5,000 person limit. And what you used to do is you would hide the request friend request button or when fan pages launched the fan follow button. But you would hide it in the pixels. I don't know if you've come across that. Yeah, I have. People who want to become popular on social media might do it. Like an up and up and coming band who wants as many likes and follows as possible. If others think you're good, then you're probably good. And so you might show up in more people's feeds because of that too. and Facebook made it so you could add a like button anywhere you wanted,
Starting point is 00:07:19 like on your own webpage or blog. But if you were sneaky, you could trick people into clicking on that like button when they didn't know they were clicking it. And that's what clickjacking is, or like jacking. In our case, we ended up using it a lot on video or photo sharing websites. So when people were clicking like Next or going through video or photo carousels, every time they were clicking, we sort of trained our users to double click. And we started buying these websites that were high volume websites.
Starting point is 00:07:48 And then eventually we started doing web development for other sites and then putting these in there. And what would happen was our hypothesis was that people did not log out of their Facebook. It's cached in their browser. So what we would do is just hide that pixel inside of other websites. And so we could drive millions of fans to things. Man, how clever. They bought a popular video and photo sharing site,
Starting point is 00:08:18 it wasn't the next button. It was the Facebook like button. And the users had to click twice because the first one was just liking the photo and then the second one was going to the next photo. And so what Andrew would do is he'd advertise that he can get your Facebook page, 5,000 followers and thousands of likes,
Starting point is 00:08:33 and people would buy his service to promote their bands. And he'd artificially grow someone's Facebook account. And so that's kind of where we started a lot. Another thing we did in the early days was kind of an ad arbitration. At the time, for example, when you charge an advertiser, they cared about time on site and sort of CPMs, but they didn't care that much about the actual click-through or engagement with the ads. They just weren't aware.
Starting point is 00:08:58 I know that seems obvious now, but back in the 2000s, like no one really knew that those are metrics to look at, like traditional advertisers. So what we would do is we had these high-traffic volume websites, and we would, for example, have a $5 CPM, let's say. but we could buy traffic for like a dollar. And so we would blend enough garbage traffic in that we didn't really ruin our overall sort of time on site or user stats, but we would be able to sort of print money.
Starting point is 00:09:28 Oh, so he'd sell ads on his website, but then pay fake visitors to click it, making it look like a lot of people click that ad, and then he would just collect the money for it. But really, it was just paid traffic? Huh. And another one that we did that was really interesting, thing at the time was around YouTube.
Starting point is 00:09:45 So we figured out that you could basically, there were these pop under ads back then, and you could, most people recognize them from the sort of like penis enlargement ads and things like that. You click out of a website and there'd be like the annoying little open browser underneath it. We would load it with YouTube videos on mute
Starting point is 00:10:05 and we were able to rack up, you know, hundreds of thousands of plays to a YouTube video quickly. and if we could get 3 to 400,000 views quietly in the background, we could basically break into the algorithm on the front page. And back then, people would go to the front page of YouTube to see what was trending. So we would be able to break a bunch of different content pieces onto the front page of YouTube. And at that point, they had to sink or swim. You basically had to have good content that people liked or not.
Starting point is 00:10:35 But pretty quickly, it was evident. You either went viral or you were trash and you're removed quite quickly. So we could get you there, but the question was whether or not you'd stick. Geez. Now, see, to me, this is all black hat marketing. You aren't bringing real customers to your site or video page. Instead, it's all fake. It's not quite bots.
Starting point is 00:10:54 It's real people clicking things, but they're tricked into clicking things, and they don't know they're clicking it. The stuff they're viewing is invisible to them, but it's playing in the background. And so I call this black hat marketing, because if YouTube found out that you manipulated your way to the front page, they'd probably ban you. But I also think if you have a bunch of fake followers,
Starting point is 00:11:15 then that's not real marketing either. That's cheating and lying and manipulating. Now, when you say we, what was this? Where's we? I had a couple partners that we did this with. Was this like a black hat marketing firm? You know, that term wasn't really a thing then. I would say we all considered it marketing,
Starting point is 00:11:32 but we didn't, I mean, yes, it's black hat. But I wouldn't say that that's what we visualized it as at the time. At the time, we really felt like we were just a marketing firm using all the possible channels we could to give a brand an opportunity to take off. What I got known for at the time was we launched an artist on Facebook, and he had no label, no major label, like nothing. He was found at a bonfire in Nantucket. So it was kind of like an interesting thing. When we went to the labels back then to try to convince them that you could use Facebook to launch an artist, everyone laughed at us and said, you know, Facebook's for kids, we have a website, we do email lists, we do paid marketing,
Starting point is 00:12:20 this isn't part of our mix. No one believed it was possible until we did it. And then after we did it, everyone wanted to pay us to do it. And the hardest thing was trying to like continue to perform because then, you know, everyone that finds a vein that works, everyone starts copying you. And then you have to find a new way. It's like you're constantly on a treadmill for finding new innovative ways that you can break an artist or that you can just get attention. And I think from our view, that's the, that's the art of marketing. It's less, it doesn't, I think for a lot of us, it doesn't feel like black hat because we're just using a technique or a tool that might only last for two months or three months until we have to find something else. And we all safeguard it. When we learn
Starting point is 00:13:04 something, we don't tell people. So like, when we learned about like jacking, which was the hypothesis we had, we definitely didn't tell anybody because we didn't want anyone copying us. We didn't want people to know how we could drive a million fans to something, and they were all real fans. So it was just kind of a, I think in that view, it's just a different era. And I would also say that no one even called it social media marketing. At the time, there was digital marketing, like new media was a term. Like, there wasn't even a term for growth hacking wasn't even a term. Like, no one even used the word growth hacking.
Starting point is 00:13:37 But this was not a thing at that moment. So it is interesting to see how the whole thing's evolved. I do think that if you asked us point blank is what you're doing violating terms and services, for sure we would have lied and told you. We would have told you no. But we all knew, like we weren't drinking the Kool-Aid. Like everyone in the company knew we were violating terms and services. I think the thing we thought was, who cares?
Starting point is 00:14:04 like if a real user likes what we have to do, like what we're presenting them, we're not like faking the genuine product market fit. We're just trying to get in front of those eyeballs and see if we are a product market fit. That one's a stretch as well. But I agree with you that I think a good marketing campaign is one that actually, because I think most people are like,
Starting point is 00:14:29 I hate marketers, I hate ads, I hate all this stuff. But do you, when a product lands in front of you, And it's the perfect thing. It's your new favorite song. And you're like, holy cow, I can't believe I just found this. Then you don't hate it, right? And so if you can match that person who needs this product with this thing, and that is a marketing move that you've done,
Starting point is 00:14:51 then that is fantastic marketing. And I wish that's how all marketing was, is to actually find the person who needs it and then focus on them. Unfortunately, marketing has a lot of wasted eyeballs looking at it. For sure. I mean, even back then, I remember seeing this thing in probably like 2011, I feel like, where there was this report that came out in like an advertising sort of research report that only 8% of people who saw an ad online were real.
Starting point is 00:15:20 Like it was just technically a machine connecting with another machine presenting the ad. But there wasn't a real person on the other end. And that was 15 years ago. Like, I can only imagine how much worse it's gotten. Yeah. When you were doing this black hat stuff, did you have any success stories of people that you made or products that you launched well and just like huge success with these techniques? Yeah, I don't want to throw them under the bus, so we definitely did win a lot. We took a brand in action sports that was like 17th in their spot, moved into like third in the market. And what was crazy is at the time you start doing these big activations. So when you start winning, all the big brands pile in.
Starting point is 00:16:08 All of a sudden, they all want to do a collaboration or some deal with you. So you end up doing really big brand partnerships or brand collaborations with really established companies once they all perceive you as the winner. And so the snowball sort of takes off. And then it becomes less black hat and more traditional sort of project management. and release schedules and just creative, less like hacky. Yeah, so one sports brand went from 17 to third. What else? Yeah, we had a musician that we launched
Starting point is 00:16:38 that went number one iTunes, number seven, Billboard with no label. Okay, number one iTunes, number seven, is that fake numbers? Is that fake numbers? That's the crazy part. That's what I'm saying. I don't feel like it was black hat because we got in front of all the, to your point, we got in front of people who decided they really love this artist.
Starting point is 00:16:59 And because they really love that artist, and we sort of had an 18-month plan. So as we were building this artist with all these techniques, we were providing them with content to get them more and more hooked and engage with the artist. And when we released that artist's EP,
Starting point is 00:17:15 that artist went number one, over everybody. Like, I remember we beat DJ Khaled as an example. Like, we beat everybody. And no one could believe it. I mean, we were called out. People thought we faked numbers. We didn't fake anything.
Starting point is 00:17:28 Like it was all real. We just sort of met the consumer at the point, we were in front of the consumer at the right moment when they, quote, unquote, discovered this artist and then thought they really liked it. And so, again, the techniques allowed us to engage and have a real product market fit, but the techniques we used were definitely not approved. Yeah, I mean, when I first started this podcast, I was like, all right, let's market it. and you start noticing some of these black hat marketing techniques. And I had to really sit and look at myself in the mirror and be like, am I a guy who is going to cheat my way to success? Like, fake it till you make it.
Starting point is 00:18:07 And I had a long debate about it. And I'm like, no, I'm a hacker. Of course, I'm going to use every trick in the book, right? This is great. Let's try it all. And then I was like, no, this is not honest. This is unethical and all that sort of stuff. So I landed, this is funny.
Starting point is 00:18:21 I landed on no black hat marketing, but I'm totally for guerrilla marketing, which is unsanctioned marketing, right? So if I go to a conference and there's an empty booth where a vendor didn't show up, I might sit down at that booth, put like a little banner up that says, hey, this is Darknet Diaries. And I didn't pay $10,000 for that booth until the people come and say, hey, is this, did you pay for this booth?
Starting point is 00:18:44 No, okay, we'll get out. All right, cool. And so I'll put stickers on places that aren't supposed to be stickers and all kinds of stuff like that. So that, to me, is guerrilla marketing. No, I agree. I think that's definitely, and I have some examples that, like, we launched an app in 2013 called Hater app.
Starting point is 00:19:00 It was an Instagram for everything you hate. And our logo was a giant thumbs down. And we went to South by Southwest, and we just started putting stickers on people's backs as they were walking. And there were thousands of people walk around with these stickers. And it went by, we got, like, so many downloads. The downside was we built this thing totally crappy just to see if it would work as an MVP. and it went, like, we had hundreds of thousands of downloads, like, overnight,
Starting point is 00:19:29 and the app was not functional. It was a complete mess. But it was, like, such an interesting moment where I remember doing interviews with, like, we did interviews with, like, Wall Street Journal and everyone. And it was like the huge story at the time because we basically did this guerrilla approach and it kind of worked. And I guess to your point, I always viewed the stuff I did online. I mean, maybe I'm just justifying it now, you know, like hindsight.
Starting point is 00:19:52 I revisionist history. But I remember you really feeling like the things we were doing online was the guerrilla version of what we did in person, you know, for like these types of techniques. Something I noticed on the podcast world is that people can fake their way to the top on Apple podcast charts, but most of them fall off a cliff as soon as they stop paying their black hat marketer.
Starting point is 00:20:15 Totally. And so like I haven't, there's an artist I know who I won't throw under the bus who is a major artist now. They were up for a Grammy, a bunch of things. Their entire first album was fake. Okay, I know who you're talking about. Check this out.
Starting point is 00:20:30 I saw this article last week. Spotify accuses Drake of forging billions of fraudulent streams. That's not who I was talking about. That's all so interesting. Okay, so that's what Andrew was busy doing for a while. He was living in Los Angeles, and he wasn't just doing Black Hat Marketing, launching people's careers,
Starting point is 00:20:52 but also building websites and tech companies and buying and selling them. He was solidly tuned in to the internet and saw it in a way that not many did. And one of his friends is Morgan, and they liked to go to football games together. Back in the day, we had tickets to the L.A. Rams. So we would go to the games every week,
Starting point is 00:21:10 every, you know, eight times a year or whatever. We'd go to the games all together. We had ten seats together. So it was Morgan, me, and a bunch of music exec guys that we'd known and just randomly together. So anyway, we were there all the time. And around, I was everyone's weird crypto friend.
Starting point is 00:21:25 I started mining in 2011 and sort of I've been really interested in the sort of technology and how it could be used. But I, it, anyone who goes back to that day will understand anyone who was in this, but maybe you were in that back then. But like, it was weird because pure tech people really didn't like blockchain people. Like there was this weird. If you were like a crypto guy, you kind of got like the scarlet letter put on you when it came to tech. And it really did feel like at the moment if people found out you were the crypto guy that you would just get pigeonholed and lose opportunities.
Starting point is 00:22:01 So I was very careful to keep building tech and keep the blockchain crypto stuff entirely separate. And in around 2017, that sort of whole world merged together, all of a sudden, people in suits started showing up to crypto events. And like next thing you know, bankers are around and everyone's talking about how it can be used for enterprise. And it really felt like the industry colloquy. And the music people came to us and said,
Starting point is 00:22:27 hey, could you use blockchain to track the number of times songs are played? And the reason is, until today even, the streaming services give the labels a CSV that says, Snoop Dogg, 100 million plays. No one actually, there's no receipts behind that. It's literally just a cell, like the artist's name and the next cell over, number of plays for the month. Like there's no receipts for usage. Usage is the number one driver to how much money you should be making every month.
Starting point is 00:22:57 So it's really weird there's no receipts there. So the way that it typically worked when streaming took off, the music industry just adopted what they'd always done for physical, and that was always an audit period after three years. So every three years, they go and audit the partner. To do a usage audit, though, a forensic audit, not where I'm tracking the contract, not where I'm tracking revenue coming in, but how many times this song was actually
Starting point is 00:23:20 played, that could take them up to two years to complete. So you're talking about five years later, figuring out that five years ago, you should have been paid a million more dollars for this artist and two million for that artist, and that adds up to a lot. But all that money's been paid out. So you don't have this ability to sort of recapture that money from the streaming services because it's gone. So they came to us and said, we believe blockchain could be a solution. You're our weird crypto friend that also understands music, and we trust your whole team here. Morgan, my co-founder, had been a lobbyist on behalf of a lot of the majors for copyright protection, extending copyright law. And Poria was a really gifted machine learning AI engineer.
Starting point is 00:24:00 But at the time, we were doing a lot of crypto stuff together. And so they said, we believe your team could solve this. Will you build a real-time tracking tool? The question we were trying to answer at the time was how many times is every song actually played? Because you can't rely on the CSVs to just that they hand over. They're always wrong. What we learned from the offline audits where they pulled the usage logs in like 50 different audits was on an average anywhere between 20 and 31% discrepancy, always undercounted.
Starting point is 00:24:28 So imagine you're perpetually being paid 20 to 30% less than you thought you should have. That is where we started, and we built one of the fastest blockchains in the world at the time. We did 10 million transactions per second per region in a private permission chain. We have over 40 patents in seven countries filed, probably 30-something issued, and we built this technology. And when we went live is when we accidentally discovered fraud. This discovery would ultimately make him abandon this very blockchain company that he just built and take his life in a whole new direction.
Starting point is 00:25:04 We're going to take a quick ad break here, but stay with us because you'll never believe the fraud he discovered. This episode is sponsored by Meter, the company building networks from the ground up. If you employ and work with IT engineers, you're going to know how hard it is for them to do their job well. What your business needs is performant, reliable, secure networking infrastructure. But what you get is IT resource constraints, unpredictable pricing, and fragmented tools. What you and your engineers need is a modern platform you can all trust to support your
Starting point is 00:25:38 business. Enter Meter. Meter delivers a complete networking stack, wired, wireless, and cellular in one solution that's built for performance and scale. Alongside their partners, Meter designs the hardware, writes the firmware, builds the software, manages deployment, and runs support. That means less time your employees spend writing to multiple vendors and more time working and improving your IT systems.
Starting point is 00:26:00 Meter's full-stack solution covers everything from first site survey to ongoing support, giving you a single partner for all your connectivity needs. Thanks to Meter for sponsoring this show. Go to meter.com slash darknet to book a demo now. That's spelled M-E-T-E-R, meter.com slash darknet. And go book a demo. So Andrew and his co-founder, Morgan and Poria built a tool to track how many times the song is played. Since the music labels wanted him to do it, they were also helping him get in touch with these music streaming services
Starting point is 00:26:34 to try to work out a way for Andrew to see the real-time streaming data they have. So they made deals with these streaming platforms that they were able to see the play counts for the few music labels that they were dealing with. And their goal was simply to count the plays and make sure the artist got paid for what was played. But little did they know, counting plays was not accurate at all. We started seeing these weird clusters of users, like 8,000 users playing the exact same sequence of songs 63 times on a Sunday. Or users suddenly getting play counts in 17 different countries in the same week. Like, how is that even possible?
Starting point is 00:27:12 So we started noticing these discrepancies, and we went back to the labels and the streaming services and said, we think you have a fraud problem. And if we're supposed to be the leader or the sort of, the sort of trusted source of truth of how many times a song is played, and we're just telling you a song was played. We're not actually telling you the intent behind the play, and if it should still be counted. Like, you can't actually pay this out
Starting point is 00:27:33 because there's a bunch of fraud happening here that should be removed. And so until we can solve the fraud problem, we don't think we can solve audit. Like, that was the summary we came to after two and a half years, and it was a real challenging moment for the company because it's like you've been building this entire tool believing this is the one problem, and then you get there and realize someone said, hold my beer, and you have a totally different problem you have to solve with a completely
Starting point is 00:27:59 different skill set. I'm still shocked at the point that the streaming services didn't have this capability to detect this sort of thing. In podcast world, we have the IAB, which is a, it's actually a certifiable way of measuring metrics for podcast listens, and they have a whole list. They're like, okay, you know, if a user starts on their phone and then switches to their computer, is that considered two listens or one? If they have to download for over a minute before they can actually be considered a listen, you know, if it's streaming on the watch, the watch does things to grab MP3s very differently than how a computer might.
Starting point is 00:28:39 And so it looks like 500 listens when you come in from a watch. So you have to adjust for that sort of thing. And there's, and there's, you can look it up on how to measure podcast, which is very complex, complicated downloads. And I just can't imagine these bigger streaming services not wanting to have accurate download numbers, especially with paying before that. They must have had a whole team of people trying to figure this out. And you're saying, no, they didn't.
Starting point is 00:29:05 It was you that figured it out. They didn't. Like, at the time, major streaming services, enter your streaming service, had less than half a person dealing with this. Like, it was probably some data scientists, and they were mostly using rules-based anomaly detection. So like, did a song get played more times than literally possible? Like, did someone play a song 10,000 times this week? Well, that's really eye-opening or fascinating. It's hard to believe because when you're dealing with money, you have to pay accurately and it's crazy.
Starting point is 00:29:38 And like I said, IAB is a certifiable thing. You can actually pay them to come audit your monitoring, your statistics, and they'll confirm it. And then sponsors will be more likely to pay those numbers because you can say, no, it's been, you know, confirmed that we're IAB certified. 100%. Because when I've done podcast advertising, I always ask for the certs because I don't trust any of the numbers to be real. So I understand 100 because especially in the early days of podcasting, I feel like it was
Starting point is 00:30:07 just like reading tea leaves. Like nothing seemed to make sense. So this became Andrew's pivot. He was able to go to the music streaming services and convince them, look, you have some major fraud happening. Here's proof. And they didn't believe him at first. So he had to really show them how much fraud there was.
Starting point is 00:30:23 And they eventually said, okay, instead of monitoring just those music labels that you're supposed to, do you mind looking at all our stream music and see what else you can discover? And that just snowballed. One streaming provider turned into two, and he kept getting full unfettered download data for many online streaming platforms. Yeah, we're definitely the leader. We're the market.
Starting point is 00:30:43 You are such a unique position. I don't imagine there being even two companies that have this access compared to you. You're like, we have more data access than anyone in the music industry. No, I mean, I mean, there's no other person like you who's measuring like that. They don't, they don't say, oh yeah, let's, let's open this up to 500 companies to come watch our stats and make sure that we're accurate. You're probably the only one for these companies. We are the only one, yeah. We're, the competition here is zero for you. Yeah, totally, 100 percent. And it was, and in a lot of ways, you felt like we made the market, you know, because at the time, I remember going back to the
Starting point is 00:31:21 labels and streaming service and saying, I think you have a fraud problem. And literally, they laughed at us. They thought, especially the major labels thought it was less than 1%. Because keep in mind, their artists aren't cheating. So what they see is only their data, and they're like there's no anomalies here. But to them, it just looked like the independent market was growing. I would actually argue that most of the independent music growth has been from fraud, not from true independent market share increasing. Okay. Yeah, you gave me taste of a few of these things that you were noticing, right?
Starting point is 00:31:56 People playing things that are humanly impossible to play that much, and a group of people playing in different regions all at the same time. This suddenly sounds to me, because I come from cybersecurity world, this suddenly sounds to me like not exactly threat intelligence, But yeah, it sounds like you're looking at a security incident tool and trying to build signatures to detect when there's a security incident. And just the one that comes to mind for me is if I had 50 connections from some office, all go to the same IP address somewhere from different computers internally. Why did that happen? There might be a botnet in our company that suddenly said, oh, all.
Starting point is 00:32:45 all phone home at the same time, you know, get new instructions. And so I would immediately flag those 50 computers to be like, can someone do an antivirus on those to see what's going on there? And I was right. There was a botnet on that computer. And so I was like, okay, we've got a, you know, a way to detect when a botnet happens just by how in the world did this happen in the same millisecond, right? And so I imagine that's kind of the tools or the signatures.
Starting point is 00:33:13 How do you look at this? 100%. We're building, you know, we have probably close to 700 models looking for different things and it's constantly changing. So to give you examples, we found one where somebody had hacked a major artist delivery feed. So imagine, like, it's very common to have multiple registration numbers for the same song because it may be part of an album, a single, a deluxe version. It could have been done multiple times of different people in the supply chain. So what ends up happening a lot of times is a streaming service will concatenate that. pick one parent and a bunch of child sort of numbers, but that way they're all grouped together.
Starting point is 00:33:51 So in this case, someone had hacked the feed, put their version in, but the metadata for that, the payee was different than the actual label. So in this case, it looks like the same song, it sounds like the same song, has the same artwork as the same song, but who the finance team pays is different, and they were able to promote their version as the parent
Starting point is 00:34:12 and then manipulate those, you know, the payout. So in that case, they stole millions of dollars from that artist over an eight-month period. And when we found it, we found it by some of the ways that they manipulated the streams. Like, how do you become the parent to your question? Like, why did this happen right at the beginning? We found the manipulation early and then it stopped. And we were able to identify that there was something wrong in their data because of their manipulation. And then when we found that, we then built a model to find other artists that happened to.
Starting point is 00:34:42 we found 1,700 other artists that had been hijacked the same way over a course of a couple years. And so, again, like, they're constantly being creative. Another one we found, like, a little over a year and a half ago was a device we'd never seen. So why all of a sudden is this very specific device running up a bunch of streams? Like, we would normally see what, you know, for example, the Android system you're on,
Starting point is 00:35:06 like what the operating system, what the device is, etc. This is a device we'd never seen. and it turned out it was owned by the Department of Corrections, and someone had hacked the prison system and turned all the prison tablets into a streaming farm. Wow. Tell me more about that. How did that happen?
Starting point is 00:35:24 I don't know how they hacked it, but the net effect was that they had turned, I think it was like 400,000 devices into a streaming farm where they were manipulating streams from streaming players. And so I guess I didn't even know, to be honest, that prisoners had devices. But in a lot of states,
Starting point is 00:35:44 they have, you sort of pay, I think by the minute or whatever, you pay for these devices. And there's a handful of applications that are approved. It turns out most of them are runs
Starting point is 00:35:54 or slash owned by a private equity company or a couple private equity companies. And someone had just simply hacked the devices. And were able to use them all in sort of a bot network that we hadn't expected at the time. And how did you spot that? Because the device type was something new and different. Like we'd never, because we get all these different. So why all of a sudden, in context, it seems small, but we have all these types
Starting point is 00:36:22 of community clustering techniques that are looking for different parameters and features. So let's say that we get, I don't know, 500 fields. Like we'll get gyros, at this point now from streaming services, we get all kinds of stuff, gyroscope, battery life, orientation of phone, everything you've done in an app. Like, we're catching a lot of different data anonymized, but in individual, like, but hash. The streaming service app is collecting that, and then you're seeing that as well. We're seeing an anonymized version, generally hash data so that we don't have any PII ever. But that's, yes, we're seeing all of the stuff and then triangulating it and saying,
Starting point is 00:36:56 why are all these exactly the same? And we've never seen this unique device. So what's happening here? And then it just turned out that that one device is specifically made for the Department of Correction, then no one else buys it. So it leads you to sort of one vendor, which then allows you to sort of like unravel the rest. So that was like a very interesting case. And then what do you do with that?
Starting point is 00:37:21 Do you say, okay, streaming service, here's a device type that we should just not. We demonetize it all. Yeah. So we don't pay any of those streams out. But you block that, I mean not block, but you demonetize that device type. You can do that granular or? Yeah, for sure. We can say these don't get paid.
Starting point is 00:37:39 I mean, at the end of every month, what happened is we have three sort of primary checks. We check daily to see what fraud we're catching so that it gets removed out of product level stuff. So recommendation engines, algorithms, et cetera, we sort of downweight anything we see that's fraudulent, so we don't make the problem worse. The second thing we do is we do weekly updates for charts. So if we see anything on the charting side, you're allowed to update the charts weekly. So we'll update the charting information. That's way less common because, again, most big artists aren't cheating, at least on the streaming side. But again, we sort of just safeguard that.
Starting point is 00:38:18 And then the last one, which is the real one, is the money payout. So at the end of every month, we do the check for the entire month. And because there's stuff we'll catch right. Like the really obvious fraud we'll catch day one. But there's some fraud that takes us along, like you need more of a longitudinal view to see how they're interacting over the course of a week, two weeks, three weeks. there's all kinds of cases, for example, that when we first started, we would catch it no longer happens anymore. So in the early days, I'm guessing as engineers were lazy or it's just easy. Like, how do you deal with checking for anomaly detections for months where they have different days of the month?
Starting point is 00:38:57 So what we often are, you know, that 29 days, 28 days, 30 days, 31 days. So a lot of times what they would do at the end of the month is pull the first 28 days. And I don't know how fraudsters figured this out, but starting in day 29, they would jam all their fraud through. So you see massive numbers, 29, 30, 31. And so they would end up getting a large percentage of the pro rata pool, but they only ran their fraud at the end to sort of like get away from whatever was being checked because a lot of the sort of anomaly detection checks initially in the early days were the first 28 days,
Starting point is 00:39:29 just to simplify it. So again, we find all these weird sort of techniques that they would use and we would shut them down or demonetize them. In some cases, the streaming services, when we return the data back, they take action. So sometimes the streaming service will decide to completely remove all the content, just say this is all fraudulent. So in this case, for example, really obvious stuff. So less than 100 real users have streamed this.
Starting point is 00:39:56 99.99% of all of their streams historically are from fake accounts. like, you know, maybe they have less than a total of 2,000 streams total. Like, whatever it is. Like, they're going to have these sort of rule sets we have in place to make sure it's only the worst of the worst fraud. And then the streaming service will just straight remove that content. They'll take it off the platform entirely. That seems to be incredibly effective because the fraudsters realize they're caught and they just stop on that or go to different services. So I think our approach has been less, like, we.
Starting point is 00:40:30 I'm not naive enough to believe we'll always stop fraud. I think historically you can look at all fraud and say that's never the case. There's always going to be smart people and they're going to try different techniques. But I think we can make it so difficult that they just go to other industries. It's so interesting for me to listen to him talk because this isn't a cybersecurity story. Yet everything he's saying is exactly what happens in cybersecurity land. You set up monitoring tools. You build rules to detect problems.
Starting point is 00:40:59 And then you make it harder for people to exploit those things again. And they did it all from scratch. We all know in cybersecurity, you can never stop hackers, but what you want to do is make it so hard for them that they move on to an easier target. That's something I've heard again and again,
Starting point is 00:41:14 yet that's what he's doing in this world. And some people always reach out to me and complain that when I do an episode that's not cybersecurity related, that they get upset. But listen, this show is about the dark side of the internet. And to me, that encapsulates way more than just cybersecurity.
Starting point is 00:41:30 It's about all the hidden stuff that you never see or experience. I want to shine a light on that shady, dark, gritty underground aspect of our digital life. The fraud and the manipulation of algorithms, the websites and technology, the people who abuse it. And of course, hacking and cybersecurity too. I was trying to find a link I had a long time ago. I've actually seen many Reddit posts where people are saying, hey, what's up with my Spotify account? It suddenly shows that I've played
Starting point is 00:42:04 a whole bunch of these artists that I've never ever even heard of, much less played. I don't understand why my Spotify is showing that I've played these, and it's recommending all this other stuff. Totally. Accounts takeover. That's a huge percentage of what we see now. If you think about, I mean, you're in cyber, so
Starting point is 00:42:19 imagine it's a giant arrow back to you. If all of your bots look the same, it's easy to cluster them. If they're behaving the same way, it's easy to cluster them. If they are all streaming one artist specifically, it's like a giant arrow back to that artist. If they're all streaming from one distributor,
Starting point is 00:42:35 is a giant arrow back to the distributor. So you need to hide the needle in the haystack. And the easiest way today to do that, or like what we've sort of, I'd say for the last three years, put a lot of R&D in to catch, is account takeover. So they'll log in as you,
Starting point is 00:42:49 play a song five or six times and then leave. Then all of the stuff you do naturally just hides whatever they did. So they don't have to create that. They don't need to make differences. You don't need to sort of program in artificial changes in your bots. You just basically log in as somebody, play five streams and hope they don't notice. And I would say that that's really common these days.
Starting point is 00:43:11 That's the number one growth area for fraud that we catch is account takeovers in general, or adding devices to family plans. So we'll see a device that's an iOS that's legit, a Tesla that's legit, and then an Android that's all fraud. Wow. Okay. So what I don't understand is how they're taking over the accounts. You say it's one of the biggest things you're seeing.
Starting point is 00:43:31 How are they getting so many Spotify accounts or whatever streaming service? So there's a couple ways. The simplistic ways are, you know, like 90% of internet logins are just people trying different data breach passwords and usernames. And I would say that most streaming services are not high on people's priority list for protecting. So, you know, and there's a sort of product question about how much friction do you add into a service to make it difficult for users. because it hinders growth, right? So I think there's an interesting friction point there between how secure do you make a streaming service on the user end
Starting point is 00:44:09 and how much do they actually care? And do they really care if their account was used to play a song 10 or 20 times? I don't think they're realizing how much damage it does in aggregate. So there's that issue, I would say. I mean, you've been on the whole series. It's called Darknet Diaries. Like you get on the Darknet and download these accounts, quite easily. I think at one point, to prove a point, you know, we went on and downloaded and
Starting point is 00:44:34 showed people some executives that I could get 100,000 accounts on every single streaming service immediately. It gives you the infection date and the last login date. You can even get, if they have malware on the actual device, you can even get sort of all of the browsing history, too. So if you want to like warm up the IP before you use it, you can kind of mimic their behavior before you log in. There's lots of this stuff existing. There's also an API that we found in the dark, in the dark net,
Starting point is 00:45:04 where they own like tens of millions of these accounts, and they will spin them up for you. So you basically tell them the parameters of the types of plays you need, and they make sure that no single account is overused or indexed too hard, and they actually create the fraud for you. So they, like, it is a fully professional, industrialized supply chain for fraud at this point. Wow.
Starting point is 00:45:33 Seriously, wow. He's shown streaming service execs that he can get 100,000 accounts on their platform instantly because after a data breach, there's communities of people who parse through those usernames in the data breach and pluck out all the streaming service accounts or even try to use those usernames and passwords on a streaming service to see if they reuse passwords.
Starting point is 00:45:56 And from that, they build these giant lists of users for each streaming service, and that list is valuable because if you can manipulate the streams, then you can get paid by these streaming services. I'm just astonished because when I hear how bad the problem is like this and how easy it is for people to get access to our stuff, it's like a cold, wet slap in my face. I kind of go through this process again and again when making the show. At the beginning of this episode, I'm like, ooh, these are some interesting techniques, maybe I'll try one of these on my show. But by this point of the story, I'm so mad that these companies aren't protecting our data,
Starting point is 00:46:35 and it's just exposed on the dark web only for fraudsters to use to make money for themselves off my account. Because it's our data. It's not some nameless victim out there. It's yours and mine that these people are gaining from. And I've done this show long enough to know that there is no way from keeping our data from getting leaked. Which makes me black-pilled, right? And like, okay, I'm giving up. Oh, well, my data's out there.
Starting point is 00:47:00 I might as well just assume I have no privacy anymore because it's out there like all over the place. And I just totally forget about protecting myself. But I don't like feeling hopeless. I'm not someone who gives up forever. I'm an optimist. I'm a fighter. And I don't mind hard work.
Starting point is 00:47:20 So then I get this surge of ideas. And it makes me white-pilled. Because then I realized, wait a minute, who's the ding-dong who told them my address and gave them my password and username and telephone number and all that stuff. I am. Hell no.
Starting point is 00:47:33 No more am I telling these companies my real name or phone number. I am not going to reuse passwords or even reuse email addresses anymore. It's a war out there. And I've got to take care of my own data since no one else will. Okay, anyway, the name of the company that Andrew co-founded was called Beatdapp in order to analyze music streams to detect fraud. And he abandoned the original idea of using. the blockchain to help these labels get paid properly.
Starting point is 00:47:59 And he focuses on this now, pretty much entirely working for streaming services now. Yeah, well, I guess what I'm wondering is you almost need a black hat person who knows that the cheating industry who's been there to actually sit down and look for these, so look for things you haven't found yet, right, to find new signatures. Fully agree. I think I'm that guy, probably. Yeah. Yeah, like, you know, the music industry will often say, I'm their hacker now.
Starting point is 00:48:26 You know, like I've switched sides. And I think the side switching is mostly industries. I would say for me, the difference is that users no longer have to actually engage with the content for that artist to get paid. What I did back in the day, I really believe was in service of the artist. If the artist is good, the people will listen, consume, and adopt it. If the artist is not, they will let you know right away that it's trash. And I think that has changed in a sense that you can be a trash artist that manipulates lots of stream and gets paid without actually being good or having real users or being able to sell 10 tickets to an event. So I just think they're now stealing from other artists.
Starting point is 00:49:15 Yeah. So you're saying it's now more of a financially driven thing and not so much a let's try to market this person and get them to break out. But I pushed back at you because you did that ad arbitrage where you're like, hey, we could print money by charging this much CPM and then actually just paying for somebody to come here. So you were financially driven in some aspects as well. It wasn't always, oh, let's just market someone. I regret that and thank God that the statute of limitations has passed because it was definitely not my proudest moment for sure. What I didn't realize is that musicians don't get paid.
Starting point is 00:49:54 per stream on these platforms. Instead, they get paid a percentage of what advertising revenue came in for that month, which means fraudsters are stealing money from real artists. Okay, so the way the music industry works is that there's one, I'm going to simplify this because it's a little more nuanced, but generally speaking, there's one pool of capital. Every month, a streaming service makes money from advertising revenue
Starting point is 00:50:17 and subscription fees. Now, this money goes into one pot, and it's paid out every month based on play count. So if you're an artist and you make, you did, let's say, 100,000 streams, and that streaming service did a million total streams that month, you get 10% of that pot. You get your percentage of streams for the whole entire streaming ecosystem you're in of the revenue. So it's a performance pro rata. What happens is you could release a song in November and do a million streams. and get paid $3,000.
Starting point is 00:50:55 And that's correct. You could release the same song and do a million streams in February and get paid, I don't know, $500. And that could also be correct. The reason the numbers could be different is that month, the advertising might be smaller because they'd spent, like, especially in February or January,
Starting point is 00:51:13 they'd spent a bunch of money for Black Friday and holidays and advertisers weren't spending as much in January, February. You could have less subscribers. you could also have a major release. So like say a Taylor Swift released a track or an album and all of a sudden the majority of streams are going to Taylor Swift, then your pro rata goes down.
Starting point is 00:51:32 So you could actually have wildly different amounts of money you make for the same general performance because it's a performance-based relative to the entire industry. So if you do 1 in 10 streams, you get 10%. If you do 1 in 20 streams, you get 5% and so on. So why that matters and how you steal is that fraudsters will load millions of songs onto streaming services. As if they're independent artists,
Starting point is 00:51:56 they'll create different independent artist names, different independent artist labels, they'll put them in different parts of the world. So it just looks like they're from different people, different regions, different companies. They will load those direct, do-it-yourself like DIY to streaming services through distributors. So the distributor is an aggregator who, you know,
Starting point is 00:52:16 if you're an independent artist, you upload to like a DistroKid or a TuneCore, or a Symphonic or whatever. And they basically do put all the data together and all the pieces together and upload it to the streaming services for you. So they do it in one shop for you. So instead of you going and uploading
Starting point is 00:52:30 to 100 different streaming services, you go to this one provider and they aggregate it and put it on to all the stores for you. So these fraudsters will create fake artists, fake labels. They'll use 15 or 20 different distributors so there's not one point of failure. They'll upload, so they'll get millions of songs
Starting point is 00:52:47 on the streaming services. And then here's the key. key. They will play a bunch of these songs small amounts of times. They do not want to get noticed. You don't want an artist that charts that's not real. You want to generate, you know, thousand, 3,000, 4,000 streams, but you don't actually, like, no one notices the song with 3,000 plays. So if you create small number of streams across a large number of artists, then your aggregate pro rata, like the amount that you actually have of all of the pools for that month, can dramatically increase because you're stealing pennies.
Starting point is 00:53:21 It's basically like, you know, Office Space. You're stealing pennies from all of these different artists. They just don't realize it, but in aggregate, it's a large amount of money. And so the way that it works today is about $3 billion worth is stolen from real artists because it's going to people that are not real artists.
Starting point is 00:53:38 Wow, $3 billion is going to fraudsters who are manipulating these streaming platforms. That's incredible. It's apparently very profitable to go through all this process of making tons of songs and getting someone else to play those songs across hundreds of thousands of accounts, it seems like a lot of work, but, man, it's really paying off for them. And if it's paying off, then that means it's only going to grow. So a few times you've made the hair on my neck stand up when, because I'm a big privacy advocate,
Starting point is 00:54:11 right? And I'm like crazy into it, like I'm freak about it. And so you've talked about like some of the metrics you're getting from some of these apps, such as gyroscope and battery life. And as a privacy person, I don't understand why I need, you need to get my gyroscope information in order to just let me play a song. But on the other side, when I went to actually, you know, take ads out on some of these platforms to say, hey, market, you know, a legitimate ad on the platform, they'll ask you, hey, when do you want someone to listen to this ad? Do you want it to listen while they're working out while they're having sex when they're making dinner.
Starting point is 00:54:49 I'm like, how the heck do you know when someone is making dinner? What is going on here? And so the amount of information that these streaming platforms have on us is crazy. I don't know what question I have, but it just, like I said, it makes my hair stand up. I agree, but I would say for us, just know that in most cases they treat that data like it is the most important day. Like, I mean, they treat it.
Starting point is 00:55:14 Having come from healthcare in the previous company, they treated it a level way higher than healthcare. Like crazy. Like, HIPAA compliant times 10. Like, they are insane with this data. They hash everything. They're very particular about how it gets to us, how it gets back. We get security audited.
Starting point is 00:55:31 We have an entire internal security team. Like, it is very, like, it's partitioned in lots of ways. So even if you get to one piece, you can't get to the rest. Like, we are insane because they make us be insane with it. And again, at the end, end of the core you're like it's just streaming data. But people are stealing $3 billion a year. So that's a massive amount of money that is going sometimes to people like terrorist organizations and organized crime, not some kid in a basement. So the argument also is I think that there's
Starting point is 00:56:04 some large level implications for where this money goes and what happens. But I will say that the streaming service side treats that data, whether or not you want them to have it, they treat it like it's very, very important. I've never come across the streaming service that casually allows data. And even then, when we decide exactly what fields we need from different streaming services, we then reject the rest of the fields. We take the least amount that we need to do our job once we built the models. And then if we build a new model, find a new thing that we need to do, we re-ingest that data and build again. But we don't typically just like, sit on all this stuff, even if it's anonymized, because we just don't want it.
Starting point is 00:56:43 And so, again, my point is, I feel they've been very responsible with it, if that makes you feel any better, even though they have it. You said terrorist organizations. Yeah, like, it's like, imagine that you could move money through a streaming platform without anyone noticing. So what you do is you take dollars, you turn it into crypto at crypto ATMs, you pay the streaming farm operators in cryptocurrency to stream a certain amount of songs. Those songs are owned by different entities globally. So quite literally, you could move money from Colombia to Doha through the streaming service. It'll all be washed and clean through the streaming services themselves, directly funding terrorist activity. So the artists that they're playing is an artist that they're controlling because they're getting paid because...
Starting point is 00:57:33 They're making fake artists. They're putting fake artists names up. They're taking music that's not theirs. so they might hack, for example, Dropbox accounts. Because you figure one out of every hundred songs, typically, in artist releases. So there's a huge back catalog of artists' songs that have never actually been distributed. And when they're distributed is when they're fingerprinted. So a lot of these don't have fingerprinted.
Starting point is 00:57:56 So if you upload them and there's no fingerprint, the streaming service and the distributor feels that you are the rightful owner of that song because they've never seen it before. So now you can take old songs that have never been digitized, make them your own, and then manipulate the stream. So the first step is just getting the music. The second step is manipulating the stream so you get paid. If you're the terrorist organization and you build all this infrastructure,
Starting point is 00:58:20 you might have literally, let's say, 30 different music label entities around the world, all using different distributors with, I don't know, 100 quote-unquote independent artists in each, and then you're going to just run small numbers of streams to those on 100 different streaming services and slowly get paid. But that money will be clean and end up from one location to another without you ever having to actually transport the cash.
Starting point is 00:58:45 And you think that's, I mean, looking at those numbers, how much cash do you think that they're transporting? Hundreds of millions of dollars. Well, I was going to guess a percentage here, right? So like if I have $100 million and I say, and you can transfer this, 80% of it makes it? Oh, percentage wise of the dollar? Like 40 to 50%. Yeah, because it's not very... See, they're losing a ton of money in the transfer then.
Starting point is 00:59:13 But it's better than leaving it in cash. And like, honestly, that's what typically... How do you move this much cash? They're going to pay someone to wash their money regardless, sometimes 20, 25%. They're going to pay a large amount of money anyway. Then they still need to move that money and sort of pay taxes on that money when it ends the other pay.
Starting point is 00:59:29 You end up losing a lot anyway. So your other approach is just to hide it somewhere or keep it as cash and find other fronts to move it through. It actually ends up that over the last 10 years, the music industry, as it was growing so fast, was a really like opportunistic place to hide or wash money because no one was watching it. Now I think I've come full circle on you saying you were a gray hat because I was saying to myself, if you're breaking the terms of service, it's black hat. And now I'm like, wait a minute, if you're breaking the law, that's black hat. This is different than terms of service. Yeah, that's how I feel.
Starting point is 01:00:09 Like, you know, like I didn't break laws. I just definitely didn't agree that I wasn't allowed to do something. Yeah, and now it's getting crazy where hundreds of millions of dollars are being sent from who? Who's involved in this? Well, imagine any kind of illicit activity, you can move the money to your partners. You can send, you know, how we potentially caught one, for example, is like you'd see the exact same percentage. Like, let's say that you have a million users all playing music. I'm just going to use Colombia as an example.
Starting point is 01:00:39 But the beneficial, if you think about who the artists are that's benefiting from those plays, it would be abnormal in one case, for example, where we saw, like, I'll give you, I don't remember the exact number, so I'm going to give you examples here, like 12% always in a Hong Kong entity, and 30% in a Canadian entity,
Starting point is 01:00:55 and 40% in a Middle Eastern entity, and like, you know, maybe another 10% somewhere else. And so if all the numbers of streams are changing every month, but the beneficial owner percentage is exactly the same, it looks as if someone's moving money from one location to another location through these other entities. So the moving part is that they're paying bots or listens or streams.
Starting point is 01:01:20 Yeah, they're paying a streaming farm to create the streams, whether they're doing it through account takeovers or bots or whatever. But the end result is they've uploaded as owners under these different entities, all of these fake artists that have songs on the streaming services. There's roughly 100 streaming services globally. So they're uploading it on all these streaming services, and they're telling these streaming farms to go play those songs across all the services. And then the person who owns that account is getting paid for their streams,
Starting point is 01:01:51 and then the money is arriving to where they need to send it. Yeah, exactly, because now the streaming service thinks, oh, XYZ label in Hong Kong had X percentage of the total streams. We have to pay them out. So it gets paid through the distributor and paid to them, and they just get paid. This is one of those stories that I feel like the floor has dropped out in my head of like, oh, yeah, we, we, we have, I have a good understanding of how money laundering happens
Starting point is 01:02:16 and how things get sent here and there and how you clean money. But then when you see, when you hear about stories like this where, oh, yeah, they're using a streaming service to launder money and send it across the globe, suddenly my head's like, well, you could do that with buying and selling things on the Steam marketplace or, or Roblox accounts or any, any other marketplace that has money shifted here and there. And this isn't even like a straightforward like, here, I'm buying something from another user.
Starting point is 01:02:42 This is, oh, they'll pay us for streams. If we can get the streams, then we can get paid. It's such a roundabout way of, you know, a convoluted way to launder money that it's blowing my mind. And it just makes me think that every single place that has money going in and out is probably getting hit with something like this. 100% agree. And I think the more convoluted, the better for them.
Starting point is 01:03:04 Because it's so much harder for the average person to understand how the money moves. Because, I mean, even something like Twitter is you get paid for how much engagement you have, right? And so you can totally. Oh, yeah. Any of these engagement-based activities, like, especially in Web 3, anything at the time, a couple years ago, there was like this big push with treasury tokens. So you'd get paid every time people interacted with you on SocialFi platforms or any of these
Starting point is 01:03:29 GameFi stuff. Like, you could manipulate all of this stuff and then get tokens and take it to market and sell it. It's crazy to me that there's a dark web API that has access to millions of online streaming accounts. And if you feed it money, you can get all your songs played a bunch. And I bet whoever runs that hates Andrew. I mean, I've had a couple of them do crazy stuff, like reaching out or say things. But I would say that generally, you know, we were talking once our lawyer for the company is this guy named Jim Trusty, he was the former chief of organized crime from the DOJ.
Starting point is 01:04:04 And he told me once that the good news is they don't typically shoot the border guards. It's kind of a gentleman sport. So I would say that most of them just changed their tactics and changed the way they behave. I also think the industry's progressed. In the early days, there was some real trepidation or fear around what happens because there's a handful of people that know what's going on here. And I would say now every single streaming service has a trust and safety department. Every single stream, you know, label has a fraud, trust and safety person. So the industry
Starting point is 01:04:36 has changed over the last three years in a way that I would say I feel less scared about, like, if you did something to me or my co-founders, like this is not going away at this point, the cat's out of the bag. But I would say there was a real moment in the early, you know, 2021, 2022 where we were actually very concerned about like what happens. Yeah, I mean, especially, especially if you've got cartels that are moving money in big ways and they're like, like, okay, let's put a stop to these guys. I can see them being upset with you. I mean, that was my concern, but again,
Starting point is 01:05:07 I think we sort of like whether or not it was naive at the time, it was more like, oh, well, they don't normally shoot the border guards. They just find a different way to move the money, you know? And do you ever point the feds to someone and be like, hey, these guys are breaking a lot of laws? Like, I don't know, Darkweb API or, you know, cartels moving money, and be like, we've got to report this to someone more than just the streaming service. Yeah, in some cases, when we find things that are outside the data that is given to us in privacy,
Starting point is 01:05:36 then sure, we might tell people. But generally speaking, we report the results back to the streaming services, and then they determine, and the distributors, for example, and the collection societies, right, they determine then who they want to work with on the government side to prosecute. Because that's typically a long road, three to five years, sometimes, especially in multiple countries, you've got to deal with Interpol and all kinds of different activities.
Starting point is 01:06:03 And so I think I would say that's an area that's emerging, but we provide all the evidence that they need and help them package it to whoever agency they're going to. But typically they are the ones that are the ones actually determining whether or not they're going to pursue it. Okay, I'm now changing my mind. What Andrew did when he was younger, I used to say was Black Hat Marketing,
Starting point is 01:06:25 but now I'm going to say he was doing Gray Hat Marketing, gray hat marketing. Aside from the ad arbitrage stuff, all he did was violate the terms of use on websites like Facebook and YouTube by artificially inflating the numbers. Coming into this, I would have said that's black hat, but not now. Now I think these cartels or terrorist organizations that are moving hundreds of millions of dollars through these streaming platforms, that's black hat marketing. That's some real dark stuff. Anytime these streaming services have to call the authorities on someone, that's what I think is black hat marketing at this point. And I suppose because now that I've seen such an extreme
Starting point is 01:07:03 side of this marketing, I'm no longer so judgmental about somebody having a bunch of fake followers on their account to help them break out. Because really, the fake followers and algorithm manipulation can only go so far. If they're a bad musician or whatever it is they're creating, they'll never take off no matter how many fake streams they get. But if they are great, and people really love them, then that was just a growth hacking technology to kickstart their journey. And after they break out, there's no longer a need for all the fake followers.
Starting point is 01:07:33 You do run the risk of getting banned off those platforms, so I don't recommend doing it. But now that I think about it, banning users is really tricky. Because suppose Twitter has a way to detect when there are fake followers, right? And they automatically ban someone if they have like 60% of their followers are fake.
Starting point is 01:07:53 Well, then imagine someone gets millions of fake followers to follow Elon. And he gets kicked off for having a majority of fake followers following him. You see, you can use these bans as a weapon to get someone else banned that you don't like. So banning users for having a bunch of bots following them is really, really tricky. And maybe you can't even do it. With all this information you have, you've got to have probably some sort of restriction on what you're allowed to say. Because if there is, I mean, you can see who the top artist of the day is. You have so much data.
Starting point is 01:08:25 You can see how many streams are getting, you know, and all this sort of stuff. And, you know, magazines like Pitchfork, I don't know, Pitchfork, but, you know, whoever is the music industry magazines would love to know who is the top, you know, streamer of the day or a week or month or something like that. And a lot of this stuff is kept quiet. I mean, we get to see some statistics of what's how many downloads a song has, but we don't see very much of, you know, that. And you could have such an outstanding
Starting point is 01:08:55 blog of like, here's what's going on today. And people would just flock to it. It would be huge. But you're probably not allowed to share that kind of information. It's our core promise to all of our vendors. Like, you give us your data. We do not monetize it in that way. So we provide your results back as a true financial tool and trust and safety tools.
Starting point is 01:09:15 We do not monetize it in any kind of marketing, any type of market reports. Like, we will not monetize the data they provide us. They pay us an annual service fee so that we aren't incentivized to find more fraud than there is. If there's not a lot of fraud, we tell them. If there's a lot of fraud, we tell them. Like, we are just a trusted source of truth, but we do not, we don't monetize that data anyway. Yes, we could probably build a massive company, but I'm not sure they would trust us in the same way. And I think that's why a lot of these marketing level companies that do aggregate data,
Starting point is 01:09:46 they get very limited data sets because they, you know, the biggest fear for these services is the state of being public or going other places. So we are, we're allowed. We are privileged enough to handle it because we've built a large and strong level of trust with all of our partners. And they know that we would never violate that trust. Yeah. At first I was thinking as well of like, oh, you're saving all these streaming companies money by saying, hey, don't pay these people because they're not doing it. But at the beginning, you told me, no, there's a big pool and a percentage goes out to whoever gets the streams.
Starting point is 01:10:23 And so I don't think you're saving these streaming companies any money at all because they have to pay out 100% every month or whatever. And whether it goes to the right person or the wrong person. Okay. We're a cost of doing business for them. I would say in some cases they save money. So this is where it gets nuanced. Like what I've been talking a lot about is what's called interactive streams where people get to choose what they listen to. But in cases where it's non-interactive, like think of it like online radio, they have to pay a set rate out.
Starting point is 01:10:52 there's a rate card that's sent. So when you remove the fraud from those, they actually do save money. So in some cases, in some areas, they'll save money. But I would say generally across the board, they're probably not making money off of us if they're interactive.
Starting point is 01:11:08 So if they offer a service where you get to choose what you listen to, they're probably not making money off of us. But they also, if I'm being honest, don't want to be the executive who's perp-walked for funding terrorism. So there is, there is an existential risk, and also you figure the major labels are huge victims here.
Starting point is 01:11:28 Keep in mind, if you're a major label, you own and distribute probably over 80% of all revenue-generating content. Not just all content, but revenue-generating content, like royalties, are coming primarily from the major labels or the independent labels they distribute as a major. So when you look at it as a whole, if you're a streaming service, and 80% of the things people are listening to are controlled by these three parties, and they're saying we're tired of being victims. If you do not have a service like this, you cannot have our content. It moves a lot of needles.
Starting point is 01:11:59 Wow. Well, so much of this was so illuminating to me. I did not know about this world much at all. I mean, I told you what I do know, and there was a few things here and there. But, man, there is so much I've learned here. Thanks so much for coming and telling me all this. Yeah, thanks for having me on.
Starting point is 01:12:13 It's been really fun. Again, I appreciate you making a time for me. This show is created by me. hashed brown, Jack Rhysider. Our editor is our friendly sysadmin, Tristan Ledger, mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder. Well, I don't know about you,
Starting point is 01:12:37 but the next time someone makes fun of me for the music I listen to, I have the perfect excuse. No, no, my account's been hijacked. It plays random stuff, I swear. I can't stand this band. You kidding me? This is Darknet Diaries.
