What impact did this fraud have on the music industry?

The scheme diverted substantial royalties from legitimate artists and rights holders, undermining the integrity of streaming platforms and their compensation systems.

What measures can prevent similar AI-driven frauds?

Implementing advanced fraud detection systems, monitoring for unusual streaming patterns, and enhancing verification processes for uploaded content can help mitigate such risks.

Unveiling the $10M AI Bot Streaming Fraud by Michael Smith

Discover how musician Michael Smith exploited AI and bots to defraud streaming platforms of over $10 million in royalties.

Published: March 21, 2026

Share this on:

Executive Summary

Between 2017 and 2024, North Carolina musician Michael Smith orchestrated a massive streaming royalty fraud scheme, generating over $10 million in illicit earnings. Smith acquired hundreds of thousands of AI-generated songs, uploaded them to major streaming platforms like Spotify, Apple Music, Amazon Music, and YouTube Music, and employed automated bots to artificially inflate play counts by billions. To evade detection, he utilized virtual private networks (VPNs) to mask the bots' activities. This operation not only defrauded the platforms but also diverted substantial royalties from legitimate artists and rights holders.

This case underscores the growing misuse of artificial intelligence and automation in perpetrating sophisticated financial frauds. As AI technologies become more accessible, industries reliant on digital metrics must enhance their fraud detection mechanisms to prevent similar schemes that exploit automated systems for illicit gain.

Why This Matters Now

The increasing accessibility of AI tools has enabled sophisticated fraud schemes, highlighting the urgent need for enhanced detection mechanisms to protect digital platforms and rightful content creators.

Attack Path Analysis

The adversary initiated the attack by creating AI-generated songs and uploading them to streaming platforms. They escalated their capabilities by developing and deploying AI bots to stream these songs, thereby inflating play counts. The bots moved laterally across multiple streaming services to maximize the fraud's impact. Command and control were maintained through the bots' continuous operation, often utilizing VPNs to evade detection. The exfiltration phase involved collecting fraudulent royalty payments based on the inflated streaming data. The impact was significant financial loss to legitimate artists and rights holders, amounting to over $10 million.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

Medium

Command & Control

Medium

Exfiltration

High

Impact

High

Initial Compromise

Description

The adversary created AI-generated songs and uploaded them to various streaming platforms.

Confidence:

High

MITRE ATT&CK® Techniques

Resource Development

T1588.007

Obtain Capabilities: Artificial Intelligence

Impact

T1656

Impersonation

Initial Access

T1566

Phishing

Defense Evasion

T1078

Valid Accounts

Command and Control

T1090

Proxy

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Incident Response Plan

Control ID: 12.10.1

The fraudulent streaming activities indicate a lack of effective incident response mechanisms to detect and address unauthorized access and misuse of systems.

NYDFS 23 NYCRR 500 – Cybersecurity Program

Control ID: 500.02

The incident reveals deficiencies in the organization's cybersecurity program, failing to prevent and detect fraudulent activities leveraging AI and bot technologies.

DORA – ICT Risk Management Framework

Control ID: Article 5

The exploitation of AI-generated content and automated bots for fraud highlights inadequate ICT risk management practices within the organization.

CISA ZTMM 2.0 – Identity and Access Management

Control ID: 3.1

The use of valid accounts and proxies to evade detection underscores weaknesses in identity and access management controls.

NIS2 Directive – Security Measures

Control ID: Article 21

The incident demonstrates insufficient implementation of appropriate technical and organizational measures to manage security risks posed by AI and automated systems.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Entertainment/Movie Production

AI-generated content fraud threatens royalty distribution systems, requiring enhanced streaming platform security and authentication mechanisms to prevent automated exploitation schemes.

Music

Direct financial impact from fraudulent AI bot streaming diverts legitimate artist royalties, undermining industry revenue models and requiring robust fraud detection capabilities.

Computer Software/Engineering

Streaming platforms vulnerable to AI-powered bot networks exploiting content delivery systems, necessitating advanced anomaly detection and egress security policy enforcement measures.

Financial Services

Payment processing systems exposed to wire fraud schemes involving AI-generated content monetization, requiring enhanced transaction monitoring and compliance validation controls.

Sources

Musician admits to $10M streaming royalty fraud using AI botshttps://www.bleepingcomputer.com/news/security/musician-pleads-guilty-to-10m-streaming-fraud-powered-by-ai-bots/
Verified

North Carolina Man Pleads Guilty To Music Streaming Fraud Aided By Artificial Intelligencehttps://www.justice.gov/usao-sdny/pr/north-carolina-man-pleads-guilty-music-streaming-fraud-aided-artificial-intelligence-0

Verified

North Carolina Musician Charged With Music Streaming Fraud Aided By Artificial Intelligencehttps://www.justice.gov/usao-sdny/pr/north-carolina-musician-charged-music-streaming-fraud-aided-artificial-intelligence

Verified

Frequently Asked Questions

Smith uploaded AI-generated songs to streaming platforms and used bots, masked by VPNs, to artificially inflate play counts, resulting in over $10 million in fraudulent royalties.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the adversary's ability to exploit cloud environments by enforcing strict segmentation and identity-aware policies, thereby reducing the blast radius of such fraudulent activities.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: Implementing Aviatrix CNSF could likely limit unauthorized uploads by enforcing strict identity-based access controls, thereby reducing the risk of initial compromise.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Aviatrix Zero Trust Segmentation could likely limit the bots' ability to escalate privileges by enforcing least-privilege access and segmenting workloads.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Aviatrix East-West Traffic Security could likely limit lateral movement by monitoring and controlling inter-service communications, thereby reducing the spread of malicious activities.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Aviatrix Multicloud Visibility & Control could likely limit the adversary's ability to maintain command and control by providing comprehensive monitoring and control over multicloud environments.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit data exfiltration by controlling and monitoring outbound traffic, thereby reducing unauthorized data transfers.

Impact (Mitigations)

Implementing Aviatrix Zero Trust CNSF could likely limit the financial impact by reducing the adversary's ability to exploit cloud resources, thereby protecting legitimate stakeholders.

Impact at a Glance

Affected Business Functions

Royalty Distribution
Content Integrity
Fraud Detection

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: $10,000,000

Data Exposure

n/a

Recommended Actions

• Implement AI-generated content detection mechanisms to identify and flag synthetic media uploads.
• Deploy anomaly detection systems to monitor for unusual streaming patterns indicative of bot activity.
• Enforce strict access controls and monitoring to prevent unauthorized use of streaming services.
• Utilize VPN detection and blocking techniques to identify and mitigate evasion tactics.
• Establish comprehensive auditing and reporting processes to detect and respond to fraudulent activities promptly.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Unveiling the $10M AI Bot Streaming Fraud by Michael Smith

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Obtain Capabilities: Artificial Intelligence

Impersonation

Phishing

Valid Accounts

Proxy

Potential Compliance Exposure

PCI DSS 4.0 – Incident Response Plan

NYDFS 23 NYCRR 500 – Cybersecurity Program

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Identity and Access Management

NIS2 Directive – Security Measures

Sector Implications

Entertainment/Movie Production

Music

Computer Software/Engineering

Financial Services

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads