How Artist Imposters and Fake Songs Sneak Onto Streaming Services

When songs leak on Spotify and Apple Music, illegal uploads can generate substantial royalty payments—but for whom?
leaker wearing a playboi carti mask
Illustration by Drew Litowitz, Playboi Carti photo by Edward Berthelot/Getty

Last December, new music from Beyoncé and SZA appeared out of nowhere on Spotify and Apple Music. Released under the names “Queen Carter” and “Sister Solana” respectively, these full-length projects initially seemed like surprise drops with a twist. Soon fans realized that something wasn’t right: Many of the Beyoncé recordings came from old sessions, and the SZA songs sounded like unfinished demos, which the singer later confirmed. Neither Beyoncé nor SZA had anything to do with the releases, in fact. It wasn’t the first time a big artist’s music had been uploaded illegally to Spotify and Apple Music, and it wouldn’t be the last.

In the most troubling of these scenarios, fake releases have crept up the streaming charts. In March 2019, when a fake Rihanna album called Angel was uploaded to iTunes and Apple Music under the name “Fenty Fantasia,” it made it as far as No. 67 on the iTunes worldwide albums chart before being yanked off the platform. Then, in May, a leak of Playboi Carti and Young Nudy’s “Pissy Pamper / Kid Cudi” was uploaded to Spotify as “Kid Carti,” under the artist name “Lil Kambo.” Two million-plus streams later, “Kid Carti” topped the service’s U.S. Viral 50 chart before being removed. Ironically, “Pissy Pamper / Kid Cudi” was never released officially because of sample clearance issues involving Mai Yamane, the singer-songwriter whose 1980 song “Tasogare” serves as the basis for its beat. Ultimately, none of the involved artists—Yamane, Carti, Nudy—saw a dime from streams of the song.

The related artists on Lil Kambo’s page revealed even more Playboi Carti leakers, as well as “artists” who were masquerading as Juice WRLD and Lil Uzi Vert. Given the prevalence of impersonators, it came as no surprise when “Pissy Pamper / Kid Cudi” made its way up the Spotify Viral chart again, under a different name, a month after the first fake was removed. By the end of June, five more unreleased Playboi Carti tracks appeared on the rapper’s official Apple Music page. Fans celebrated the leaks, which made headlines on music sites like Genius and The Fader before being removed from Apple Music the following day.

Suspicious bootlegs and fraudulent uploads are nothing new in digital music, but the problem has infiltrated paid streaming services in unexpected and troubling ways. Artists face the possibility of impersonators uploading fake music to their official profiles, stolen music being uploaded under false monikers, and of course, simple human error resulting in botched uploads. Meanwhile, keen fans have figured out where they can find the illegally uploaded, purposefully mistitled songs in user playlists.

Here’s how the process works: Artists who use independent distribution companies such as DistroKid or TuneCore get paid royalties for their streams and typically cash out via services like PayPal. TuneCore states that their royalty calculations typically operate on a two-month delay, while DistroKid has a three-month delay on payments, meaning that royalties accrued from streams in January may not be available to cash out until March or April. Distribution companies generally stipulate that users must agree not to distribute copyrighted content that they do not own, and streaming services similarly specify that copyright-infringing content is not allowed. However, it’s easy for leakers to simply lie and upload infringing music, which may or may not be caught by the distributors’ fraud prevention methods. By abusing the limited oversight in the digital supply chain, it’s possible that leakers can make significant amounts of money off music they have zero rights to.

One leaker told Pitchfork that they were paid upwards of $60,000 in royalties this year by DistroKid and TuneCore, after uploading unreleased tracks by artists including Playboi Carti and Lil Uzi Vert onto Spotify and Apple Music. The leaker, who spoke under the condition of anonymity and provided various transaction records and withdrawal receipts, said that they released the songs in order to please “eager fans” of the artists. And while much of the music was later removed, the documents viewed by Pitchfork indicate that royalties were still paid out, as much as $10,000 at a time.

Pitchfork reached out to representatives at DistroKid, TuneCore, Spotify, and Apple Music for comment regarding the possibility of royalties generated by copyright-infringing music being paid to an illegal uploader.

A spokesperson for Spotify said: “We take the protection of creators’ intellectual property extremely seriously and do not tolerate the distribution of content without rightsholder permission. As with any large digital services platform, there are individuals who attempt to game the system. We continue to invest heavily in refining our processes and improving methods of tackling this issue.”

TuneCore Chief Communications Officer Jonathan Gardner said:

“In addition to subjecting all uploaded material to a detailed content review process before it is delivered to any digital music service, it is also TuneCore’s policy to respond expeditiously to remove or disable access to any material which is claimed to infringe copyrighted material and which was posted online using the TuneCore service. By agreeing to TuneCore’s Terms of Service, each user also agrees, among other things, that, in the event that TuneCore is presented with a claim of infringement, TuneCore may freeze any and all revenues in the user’s account that are received in connection with the disputed material. While we cannot comment on any specific claims, we can say that TuneCore is committed to preventing our services from being used in connection with infringing or otherwise deceptive behavior.”

DistroKid founder and CEO Philip Kaplan did not directly address the claims and instead offered this:

“DistroKid recently launched DistroLock, which is an industry-wide solution to help stop unauthorized releases. Any artist, label, or studio can register their music with DistroLock, for free, to preemptively block it from being released by distributors and music services. We made DistroLock available for free to our competitors and other music services because by working together, we can help protect legitimate artists from fraud and infringement.”

When reached by Pitchfork, a representative for Apple Music declined to comment.

Screenshots of a user-generated Spotify playlist full of leaked songs by artists including Lil Uzi Vert, Playboi Carti, and Travis Scott, all listed under false aliases; and an algorithmically-generated Spotify playlist for the fake artist YungGen, featuring leaked music by Playboi Carti, Lil Uzi Vert, Lil Mosey, and more.

Graphic by Drew Litowitz

To understand how leakers could game the system on paid platforms, it’s important to understand the huge amount of control held by digital distribution companies. Artists are unable to directly upload their music onto streaming services like Spotify or Apple Music (versus YouTube or SoundCloud, which are often thought of as less “legitimate”), so they must go through some sort of distributor. Last year, Spotify experimented with allowing artists to upload their own music directly, but the function was recently nixed so that the service could focus on “developing tools in areas where Spotify can uniquely benefit [artists and labels].”

The biggest record labels often oversee their own distribution, but there are independent digital distributors of all sizes out there. Artists who are just starting out typically depend on distributors with a lower barrier of entry, like DistroKid or TuneCore. There are scores of these companies, their main appeal being that they charge little to nothing to upload a song to streaming services. Uploads are generally vetted to varying degrees of thoroughness by algorithms, human beings, or a combination of both, depending on the company.

In the case of the Beyoncé and SZA leaks, the leakers distributed the tracks to Spotify and Apple Music via Soundrop. Zach Domer, a brand manager for Soundrop, says he believes the leakers used the service because it does not require an upfront fee for distribution. “It’s like, ‘Oh cool, I don't have to pay DistroKid’s $20 fee to do this fake thing,’” he said. “You can’t prevent it. What you can do is make it such a pain in the ass, and so not worth doing, that [leakers] just go back to the dark web.”

Domer told Pitchfork that Soundrop relies on a variety of systems to vet the legitimacy of their content, including “audio fingerprinting” systems similar to those powering the music identification app Shazam, as well as a small content approval team of three to four people. The team reviews any submissions that come back flagged, either because the songs triggered the fingerprinting system or have suspect metadata; an example of the latter would be the use of an existing artist name, which explains why these leaks typically don’t use artist’s official names. Though rudimentary, Soundrop’s vetting process is more extensive than some of their competitors’. Domer says, for example, that the fake song briefly uploaded to Kanye West’s Apple Music page last year should have been “super easy to catch.”

The fake song/real profile phenomenon doesn’t just happen to the Kanyes and Cartis of the industry. The manager of an unsigned act that has racked up over 50 million Spotify streams to date spoke with Pitchfork about their client’s struggles with impersonators throughout 2018. Fallible authentication measures made it possible for unsanctioned music to appear on said artist’s official Spotify profile. The manager issued takedown notices to the streaming service with mixed results: “The hurdle we came across was, will [Spotify] be able to remove the music, or will they shuffle it onto another profile and not actually remove it? There seems to be no consistency with which route is enforced.”

In one instance described by the manager, an impersonator went so far as to create and distribute a fake album under the artist’s name. According to the manager, it took three days for Spotify to remove it. “That was the first time we contacted a lawyer,” the manager said. “We didn't end up needing to pursue legal action, but we came to the conclusion that it is incredibly hard to even sue anyone who you cannot legally identify. And even then, that person could have multiple accounts on multiple uploading platforms. If they get caught on one, they could just go to another.”

While distributors are the ones who facilitate payments, all roads in the digital supply chain end with the streaming services. Companies like Spotify, Apple Music, Amazon Music, and Deezer are the final checkpoint before music reaches listeners. But with “close to 40,000” new tracks being uploaded to market leader Spotify every day, it seems near impossible, at least on the bigger services, to catch illegal uploads before payouts accrue. There does not appear to be any publicly available information on how many of those tracks are vetted in the first place, or how many eventually get taken down due to copyright violations.

A source close to Spotify tells Pitchfork that it is standard practice for the company to flag pipelined releases from notable artists and double-check the accuracy of those uploads with the artists’ representatives before they go live. This policy might explain how that fake Kanye track made it onto his Apple Music page but never surfaced on Spotify. It also might explain how “Free Uzi”—released and promoted by Lil Uzi Vert as his next single but characterized as a “leak” by his label, Atlantic—never made it onto Spotify, despite showing up on other streaming services. But it’s unclear how many artists Spotify is willing to double-check for, and how that list is determined.

“When there’s a million gallons of water and a two-foot pipe for all of that water to come through, people start to figure out another way through,” said Errol Kolosine, an associate arts professor at New York University and the former general manager of prominent electronic label Astralwerks. “The fundamental reality is, if people are losing enough money or being damaged enough through this chicanery, you’ll see something change. But the little people who don’t have resources, well, it’s just the same story as always.”

When asked why labels haven’t pressed the issue of streaming fraud, several of the industry figures interviewed for this piece mentioned “the metadata problem.” This refers to the lack of a universal metadata database in music, which makes it incredibly difficult to keep track of personnel and rights holders on any given song, and thus a huge ongoing issue in the record business. Royalty tracking start-up Paperchain estimates that there is $2.5 billion in unpaid royalties owed to musicians and songwriters, due to shoddy metadata. (There doesn’t seem to be an industry consensus on this figure; by contrast, Billboard puts the estimate at roughly $250 million.)

It’s important to note that streaming scams will likely exist in some form with or without the existence of a metadata database. (“I don’t know if there’s ever going to be a pure technological solution to prevent somebody from uploading unreleased material under fake aliases, with fake metadata,” said Domer.) But the fractured state of music metadata makes it far easier for bad actors to entangle themselves in the streaming ecosystem. It should not be possible for outside individuals to gain access to artists’ official profiles on streaming services, and yet it occurs because there is no authentication protocol outside of individual companies’ own vigilance. Having a system in place to ensure accurate metadata across companies appears to be a necessary first step.

Spotify’s solution thus far seems to be the copyright infringement form on its website, which notes that artists “may wish to consult an attorney before submitting a claim.” Apple Music has a similar online form. As for the distribution companies, DistroKid appears to be the only one to date that has developed a promising defense strategy, the aforementioned DistroLock. That said, even DistroKid stakeholder Spotify has yet to announce any plans to integrate DistroLock within its platform.

Ultimately, the problem at hand is greater than the risk of lost royalties. The prevalence of leaks on established streaming services has a significant impact on an artist’s sense of ownership over their life’s work. The lines become blurred as to whether something actually “exists” in an artist’s canon if they never gave permission for it to be released. So while diehards might feel a thrill, circumventing the system and listening to unreleased songs by their favorite musicians, the leaks ultimately hurt those same artists. After the last of this June’s many leaks, Playboi Carti uploaded a brief explanation to his Instagram Stories: “Hacked :(,” it read. “I haven’t released anything… I hate leaks.” Beneath it, a GIF sticker: “Leave me alone.”