On July 28th this year, beloved Italian surf group The Bradipos IV made an alarming post on Facebook.
A fake album titled "Surf Tides" had been uploaded onto Spotify on their artist page. The music was AI generated and aside from also being instrumental surf, didn't really bear much sonic resemblance to the band's discography.
In the comments, we noticed two things: It was on several other platforms as well, including Apple Music and Qobuz (not Spotify), and Qobuz it listed its label as Hi-Tide. Hi-Tide Recordings is an established label with a lot of surf artists, but they almost always include the word "Recordings". We tagged them in the post, and label owner Vincent said he was looking into it.
This was pretty disturbing. I'd seen AI surf records, and I'd even seen this sort of thing done before, articles written about it, etc, but it was surprising that it would hit our small, largely under-the-radar genre. That said, people more savvy than me were working on it, I'm sure there's a report button somewhere, I expected this to be a blip.
Months later I see a post from Dave Arnson, band leader behind the longstanding progressive surf group Insect Surfers reported something very similar. Immediately I noticed that the album art was a lot less generic: you could easily mistake this for a legitimate Insect Surfers album cover (the music, less so).
I checked back on The Bradipos IV album to see if it was still there. It was. In fact, if I clicked on the Hi-Tide link on Qobuz (the only streaming service I could find that let you see a label's discography), it listed both of these albums as well as one from modern exotica gropu Waitiki 7. Were these perpetrated by the same person? Some sort of targeted attack of surf musicians? And since the Bradipos IV album was still up there, it seemed to me that removing these albums wasn't as trivial as you'd expect.
But there had to be a way, and I wanted to find it. Really, I wanted to find out who this was, and find out why, but at the very least I wanted their means to do this cut off.
And if you're reading this article because you've been similarly attacked, I don't want you to hang on for that answer: I didn't find it. But I learned a lot.
Now, I'm a radio DJ, and I've noticed that often when our playlist system auto-recognizes something it might put something in the label field starting with DK and a bunch of numbers -- and I believe that that's DIstroKid. I was hoping I could find similar clues, and while researching that I found ISRC codes. These are basically unique identifier codes attributed to published songs by record labels, distributors, and individual artists to track their usage and royalties. Well that sounds great, I want to track where this is coming from, so this seems like the way to do it! I used an ISRC finder tool to look up songs on both fake albums.
Very interesting: the ISRC for one fake Insect Surfers song was NL-8RL-25-56384, and a fake Bradipos IV was NL-8RL-25-39954. The fact that the first seven digits, particularly the first five, are similar suggests that these are indeed pretty related to each other. The first two are a country cole. NL=Netherlands. 8RL is a registrant code, so everything put out by this entity will have that. "Entity" is the word I use because I don't know if this is a code for an individual or a distributor. The "25" is just the year, so much less exciting. And from what I understand, the rest of the numbers can't really be "read".
Now on this same website where I looked this up, it had a link for a "Distribution checker". Hey, this is going to be easy! I put in the ISRC number and did not get a way to identify the distributor, but the results were illuminating nonetheless. It showed every platform that these songs were on: Amazon Music, Anghami, Apple Music, Awa, Deezer, FLO, Joox, KKBOX, Line Music, IHeartRadio, NetEase, Pandora, Qobuz, QQ Music, 7digital, Shazam, Soundcloud, Spotify, Tidal, Tiktok, Trebel, Youtube, Youtube Music, Youtube Shorts. Surprisingly, not Bandcamp.
That's a lot.
OK, back to the ISRC codes. After a lot of searching, I couldn't find any way to look up that "8RL" part. I looked up the Dutch authority for ISRC codes, called Sena, and it seemed all I could do from there was send them an email.
Except was that really appropriate for me to do? I'm not in one of these bands. This is where Dave Arnson of the Insect Surfers took action. He emailed Sena and their email said something along the lines of "Sorry, we can't help you, you should try to contact the distributor." Well yeah, that's the whole idea!
I was feeling a bit stuck. The scammer wasn't. He uploaded two more albums, one "by" the Kilaueas and another "by" Jon & The Nightriders. Around this point Sunny Jake who has a surf radio show called The Drip and band The Surfmasters started a thread on the Surfguitar101 forums to draw attention to and hopefully root out the issue. If nothing else, it was gratifying to see others not directly affected by the issue similarly fired up, and useful to have one central place to discuss.
Meanwhile I changed my angle of attack. In addition to ISRC codes, these albums had UPC codes attached to them. You've probably heard that term before interchangeably with "bar code". The UPC isn't really the bar code, it's the 12-digit sequence that the bar code spits out. The thing you might not know is that UPC codes are assigned and tracked by an international authority called GS1. Unlike QR codes, you can't just make up a UPC code, not legitimately at least.
Using similar tools to before, I was able to find the UPC codes and didn't get a name, but got an address. Also in The Netherlands; Amsterdam, in fact. I checked Google Maps. It looked like a pretty commercial area. But who knows, maybe it's an apartment above a retail space. How would I know though? Should I send a Dutch friend to check it out? That seemed ridiculous. So I ran a web search on the address. There were several businesses listed at that street address, but one stood out: Downtown Music.
I hadn't heard of Downtown Music, but they have 19 offices spanning every continent except Antarctica. Although if you have that many offices, I assume you have a secret doomsday bunker there too. The "Services" tab of their site says "Downtown provides a vital bridge between creators and companies that produce, publish, distribute, manage and monetize music today." So yeah, this is sounding like the plausible home of this UPC code. Oh wait. Down there at the bottom of the page it says CD Baby. Yes, Downtown Music is CD Baby's parent company. Since I don't see a direct way to utilize Downtown's services, I'm taking an educated guess that our scammer utilized CD Baby to distribute these albums on all these streaming sites at once.
I reported my findings to the Surfguitar101 Forum and to an email chain with the Insect Surfers and a few others. I sent an email to Downtown Music being very clear that I'm not directly involved in the bands this scammer is impersonating, but also providing links of bands disavowing the fake albums. I did not get a reply.
Meanwhile, every few days another fake surf album would drop. The fascinating and frustrating part of this was just how niche it was. I understand targeting surf music to some extent: removing lyrics means one less thing to scrutinize, and people might be more tuned to find something off about generated vocals. But these were not fake albums by larger surf groups Los Straitjackets, The Ventures, The Surfaris or even modern touring groups like The Surfrajettes or Messer Chups. These were groups that by-and-large were known and appreciated by surf music nerds. Who knows, maybe these were just bands that ChatGPT spat out, but it felt like this scammer had some depth of knowledge and, you'd expect, appreciation for the genre. Most of the album art reflected the visual language of the bands, and they were surprisingly missing many AI artifacts. Text looked good, AI frequently messes up guitars, but these were alright. I daresay they might have had a modicum of effort put in. If this was some form of tribute, it was pretty tone-deaf!
In my email thread with the Insect Surfers, Dave Arnson was taking the one-by-one approach with streaming services. He sent me a lengthy chat log with Spotify. He successfully removed the album from his artist page... which just meant that the album had been moved to a different Insect Surfers artist page. But it appeared that he had spoken to a human. The Pyronauts managed to get theirs taken off of Apple Music. I was obviously happy to see progress being made, but this can't be the way to do it. Should every band go through the Spotify chatbot, then do the same thing for the other TWENTY services?
Meanwhile Mike Papageorgiou, founder of Green Cookie Records, who had released some Insect Surfers records, said he was reaching out to lawyers his label has used.
I was running out of ideas. CD Baby's website does have a section about fraud, but it seemed to assume that you knew it was CD Baby involved, which we didn't. Every tool I could find that *might* give me more details seemed to be subscription-based, and at a rate that only makes sense if it's your livelihood to navigate this stuff. I tried to think of people that might be in that space. I encouraged Jon Blair, a victim of this himself, to reach out to people that helped him track down licensing rights for the documentary he worked on recently. Shamefully, I bought one track off Qobuz in hopes that there might be clues in the ID3 tags.
The scammer made his big move. Fourteen fake albums announced at once, a bunch of them with release dates in the future -- so no album yet, just album art, band name, and album title. Bands were Blue Stingrays, The Sentinals, The Bomboras, Los Daytonas, Bang! Mustang!, The Diamondheads, The Torquays. The Penetrators, The Surf Trio, Surf Raiders, Los Twang! Marvels, Pollo Del Mar, The Secret Samurai, and The Aqua Velvets. All on the fake Hi-Tide label. Interestingly enough, The Sentinals were the first 60's era band I'd seen them target. It was a stretch, but they were on Del-Fi, whose catalog had been sold to Warner Music, so who knows, maybe that will trip an alarm.
And then the next day, *poof*. All of them were taken down. The page listing them is still viewable on Qobuz, but each links to a 404 page, and the distribution checker I had used previously only showed 2 or 3 obscure services, and when I checked one of them it wasn't even there. It was done!
But what did it? Did this sudden flurry trigger a bot check on CD Baby (or whoever the distributor was)? Or even one of the platforms it distributed to? Did one of the requests to take down an individual album listing trigger a message back to their distributor? Did Green Cookie's lawyers come through? If any of us knows, they haven't shared it.
And that's why I'm still frustrated. As I dug into this I hoped to find a blueprint that others could follow. We eventually had a community of people scratching away at this in a way that still felt pretty ineffective. If they had targeted a single technophobic musician, would the scammer face any resistance? Some of the bands they targeted were no longer active, had no social media presence. Would they even know that they were affected? I had seen examples of this before, even articles written about it, but those articles hand-waved the resolution with "had them taken down". How? We don't know what happened on the other end. Can the scammer try again with a different distro? Can they just do it again on the same distro from a different email account? When that happens, would we be scrambling for weeks like last time?
Amidst all the talk about AI's potential gifts to society, we gloss over one of its biggest "strengths". AI is an excellent exploitation tool. What happened here -- the ability for a random person to upload material under an artist they have no claim to -- likely has nothing to do with AI. I bet this exploit isn't even new. But until recently, the reward wasn't worth the effort, especially when that effort could be easily erased. But now that the effort is minimal, they have so little to lose, and I bet it's fun for them. They toss out an album, we freak out, they do it again, maybe giggle a bit. It's easy for them! And this is just one of infinite cases where that is likely true -- where the thing holding back a scam used to be the logistics involved -- and I bet new ones are emerging all the time. I bet this specific scam is only going to happen more. Why wouldn't it? I mean, I do think there could be legal ramficiations for fraud (actual lawyers, I'd love your input) but somebody would have to find them first -- or care enough to go after them.
And so we hear about how without guardrails in place, AI is going to disrupt (in the bad way (was there ever really a good way?)) the systems we rely on. Clearly, streaming services need to implement a process for this sort of scam. An easily findable one, and one that can be traced back to the distributor. To put it plainly, it should be easier to take these down than to put them up. And I doubt they will implement that process. The age of companies touting great customer support has been gone since, I don't know, the 90's, ever since Google came to dominate our web despite virtually no customer service to speak of. We already had ineffective chat bots to politely weed out the least determined before they escalate to the human helper, now we have AI to fire that human helper.
And this is what I want to say to you, musicians. The word streaming "service" is a lie. They are not here to serve you, though they may help make your music more findable. Just like so many other record executives in the history of recorded music, they're yet another pimp here to skim from what you bring to the table. There are people out there that genuinely think "I love music, I know great bands that aren't getting heard, I'm going to start a record label and do the legwork to get them noticed." Those people are great. To all the indie labels out there, love y'all, keep doing what you do. I don't think I even need to tell you that the executives of Spotify aren't those people.
I'm not telling you to quit these services. Tons of people, maybe even the majority of people out there, mostly listen to music via Spotify. This isn't even an article about Spotify! I'm just asking for you to treat your craft with dignity. Don't be complacent, expect better from the services that leech from you. They should listen to you, they should help you, and they should protect you. They can afford it.
Edit: After posting this, a reader believes he found the identity of the scammer. He'd rather not share the means that he used to find them, and I don't want to doxx the alleged scammer on this site. The method he used to identify them is not something that I or most people have direct access to, so my general point that this is harder for the scammed than it is the scammer remains. I bring this up to say that if you were in one of the bands affected by this and you want to pursue this further, reach out.
