Transcription performed by LeahTranscribes
[Start of recording]
JACK: I’ve always liked the idea of fake it ‘til you make it, where you act like someone you want to be until you become them. This sometimes comes with imposter syndrome, but I think the antidote to that is just more experience. But how do you go from being a total beginner to confidently doing something? I often turn to the book store to help me there. But you know a book that’s always bothered me? It’s those For Dummies books, like the C Programming For Dummies, or The Complete Idiot’s Guide. Even if I don’t have a clue where to start, I would never buy one of those books because I don’t consider myself a dummy or an idiot, because I want to fake it ‘til I make it, and I don’t want to fake being a dummy. I want to be a great programmer. So, A Dummy’s Guide to Programming is not the direction I want to be going. I think what those books fail to do is they seem to target who you are now, not what you want to become, and that was their failure, at least for me. I’ve bought tons of how-to books, but I will never buy one of those books. To me, the key to success is in the aspiration. I would instantly buy books that were titled How to Be an Amazing C Programmer, because that is what I want to become. The book could contain the exact same words as the other book, that C Programming For Dummies, but it would have an entirely different impact on me. Every time I saw the title, I’d feel like I’m becoming more and more like the person I want to be, an amazing programmer, and that would give me that false sense of greatness, which is exactly what it’s like to fake it ‘til you make it. Because it’s not about who you are today; it’s about who you aspire to be tomorrow. It’s about embracing the journey of transformation and allowing your actions to shape your destiny. So go ahead and fake it. You can lie to yourself if you want, because sometimes the greatest lies are the ones that propel us towards our truest selves.
[Intro music] These are stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries.
JACK: Today I’m talking with Andrew.
ANDREW: Yeah, I’m Andrew Batey.
JACK: Andrew has a really unique job that I can’t wait to ask him about. But first we should learn about how he got there.
ANDREW: So, I started on Facebook when it was still EDU-based, and then I was one of the first fifty beta advertisers on Twitter and learning to kind of misuse their system.
JACK: [Music] Misuse their system. These systems are huge and complex; algorithms, likes, follows, and a whole ad network. He wondered if he could manipulate any of that to his benefit.
ANDREW: The same thing with YouTube. You used to be able to break anything into the front page of YouTube, and I guess I quickly became the guy that you would go to if you wanted to sort of…like gray hat, black hats, and stuff.
JACK: Gray hat and black hat and white hat, let’s talk about that. That’s gonna come up a lot in this episode, and we’ll start with white hat. White hat is doing something that’s 100% legal and safe, such as hacking your own computer. Nobody is gonna come arrest you for that. Black hat is doing something that’s illegal, such as hacking your ex’s lawyer to see what they’re plotting against you. Gray hat is somewhere in-between. Maybe it’s technically not legal, but you’re hacking into something only for research, but not to cause harm. But these terms also apply to marketers, someone who follows the rules such as paying for ads the normal way. That’s a white-hat marketer. But someone who uses bots, for instance, to artificially create a bunch of five-star reviews for something, that would be a black-hat marketer in my opinion, because they are lying and cheating with their so-called marketing and run the risk of being thrown off the very platform that they’re trying to grow on. At least, this is what I think these terms mean going into this episode, but my definitions might change as we go further. So, in my opinion, Andrew was a black-hat marketer. He was trying to promote certain products or people by tricking people or systems to artificially inflate something’s popularity.
ANDREW: My favorite thing at the time was like-jacking. It was a weird time period because it was before fan pages. So, initially when Facebook first launched, you could only friend-request somebody, and there was a 5,000-person limit. What you used to do is you would hide the request — Friend Request button, or when fan pages launched, the fan Follow button, but you would hide it in the pixels. I don’t know if you’ve come across that.
JACK: Yeah, I have. People who want to become popular on social media might do it, like an up-and-coming band who wants as many likes and follows as possible. If others think you’re good, then you’re probably good. So, you might show up in more people’s feeds because of that, too. Facebook made it so you could add a Like button anywhere you wanted, like on your own web page or blog. But if you were sneaky, you could trick people to clicking on that Like button when they didn’t know they were clicking it. That’s what click-jacking is, or like-jacking.
ANDREW: In our case we ended up using it a lot on video or photo-sharing websites. So, when people were clicking Next or going through video or photo carousels, every time they were clicking — we sort of trained our users to double-click. We started buying these websites that were high-volume websites. Then eventually we started doing web development for other sites and then putting these in there. What would happen was — our hypothesis was that people did not log out of their Facebook. It’s cached in their browser. So, what we would do is just hide that pixel inside of other websites. [Music] So, we could drive millions of fans to things.
JACK: Man, how clever; they bought a popular video and photo-sharing site, and as the users clicked Next or Play, it wasn’t the Next button. It was the Facebook Like button. The users had to click twice because the first one was just liking the photo, and then the second was going to the next photo. So, what Andrew would do is he’d advertise that he can get your Facebook page 5,000 followers and thousands of likes, and people would buy his service to promote their bands, and he’d artificially grow someone’s Facebook account.
ANDREW: So, that’s kind of where we started a lot. Another thing we did in the early days was kind of an ad arbitrage. At the time, for example, when you charge an advertiser, they cared about time on site and sort of CPMs, but they didn’t care that much about the actual click-through or engagement with the ads. They just weren’t aware. I know that seems obvious now, but back in the 2000s, no one really knew that those were metrics to look at, like traditional advertisers. So, what we would do is we had these high-traffic-volume websites and we would, for example, have a $5 CPM, let’s say. But we could buy traffic for like, a dollar. So, we would blend enough garbage traffic in that we didn’t really ruin our overall time on site or user stats, but we would be able to sort of print money.
JACK: Oh. So, he’d sell ads on his website but then pay fake visitors to click it, making it look like a lot of people clicked that ad, and then he would just collect the money for it. But really, it was just paid traffic. Huh.
ANDREW: Another one that we did that was really interesting at the time was around YouTube. So, we figured out that you could basically — there were these pop-under ads back then, and you could — most people recognized them from the penis-enlargement ads and things like that; you’d click out of a website and there would be the annoying little open browser underneath it. We would load it with YouTube videos on mute, and we were able to rack up hundreds of thousands of plays to a YouTube video quickly. If we could get 300,000 to 400,000 views quietly in the background, we could basically break into the algorithm on the front page. Back then, people would go to the front page of YouTube to see what was trending. So, we would be able to break a bunch of different content pieces onto the front page of YouTube. At that point they had to sink or swim. You basically had to have good content that people liked or not, but pretty quickly it was evident; you either went viral or you were trash and you were removed quite quickly. So, we could get you there, but the question was whether or not you’d stick.
JACK: Jeesh. Now, see, to me, this is all black-hat marketing. You aren’t bringing real customers to your site or video page. Instead, it’s all fake. It’s not quite bots; it’s real people clicking things, but they’re tricked into clicking things and they don’t know they’re clicking it. The stuff they’re viewing is invisible to them, but it’s playing in the background. So, I call this black-hat marketing because if YouTube found out that you manipulated your way to the front page, they’d probably ban you. But I also think if you have a bunch of fake followers, then that’s not real marketing, either. That’s cheating and lying and manipulating. [To Andrew] Now, when you say ‘we’, what was this — where is ‘we’?
ANDREW: I had a couple partners that we did this with.
JACK: Was this like a black-hat marketing firm?
ANDREW: You know, that term wasn’t really a thing then. I would say we all considered it marketing, but we didn’t — I mean, yes, it’s black hat, but I wouldn’t say that that’s what we visualized it as at the time. At the time we really felt like we were just a marketing firm using all the possible channels we could to give a brand an opportunity to take off. What I got known for at the time was — we launched an artist on Facebook, and he had no label, no major label, nothing. He was found at a bonfire in Nantucket. So, it was kind of like an interesting thing. When we went to the labels back then and tried to convince them that you could use Facebook to launch an artist, everyone laughed at us and said Facebook’s for kids. We have a website. We do e-mail lists. We do paid marketing. This isn’t part of our mix. No one believed it was possible until we did it. Then after we did it, everyone wanted to pay us to do it.
The hardest thing was trying to continue to perform, because then — everyone that finds a vein that works — everyone starts copying you, and then you have to find a new way. It’s like you’re constantly on a treadmill for finding new, innovative ways that you can break an artist or that you can just get attention. I think from our view, that’s the art of marketing. It’s less — it doesn’t — I think for a lot of us it doesn’t feel like black hat ‘cause we’re just using a technique or a tool that might only last for two months or three months until we have to find something else, and we all safeguard it. When we learn something, we don’t tell people. So, when we learned about like-jacking, which was the hypothesis we had, we definitely didn’t tell anybody because we didn’t want anyone copying us. We didn’t want people to know how we could drive a million fans to something, and they were all real fans. So, it was just kind of a — I think in that view, it’s just a different era. I would also say that no one even called it social media marketing.
At the time there was digital marketing. New media was a term. There wasn’t even a term for — growth-hacking wasn’t even a term. No one even used the word ‘growth-hacking’. It just was not a thing at that moment. So, it is interesting to see how the whole thing has evolved. I do think that if you asked us point blank is what you’re doing violating terms and services, for sure we would have lied and told you — we would have told you no. But we all knew — we weren’t drinking the Kool-Aid. Everyone in the company knew we were violating terms and services. I think the thing we thought was, who cares? If a real user likes what we have to do, like what we’re presenting them — we’re not faking the genuine product market fit. We’re just trying to get in front of those eyeballs and see if we are a product market fit.
JACK: That was a stretch as well, but I agree with you that I think a good marketing campaign is one that actually — ‘cause I think most people are like, I hate marketers. I hate ads. I hate all this stuff. But do you? When a product lands in front of you and it’s the perfect thing — it’s your new favorite song and you’re like, holy cow, I can’t believe I just found this, then you don’t hate it, right?
ANDREW: Totally.
JACK: So, if you can match that person who needs this product with this thing, and that is a marketing move that you’ve done, then that is fantastic marketing. I think — I wish that’s how all marketing was, was to actually find the person who needs it and then — and focus on them. Unfortunately marketing has a lot of wasted eyeballs looking at it.
ANDREW: For sure.
JACK: That’s a lot of wasted money.
ANDREW: Even back then, I remember seeing this thing in probably 2011, I feel like, where there was this report that came out in an advertising research report that only 8% of people who saw an ad online were real. It was just technically a machine connecting with another machine presenting the ad, but there wasn’t a real person on the other end. That was fifteen years ago. I can only imagine how much worse it’s gotten.
JACK: Yeah. When you were doing this black-hat stuff, did you have any success stories of people that you made or products that you launched well, and just huge success with these techniques?
ANDREW: Yeah. I don’t want to throw them under the bus, but we definitely did win a lot. We took a brand in action sports that was like, seventeenth in their spot and moved them to like, third in the market. We — and what was crazy is at the time you start doing these big activations. So, when you start winning, all the big brands pile in. All of a sudden they all want to do a collaboration or some deal with you. So, you end up doing really big brand partnerships or brand collaborations with really established companies once they all perceive you as the winner. So, the snowball sort of takes off, and then it becomes less black hat and more traditional project management and release schedules and just creative, less like hacking.
JACK: Yeah. So, one sports brand went from seventeenth to third. What else?
ANDREW: Yeah. We had a musician that we launched that went number-one iTunes, number-seven Billboard with no label.
JACK: Okay, number-one iTunes, number seven, is that fake numbers? Is that fake numbers or…?
ANDREW: No, those are real numbers. That’s the crazy part. That’s what I’m saying; I don’t feel like it was black hat because we got in front of all the people. We got in front of people who decided they really loved this artist. Because they really loved that artist — and we sort of had an eighteen-month plan. So, as we were building this artist with all these techniques, we were providing them with content to get them more and more hooked and engaged with the artist. When we released that artist’s EP, that artist went number one over everybody. I remember we beat DJ Catalan, as an example. We beat everybody. No one could believe it. We were called out. People thought we had faked the numbers. We didn’t fake anything. It was all real. We just sort of met the consumer at the point — we were in front of the consumer at the right moment when they quote, unquote “discovered this artist” and then thought they really liked it. So, again, the techniques allowed us to engage and have a real product market fit. But the techniques we used were definitely not approved.
JACK: Yeah, I mean, I’m — when I first started this podcast I was like, alright, let’s market it. You start noticing some of these black-hat marketing techniques. I had to really sit and look at myself in the mirror and be like, am I a guy who is going to cheat my way to success? Like, fake it ‘til you make it. I had a long debate about it. I’m like, no, I’m a hacker; of course I’m gonna use every trick in the book, right? This is great. Let’s try it all. Then I was like, no, this is not honest. This is unethical and all that sort of stuff. So, I landed — this is funny; I landed on no black-hat marketing, but I’m totally for guerrilla marketing, which is unsanctioned marketing, right? So, if I go to a conference and there’s an empty booth where a vendor didn’t show up, I might sit down at that booth, put a little banner up that says…
ANDREW: I love that.
JACK: …hey, this is Darknet Diaries, and I didn’t pay $10,000 for that booth. Until the people come and say, hey, is this — did you pay for this booth? No. Okay, well, get out. Alright, cool. So, I’ll put stickers on places…
ANDREW: That’s amazing.
JACK: …that aren’t supposed to be stickers and all kinds of stuff like that. So, that’s what it is, guerrilla marketing.
ANDREW: No, I agree. I think that’s definitely — and I have some examples. Like, we launched an app in 2013 called Hater App. It was Instagram for everything you hate. Our logo was a giant thumbs down. We went — I never — we went to South by Southwest and we just started putting stickers on people’s backs as they were walking, and there was thousands of people walking around with these stickers. It went — we got so many downloads. The downside was we had built this thing totally crappy just to see if it would work as an MVP, and it went — we had hundreds of thousands of downloads overnight, and the app was not functional. It was a complete mess. But it was such an interesting moment where I remember doing interviews with — we did interviews with Wall Street Journal and everyone. It was like a huge story at the time ‘cause we basically did this guerrilla approach and it kinda worked. I guess to your point, I always viewed the stuff I did online — I mean, maybe I’m just justifying it now. Like, hindsight, I have revisionist history. But I remember really feeling like the things we were doing online was the guerrilla version of what we did in person for these types of techniques.
JACK: Something I noticed on the podcast world is that people can fake their way to the top on Apple Podcast charts, but most of them fall off a cliff as soon as they stop paying their black-hat marketer.
ANDREW: Totally. So, I have an — there’s an artist I know who I won’t throw under the bus who is a major artist now. They were up for a Grammy, a bunch of things. Their entire first album was fake.
JACK: Okay, I know who you’re talking about. Check this out. I saw this article last week. Spotify accuses Drake of forging billions of fraudulent streams.
ANDREW: That’s not who I was talking about, but that’s also interesting.
JACK: [Music] Okay, so that’s what Andrew was busy doing for a while. He was living in Los Angeles, and he wasn’t just doing black-hat marketing and launching people’s careers, but also building websites and tech companies and buying and selling them. He was solidly tuned into the internet and saw it in a way that not many did. One of his friends is Morgan, and they liked going to football games together.
ANDREW: Back in the day we had tickets to the LA Rams. So, we would go to the games every week, every — eight times a year or whatever. We’d go to the games all together. We had ten seats together. So, it was Morgan, me, and a bunch of music exec guys that we had known just randomly together. So, anyway, we’re there all the time, and around — I was everyone’s weird crypto friend. I started mining in 2011 and sort of been really interested in technology and how it could be used. But anyone who goes back to that day will understand, anyone who was in this thing — maybe you were in it back then — but it was weird because pure tech people really didn’t like blockchain people. There was this weird — if you were a crypto guy, you kinda got the scarlet letter put on you when it came to tech, and it was — it really did feel like at the moment, if people found out you were the crypto guy, that you would just get pigeon-holed and lose opportunities.
So, I was very careful to keep building tech and keep the blockchain crypto stuff entirely separate. Around 2017, that sort of whole world merged together. All of a sudden, inter — people in suits started showing up to crypto events, and next thing you know, bankers are around and everyone’s talking about how it could be used for enterprise. It really felt like the industry collided. The music people came to us and said, hey, could you use blockchain to track the number of times songs are played? The reason is, until today, even, the streaming services give the labels a CSV that says Snoop Dogg, 100 million plays. No one actually — there’s no receipts behind that. It’s literally just a cell; the artist’s name, and the next cell over, number of plays for the month. There’s no receipts for usage. Usage is the number-one driver to how much money you should be making every month, so it’s really weird there’s no receipts there.
So, the way that it typically worked when streaming took off, the music industry just adopted what they’d always done for physical, and that was always an audit period after three years. So, every three years they go and audit the partner. To do a usage audit, though, a forensic audit, not where I’m trapping the contract, not where I’m trapping revenue coming in, but how many times the song was actually played, that could take them up to two years to complete. So, you’re talking about five years later figuring out that five years ago you should have been paid a million more dollars for this artist and $2 million for that artist, and that adds up to a lot. But all that money’s been paid out. So, you don’t have this ability to sort of recapture that money from the streaming services ‘cause it’s gone. So, they came to us and said, we believe blockchain could be a solution. You’re our weird crypto friend that also understands music, and we trust your whole team here.
Morgan, my co-founder, had been a lobbyist on behalf of a lot of the majors for copyright protection, extending copyright law, and Poria was a really gifted machine-learning AI engineer, but at the time we were doing a lot of crypto stuff together. So, they said, we believe your team could solve this. Will you build a real-time tracking tool? The question we were trying to answer at the time was how many times is every song actually played? Because you can’t rely on the CSVs to just — that they hand over. They’re always wrong. What we learned from the offline audits, where they pulled the usage logs in fifty different audits, was on average anywhere between 20% and 31% discrepancy, always under-counted. So, imagine you’re perpetually being paid 20% to 30% less than you thought you should have. That is where we started, and we built one of the fastest blockchains in the world. At the time we did 10 million transactions per second per region in a private permission chain. We have over forty patents in seven countries filed, probably thirty-something issued. We built this technology. When we went live is when we accidentally discovered fraud.
JACK: This discovery would ultimately make him abandon this very blockchain company that he just built and take his life in a whole new direction. We’re gonna take a quick ad-break here, but stay with us because you’ll never believe the fraud he discovered. So, Andrew and his co-founders Morgan and Poria built a tool to track how many times a song is played. Since the music labels wanted him to do it, they were also helping him get in touch with these music-streaming services to try to work out a way for Andrew to see the real-time streaming data they had. So, they made deals with these streaming platforms that they were able to see the play counts for the few music labels that they were dealing with. Their goal was simply to count the plays and make sure the artist got paid for what was played. But little did they know, [music] counting plays was not accurate at all.
ANDREW: We started seeing these weird clusters of users, like 8,000 users playing the exact same sequence of songs sixty-three times on a Sunday, or users suddenly getting play counts in seventeen different countries in the same week. Like, how is that even possible? So, we started noticing these discrepancies, and we went back to the labels and the streaming services and said, we think you have a fraud problem. If we’re supposed to be the leader or the trusted source of truth of how many times a song is played and we’re just telling you a song was played, we’re not actually telling you the intent behind the play and if it should still be counted. You can’t actually pay this out because there’s a bunch of fraud happening here that should be removed. So, until we can solve the fraud problem, we don’t think we can solve audit. That was the summary we came to after two and a half years, and it was a real challenging moment for the company because it was like, you’ve been building this entire tool believing this is the one problem, and then you get there and realize — someone said, hold my beer, and you have a totally different problem you have to solve with a completely different skill set.
JACK: I’m still shocked at the point that the streaming services didn’t have this capability to detect this sort of thing. In the podcast world we have the IAB, which is a — it’s actually a certifiable way of measuring metrics for podcast listens, and they have a whole list. They’re like, okay, if a user starts on their phone and then switches to their computer, is that considered two listens or one? They have to download for over a minute before they can actually be considered a listen. If it’s streaming on the watch, the watch does things to grab MP3s very differently than how a computer might. So, it looks like 500 listens when you come in from a watch, so you have to adjust for that sort of thing. There’s — you can look it up, how to measure podcasts, which is very complex and complicated downloads. I just can’t imagine these bigger streaming services not wanting to have accurate download numbers, especially with paying before that. They must have had a whole team of people trying to figure this out, and you’re saying, no, they didn’t. It was you that figured it out.
ANDREW: No, they didn’t. At the time major streaming services — enter your streaming service — had less than half of a person dealing with this. It was probably some data scientist, and they were mostly using rules-based anomaly detection. So like, did a song get played more times than literally possible? Like, did someone play a song 10,000 times this week?
JACK: Well, that’s really eye-opening and — it’s hard to believe because when you’re dealing with money, you have to pay accurately, and — crazy. Like I said, IAB is a certifiable thing. You can actually pay them to come audit your monitoring, your statistics, and they’ll confirm it, and then sponsors will be more likely to pay those numbers ‘cause you could say, no, it’s been confirmed that we’re IAB-certified.
ANDREW: 100%. ‘Cause when I’ve done podcast advertising, I always ask for the certs because I don’t trust any of the numbers to be real. So, I understand 100 — ‘cause especially in the early days of podcasting, I feel like it was just like reading tea leaves. Nothing seemed to make sense.
JACK: So, this became Andrew’s pivot. He was able to go to the music-streaming services and convince them, look, you have some major fraud happening. Here’s proof. They didn’t believe him at first, so he had to really show them how much fraud there was. They eventually said, okay, instead of monitoring just those music labels that you’re supposed to, [music] do you mind looking at all our stream music and see what else you can discover? That just snowballed. One streaming provider turned into two, and he kept getting full, unfettered download data from many online streaming platforms.
ANDREW: Yeah, we’re definitely the leader. We’re the market.
JACK: You are such a unique position. I don’t imagine there even being two companies that have this access compared to — you’re…
ANDREW: We have more data access than anyone in the music industry, especially…
JACK: No, I mean — I mean there’s no other person like you who’s measuring like that. They don’t say, oh yeah, let’s open this up to 500 companies to come watch our stats and make sure that we’re accurate. You’re probably the only one for these companies.
ANDREW: We are the only one. [Crosstalk]
JACK: The competition here is zero for you.
ANDREW: Yeah, totally, 100%. In a lot of ways we felt like we made the market. ‘Cause at the time, I remember going back to the labels and the streaming services and saying, I think you have a fraud problem. Literally, they laughed at us. Especially the major labels thought it was less than one percent. Because keep in mind, their artists aren’t cheating. So, what they see as only their data — and they’re like, there’s no anomalies here. But to them it just looked like the independent market was growing. I would actually argue that most of the independent music growth has been from fraud, not from true, independent market share increasing.
JACK: Okay. Yeah, you gave me a taste of a few of these things that you were noticing, right, people playing things that are humanly impossible to play that much, and a group of people playing in different regions all at the same time.
ANDREW: Yeah.
JACK: This suddenly sounds to me — ‘cause I come from cybersecurity world — this suddenly sounds to me like not exactly threat intelligence, but yeah, it sounds like you’re looking at a security incident tool and trying to build signatures to detect when there’s a security incident. Just the one that comes to mind for me is if I had fifty connections from some office all go to the same IP address somewhere from different computers internally, why did that happen? There might be a botnet in our company that suddenly said, oh, all phone home at the same time. Get new instructions. So, I would immediately flag those fifty computers to be like, can someone do an antivirus on those to see what’s going on here? I was right. There was a botnet on that computer. So, I was like, okay, we’ve got a way to detect when a botnet happens just by — how in the world did this all happen in the same millisecond, right? So, I imagine that’s kinda the tools or the signatures. How do you look at this?
ANDREW: 100%. We’re building — we have probably close to 700 models looking for different things, and it’s constantly changing. [Music] So, to give you examples, we found one where somebody had hacked a major artist’s delivery feed. So, imagine — it’s very common to have multiple registration numbers for the same song because it may have been part of an album, a single, a deluxe version. It could have been done multiple times with different people in the supply chain. So, what ends up happening a lot of times is the streaming service will concatenate that and pick one parent and a bunch — child sort of numbers. But that way they’re all grouped together. So, in this case, someone had hacked the feed, put their version in, but the metadata for that, the pay, was different than the actual label. So, in this case it looks like the same song, it sounds like the same song, has the same artwork as the same song, but who the finance team pays is different. They were able to promote their version as the parent and then manipulate those — the payouts.
So, in that case they stole millions of dollars from that artist over an eight-month period. When we found it, we found it by some of the ways that they manipulated the streams. Like, how do you become the parent to your — like, why did this happen right at the beginning? We found the manipulation early and then it stopped. We were able to identify that there was something wrong in their data because of their manipulation. Then when we found that, we then built a model to find other artists it happened to. We found 1,700 other artists that had been hijacked the same way over the course of a couple years. So, again, they’re constantly being creative. Another one we found a little over a year and a half ago was a device we had never seen. So, why all of a sudden is this very specific device running up a bunch of streams? We would normally see what — for example, the Android system you’re on, what the operating system, what the device is, et cetera. This is a device we had never seen. It turned out it was owned by the Department of Corrections, and someone had hacked the prison system and turned all the prison tablets into a streaming farm.
JACK: Wow. Tell me more about that. How did that happen?
ANDREW: I don’t know how they hacked it, but the net effect was that they had turned — I think it was like, 400,000 devices into a streaming farm where they were manipulating streams from streaming players. So, I guess — I didn’t even know, to be honest, that prisoners had devices. But in a lot of states they have — you sort of pay I think by the minute or whatever. You pay for these devices, and there’s a handful of applications that are approved. It turns out most of them are run or slash-owned by a private equity company or a couple private equity companies, and someone had just simply hacked the devices and were able to use them all in sort of a bot network that we hadn’t expected at the time.
JACK: How did you spot that?
ANDREW: Because the device type was suddenly new and different. We had never — ‘cause we get all these different — so, why all of a sudden…? In context it seems small, but we have all these types of community-clustering techniques that are looking for different parameters and features. So, let’s say that we get, I don’t know, 500 fields. We’ll get — at this point now from streaming services, we get all kinds of stuff; gyroscope, battery life, orientation of phone, everything you’ve done in app. We’re catching a lot of different data, anonymized but individual — but hashed.
JACK: The streaming service app is collecting that and then you’re seeing that as well.
ANDREW: We’re seeing an anonymized version, generally hashed data so that we didn’t have any PII ever. But that’s — yes, we’re seeing all of this stuff and then triangulating it and saying, why are all these exactly the same? We’ve never seen this unique device, so what’s happening here? Then it just turned out that that one device is specifically made for the Department of Corrections, and no one else buys it. So, it leads you to sort of one vendor, which then allows you to unravel the rest. So, that was a very interesting case.
JACK: Then what do you do with that? Do you say, okay streaming service, here’s a device type that we should just not…?
ANDREW: We demonetize it all.
JACK: Yeah?
ANDREW: So we don’t pay any of those streams now…
JACK: But you block that — I mean, not block, but you demonetize that device type. You can do it that granular or…?
ANDREW: Yeah, for sure. We can say these don’t get paid. I mean, at the end of every month what happens is we have three sort of primary checks. We check daily to see what fraud we’re catching so that it gets removed out of product-level stuff. So, recommendation engines, algorithms, et cetera. We sort of down-weight anything we see that’s fraudulent so we don’t make the problem worse. The second thing we do is we do weekly updates for charts, so if we see anything on the charting side, we will — you’re allowed to update the charts weekly. So, we’ll update the charting information. That’s way less common, ‘cause again, most big artists aren’t cheating, at least from the streaming side. But again, we sort of just safeguard that. Then the last one, which is the real one, is the money payout. So, at the end of the — at the end of every month we do the check for the entire month. ‘Cause there’s stuff we’ll catch, right? The really obvious fraud we’ll catch day one.
But there’s some fraud that takes us a long — you need more of a longitudinal view to see how they’re interacting over the course of a week, two weeks, three weeks. There’s all kinds of cases, for example, that when we first started we would catch that no longer happens anymore. So, in the early days, I’m guessing his engineers were lazy. Or, it’s just easy — like, how do you deal with checking for anomaly detections for months where they have different days of the month? So, what we often — or, you know, they have twenty-nine days, twenty-eight days, thirty days, thirty-one days. So, a lot of times what they would do at the end of the month is pull the first twenty-eight days. I don’t know how fraudsters figured this out, but starting on Day 29, they would jam all their bots. So, you’d see massive numbers; 29, 30, 31.
So, they would end up getting a large percentage of the pro rata pool, but they only ran their fraud at the end to sort of get away from whatever was being checked, ‘cause a lot of the anomaly-detection checks initially in the early days were the first 28 days, just to simplify it. So, again, we find all these weird sort of techniques that they would use, and we would shut them down or demonetize them. In some cases the streaming services, when we returned the data back, they take action. So, sometimes the streaming service will decide to completely remove all the content and just say this is all fraudulent. So, in this case, for example, really obvious stuff. So, less than a hundred real users have streamed this. 99.99% of all of their streams, historically, are from fake accounts. You know, maybe they have less than a total of 2,000 streams total.
Whatever it is, they’re gonna have these rule sets we have in place to make sure it’s only the worst of the worst fraud, and then we’ll — the streaming service will just straight remove that content or take it off the platform entirely. That seems to be incredibly effective because the fraudsters realize they’re caught and they just stop on that or go to different services. So, I think our approach has been less — I’m not naive enough to believe we’ll always stop fraud. I think historically you can look at all fraud and say that’s never the case. There’s always going to be smart people and they’re gonna try different techniques. But I think we can make it so difficult that they just go to other industries.
JACK: [Music] It’s so interesting for me to listen to him talk, because this isn’t a cybersecurity story, yet everything he’s saying is exactly what happens in cybersecurity land. You set up monitoring tools, you build rules to detect problems, and then you make it harder for people to exploit those things again. They did it all from scratch. We all know in cybersecurity you can never stop hackers, but what you want to do is make it so hard for them that they move on to an easier target. That’s something I’ve heard again and again, yet that’s what he’s doing in this world. Some people always reach out to me and complain that when I do an episode that’s not cybersecurity-related that they get upset. But listen, this show is about the dark side of the internet. To me, that encapsulates way more than just cybersecurity. It’s about all the hidden stuff that you never see or experience.
I want to shine a light on that shady, dark, gritty, underground aspect of our digital life. The fraud and the manipulation of algorithms, the websites and technology, the people who abuse it, and of course, hacking in cybersecurity, too. [To Andrew] I was trying to find a link I had a long time ago. There was a — I’ve actually seen many Reddit posts where people are saying, hey, what’s up with my Spotify account? It suddenly shows that I’ve played a whole bunch of these artists that I’ve never even heard of much less played. I don’t understand why my Spotify is showing that I’ve played these, and it’s recommending all this other stuff.
ANDREW: Account takeovers. That’s a huge percentage of what we see now. If you think about — you’re in cyber, so imagine it’s a giant arrow back to you. If all of your bots look the same, it’s easy to cluster them. If they’re behaving the same way, it’s easy to cluster them. If they are all streaming one artist specifically, it’s like a giant arrow back to that artist. If they’re all streaming from one distributor, it’s a giant arrow back to the distributor. So, you need to hide the needle in the haystack, and the easiest way today to do that, or what we’ve — I’d say for the last three years put a lot of R&D in to catch, is account takeovers. So, they’ll log in as you, play a song five or six times, and then leave. Then all of this stuff you do naturally just hides whatever they did. So, they don’t have to create that. They don’t need to make differences. You don’t need to program in artificial changes in your bots. You just basically log in as somebody, play five streams, and hope they don’t notice. I would say that that’s really common these days. That’s the number-one growth area for fraud that we catch, is account takeovers in general, or adding devices to family plans. So, we’ll see a device that’s an iOS that’s legit, a Tesla that’s legit, and then an Android that’s all fraud.
JACK: Wow. Okay, so, what I don’t understand is how they’re taking over the accounts. You say it’s one of the biggest things you’re seeing. How are they getting so many Spotify accounts or whatever streaming service?
ANDREW: So, there’s a couple ways. The simplistic ways are — 90% of internet log-ins are just people trying different data-breached passwords and usernames. I would say that most streaming services are not high on people’s priority list for protecting. So — and there’s a sort of product question about how much friction do you add into a service to make it difficult for users, ‘cause it hinders growth, right? So, I think there’s an interesting friction point there between how secure do you make a streaming service on the user end and how much do they actually care, and do they really care if your account that was used to play a song ten or twenty times? I don’t think they’re realizing how much damage it does in aggregate. So, there’s that issue, I would say. I mean, you’ve been on — your whole series is called Darknet Diaries. You get on the darknet and download these accounts quite easily.
I think at one point, to prove a point, we went on and downloaded and showed people, some executives, that I could get 100,000 accounts on every single streaming service immediately. It gives you the independent — the infection date and the last log-in date. You can even get — if they have malware on the actual device, you can even get all of the browsing history, too. So, if you want to warm up the IP before you use it, you can kind of mimic their behavior before you log in. There’s lots of this stuff existing. There’s also an API that we found in the darknet where they own tens of millions of these accounts, and they will spin them up for you. So, you basically tell them the parameters of the types of plays you need, and they make sure that no single account is overused or indexed too hard, and they actually create the fraud for you. [Music] So, it is a fully professionalized, industrialized supply chain for fraud at this point.
JACK: Wow. Seriously, wow. He’s shown streaming service execs that he can get 100,000 accounts on their platform instantly, because after a data breach there’s communities of people who will parse through those usernames in the data breach and pluck out all the streaming service accounts, or even try to use those usernames and passwords on a streaming service to see if they reuse passwords. From that, they build the giant list of users for each streaming service, and that list is valuable because if you can manipulate the streams, then you can get paid by these streaming services. I’m just astonished because when I hear how bad the problem is like this and how easy it is for people to get access to our stuff, it’s like a cold, wet slap in my face. I kinda go through this process again and again when making the show. At the beginning of this episode I’m like, ooh, these are some interesting techniques. Maybe I’ll try one of these on my show.
But by this point of the story, I’m so mad that these companies aren’t protecting our data and it’s just exposed on the dark web only for fraudsters to use to make money for themselves off my account. Because it’s our data; it’s not some nameless victim out there. It’s yours and mine that these people are gaining from. I’ve done this show long enough to know that there is no way from keeping our data from getting leaked, which makes me black-pilled, right? Like, okay, I’m giving up. Oh well, my data’s out there. I might as well just assume I have no privacy anymore because it’s out there like, all over the place. I just totally give up protecting myself. But I don’t like feeling hopeless. I’m not someone who gives up forever. I’m an optimist. I’m a fighter, and I don’t mind hard work. So, then I get this surge of ideas, and it makes me white-pilled, because then I realize, wait a minute, who’s the ding-dong who told them my address and gave them my password and username and telephone number and all that stuff?
I am. Hell no. No more am I telling these companies my real name or phone number. I’m not going to reuse passwords or even reuse e-mail addresses anymore. It’s a war out there, and I’ve got to take care of my own data since no one else will. Okay, anyway, the name of the company that Andrew co-founded was called Beatdapp in order to analyze music streams to detect fraud. He abandoned the original idea of using the blockchain to help these labels get paid properly, and he focuses on this now, pretty much entirely working for streaming services now. [To Andrew] Yeah, well, I guess what I’m wondering is you almost need a black-hat person who knows that, the cheating industry, who’s been there, to actually sit down and look for these — to look for things you haven’t found yet, right? To find new signatures.
ANDREW: Totally agree. I think I’m that guy, probably. Yeah. You know, the music industry often said I’m their hacker now. I’ve switched sides. I think the side-switching is mostly industries. I would say the — for me, the difference is that users no longer have to actually engage with the content for that artist to get paid. What I did back in the day I really believe was in service of the artist. If the artist is good, the people will listen, consume, and adopt it. If the artist is not, they will let you know right away that it’s trash. I think that has changed in a sense that you can be a trash artist that manipulates lots of streams and gets paid without actually being good or having real users or being able to sell ten tickets to an event. So, I just think they’re now stealing from other artists.
JACK: Yeah. So, you’re saying it’s now more of a financially-driven thing and not so much a let’s try to market this person and get them to break out. But I push back at you because you did that ad arbitrage where you’re like, hey, we could print money by charging this much CPM and then actually just paying for somebody to come here. So, you were financially driven in some aspects, as well. It wasn’t always, oh, let’s just market someone.
ANDREW: I regret that, and thank god that the Statute of Limitations has passed, ‘cause it was definitely not my proudest moment, for sure.
JACK: What I didn’t realize is that musicians don’t get paid per stream on these platforms. Instead, they get paid a percentage of what advertising revenue came in for that month, which means fraudsters are stealing money from real artists.
ANDREW: Okay, so, the way the music industry works is that there’s one — I’m gonna simplify this ‘cause it’s a little more nuanced, but generally speaking there’s one pool of capital. Every month a streaming service makes money from advertising revenue and subscription fees. Now, this money goes into one pot, and it’s paid out every month based on play count. So, if you’re an artist and you make — you did, let’s say, 100,000 streams, and that streaming service did a million total streams that month, you get 10% of that pot. You get your percentage of streams for the whole entire — of the whole, entire streaming ecosystem you’re in of the revenue. So, it’s a performance pro rata. What happens is you could release a song in November and do a million streams and get paid $3,000, and that’s correct. You could release the same song and do a million streams in February and get paid, I don’t know, $500, and that could also be correct.
The reason the numbers could be different is that month the advertising might be smaller because they’d spent — especially as February or January, they had spent a bunch of money for Black Friday and holidays, and advertisers weren’t spending as much in January, February. You could have less subscribers. You could also have had a major release. So, say Taylor Swift released a track or an album, and all of a sudden the majority of streams are going to Taylor Swift, then your pro rata goes down. So, you could actually have wildly different amounts of money you make for the same general performance because it’s a performance base relative to the entire industry. So, if you do one of ten streams, you get 10%. If you do one of twenty streams, you get 5%, and so on. So, why that matters and how you steal is that fraudsters will load millions of songs onto streaming services as if they’re independent artists.
[Music] They’ll create different independent artists’ names, different independent artist labels, they’ll put them in different parts of the world so it just looks like they’re from different people, different regions, different companies. They will load those direct do-it-yourself, like DIY to streaming services through distributors. So, the distributor is an aggregator who, if you’re an independent artist, you upload to like a DistroKid or a TuneCore or a Symphonic or whatever, and they basically put all the data together and all the pieces together and upload it to the streaming services for you. So, they do it in one shop for you. So, instead of you going and uploading to a hundred different streaming services, you go to this one provider and they aggregate it and put it on to all the stores for you.
So, these fraudsters will create fake artists, fake labels, they’ll use fifteen or twenty different distributors so there’s not one point of failure, they’ll upload — so, they’ll get millions of songs onto streaming services, and then here’s the key; they will play a bunch of these songs small amounts of times. They do not want to get noticed. You don’t want an artist that charts that’s not real. You want to generate 1,000, 3,000, 4,000 streams, but you don’t actually — no one notices the song with 3,000 plays. So, if you create a small number of streams across a large number of artists, then your aggregate pro rata, the amount that you actually have of all of the pools for that month, can dramatically increase, ‘cause you’re stealing pennies. It’s basically like Office Space. You’re stealing pennies from all of these different artists. They just don’t realize it. But in aggregate it’s a large amount of money. So, the way that it works today is about $3 billion worth is stolen from real artists, because it’s going to people that are not real artists.
JACK: Wow, $3 billion is going to fraudsters who are manipulating these streaming platforms. That’s incredible. It’s apparently very profitable to go through all this process of making tons of songs and getting someone else to play those songs across hundreds of thousands of accounts. It seems like a lot of work, but man, it’s really paying off for them. If it’s paying off, then that means it’s only gonna grow. [To Andrew] So, a few times you’ve made my — the hair on my neck stand up when — ‘cause I’m a big privacy advocate, right? I’m crazy into it. I’m a freak about it. So, you’ve talked about some of the metrics you’re getting from some of these apps such as gyroscope and battery life.
As a privacy person, I don’t understand why I need — you need to get my gyroscope information in order to just let me play a song. But on the other side, when I went to actually take ads out on some of these platforms to say, hey, market a legitimate ad on the platform, they’ll ask you, hey, when do you want someone to listen to this ad? Do you want them to listen while they’re working out, while they’re having sex, when they’re making dinner? I’m like, how the heck do you know when someone is making dinner? What is going on here? So, the amount of information that these streaming platforms have on us is crazy. I don’t know what question I have, but it just — like I said, it makes my hair stand up.
ANDREW: I agree, but I would say for us, just know that in most cases they treat that data like it is the most important — I mean, they treat it — having come from healthcare in the previous company, they treated it at a level way higher than healthcare, like crazy, like HIPAA compliant times ten. They are insane with this data. They hash everything. They’re very particular about how it gets to us, how it gets back. We get security audited. We have an entire internal security team. It is — it’s partitioned in lots of ways so even if you get to one piece, you can’t get to the rest. We are insane because they make us be insane with it. Again, at the end of the quarter, you’re like, it’s just streaming data. But people are stealing $3 billion a year. So, that’s a massive amount of money that is going sometimes to people like terrorist organizations and organized crime, not some kid in a basement.
So, the argument also is I think that there’s some large-level implications for where this money goes and what happens, but I will say that the streaming service side treats that data — whether or not you want them to have it, they treat it like it’s very, very important. I’ve never come across a streaming service that casually allows data. Even then, when we decide exactly what fields we need from different streaming services, we then reject the rest of the fields. We take the least amount that we need to do our job once we’ve built the models, and then if we built a new model or find a new thing that we need to do, we re-ingest that data and build again. But we don’t typically just sit on all this stuff, even if it’s anonymized, because we just don’t want it. So, again, my point is I feel they’ve been very responsible with it, if that makes you feel any better, even though they haven’t.
JACK: You said terrorist organizations?
ANDREW: [Music] Yeah. Imagine that you could move money through a streaming platform without anyone noticing. So, what you do is you take dollars, you turn it into crypto at crypto ATMs, you pay the streaming farm operators in cryptocurrency to stream a certain amount of songs. Those songs are owned by different entities globally. So, quite literally you could move money from Colombia to Doha through the streaming service. It’ll all be washed and clean through the streaming services themselves, directly funding terrorist activity.
JACK: So, the artist that they’re playing is an artist that they’re controlling because they’re getting paid…
ANDREW: They’re making fake artists. They’re putting fake artists’ names up. They’re taking music that’s not theirs. So, they might hack, for example, Dropbox accounts. ‘Cause you figure one out of every hundred songs typically an artist releases — so there’s a huge back catalog of artist songs that have never actually been distributed, and when they’re distributed is when they’re fingerprinted. So, a lot of these don’t have fingerprints. So, if you upload them and there’s no fingerprint, the streaming service and the distributor feels that you are the rightful owner of that song ‘cause they’ve never seen it before. So, now you can take old songs that have never been digitized, make them your own, and then manipulate the stream. So, the first step is just getting the music.
The second step is manipulating the streams so you get paid. If you were a terrorist organization and you build all this infrastructure, you might have literally let’s say thirty different music label entities around the world all using different distributors with, I don’t know, a hundred quote, unquote “independent artists” in each, and then you’re going to just run small numbers of streams to those on a hundred different streaming services and slowly get paid. But that money will be clean and end up from one location to another without you ever having to actually transport the cash.
JACK: You think that’s…? I mean, looking at those numbers, how much cash do you think they’re transporting? 80…?
ANDREW: Hundreds of millions of dollars.
JACK: Well, I was gonna guess a percentage here, right? So like, if I have $100 million and I say I need to transfer this, 80% of it makes it?
ANDREW: Oh, percentage-wise of the dollar? Like 40% to 50%.
JACK: Yeah, ‘cause it’s not — see, this is — they’re losing a ton of money on — in the transfer, then.
ANDREW: But it’s better than leaving it in cash. Honestly, that’s what typically — how do you move this much cash? They’re gonna pay someone to wash their money regardless, sometimes 20%, 25%. They’re gonna pay a large amount of money anyway. Then they still need to move that money and sort of pay taxes on that money when it ends up — you end up losing a lot anyway. So your other approach is just to hide it somewhere or keep it as cash and find other fronts to move it through. It actually ends up that over the last ten years, the music industry, as it was growing so fast, was a really opportunistic place to hide or wash money because no one was watching it.
JACK: Now I think I’ve come full circle on you saying you were gray hat, because I was saying to myself, if you’re breaking the terms of service, it’s black hat. Now I’m like, wait a minute, if you’re breaking the law, that’s black hat. This is different than terms of service.
ANDREW: Yeah, that’s how I feel, you know? I didn’t break laws. I just definitely didn’t agree that I wasn’t allowed to do something.
JACK: Yeah, and now it’s getting crazy, where hundreds of millions of dollars are being sent from — from who? Who’s involved in this?
ANDREW: Well, imagine any kind of illicit activity; you can move the money to your partners. You can send — how we potentially caught one, for example, is you’d see the exact same percentage — like, let’s say that you have a million users all playing music. I’m just gonna use Colombia as an example. But they’re — the beneficial — if you think about who the artists are that’s benefiting from those plays, it would be abnormal — in one case, for example, where we saw — I’ll give you — I don’t know the exact numbers so I’m gonna give you examples here; like 12% always in a Hong Kong entity, and 30% in a Canadian entity, and 40% in a Middle-Eastern entity, and, you know, maybe another 10% somewhere else. So, if all the numbers of streams are changing every month but the beneficial owner percentage is exactly the same, it looks as if someone’s moving money from one location to another location through these other entities.
JACK: So, the moving part is that they’re paying bots or listening to a stream…
ANDREW: Yeah, they’re paying a streaming farm to create the streams whether they’re doing it through account takeovers or bots or whatever, but the end result is they’ve uploaded as owners under these different entities all of these fake artists that have songs on the streaming services. There’s roughly a hundred streaming services globally. So, they’re uploading it onto all these streaming services and they’re telling these streaming farms to go play those songs across all the services.
JACK: Then the person who owns that account is getting paid for their streams, and then the money is arriving to where they need to send it.
ANDREW: Yeah, exactly, because now the streaming service thinks, oh, XYZ label in Hong Kong had X percentage of the total streams. We have to pay them out. So, it gets paid to the distributor and paid to them, and they just get paid.
JACK: This is one of those stories that I feel like the floor has dropped out in my head, of like, oh yeah, we have — I have a good understanding of how money laundering happens and how things get sent here and there and how you clean money. But then when you hear about stories like this where, oh yeah, they’re using a streaming service to launder money and send it across the globe, suddenly my head’s like, well, you could do that with buying and selling things on the Steam marketplace or Roblox accounts or any other marketplace that has money shifted here and there. This isn’t even a straightforward like — here, I’m buying something from another user. This is, oh, they’ll pay us for streams. If we can get the streams, then we can get paid. It’s such a roundabout way of — a convoluted way to launder money that it’s blowing my mind and it just makes me think that every single place that has money going in and out is probably getting hit with something like this.
ANDREW: 100% agree. I think the more convoluted, the better for them, ‘cause it’s so much harder for the average person to understand how the money moves.
JACK: ‘Cause I mean, even something like Twitter is — you get paid for how much engagement you have, right? So, you could totally…
ANDREW: Oh, yeah. Any of these engagement-based activities, especially in Web3, anything at the time — a couple years ago there was this big push with treasury tokens. So, you’d get paid every time people interacted with you on SocialFi platforms or any of these GameFi stuff. You could manipulate all of this stuff and then get the tokens, take it to market, and sell it.
JACK: It’s crazy to me that there’s a dark web API that has access to millions of online streaming accounts, and if you feed it money, you can get all your songs played a bunch. I bet whoever runs that hates Andrew.
ANDREW: I mean, I’ve had a couple of them do crazy stuff like reaching out or say things. But I would say that generally — we were talking once — our lawyer for the company is this guy named Jim Trusty. He was the former Chief of Organized Crime for the DOJ. He told me once that the good news is they don’t typically shoot the border guards. It’s kind of a gentleman’s sport. So, I would say that most of them just changed their tactics and changed the way they behaved. I also think the industry has progressed. In the early days there was some real trepidation or fear around what happens, ‘cause we’re just a handful of people that know what’s going on here. I would say now every single streaming service has a trust and safety department. Every single stream label has a fraud trust and safety person. So, the industry has changed over the last three years in a way that I would say I feel less scared about. Like, if you did something to me or my co-founders, it’s not going away at this point. The cat’s out of the bag. But I would say there was a real moment in the early 2021, 2022 where we were actually very concerned about what happens if…
JACK: Yeah, I mean, especially if you’ve got cartels that are moving money in big ways and you’re like, okay, let’s put a stop to these guys. I could see them being upset with you.
ANDREW: I mean, that was my concern, but again, I think we sort of — whether or not it was naive at the time, it was more like, oh, well, they don’t normally shoot the border guards. They just find a different way to move the money, you know?
JACK: Do you ever point the feds to someone and be like, hey, these guys are breaking a lot of laws? Like, I don’t know, the dark web API or cartels moving money. We’ve gotta report this to someone more than just the streaming service.
ANDREW: Yeah, in some cases when we find things that are outside the data that is given to us in privacy, then sure, we might tell people. But generally speaking, we report the results back to the streaming services and then they determine — and the distributors, for example, and the collection societies, right? They determine then who to — who they want to work with on the government’s side to prosecute, ‘cause that’s typically a long road, three to five years, sometimes — especially in multiple countries you’ve gotta deal with Interpol and all kinds of different activities. So, I think — I would say that’s an area that’s emerging, but we provide all the evidence that they need, and then they — and help them package it to whoever agency they’re going to. But typically they are the ones that are the ones actually determining whether or not they’re gonna pursue it.
JACK: Okay, I’m now changing my mind. What Andrew did when he was younger I used to say was black-hat marketing, but now I’m gonna say he was doing gray-hat marketing. Aside from the ad arbitrage stuff, all he did was violate the terms of use on websites like Facebook and YouTube by artificially inflating the numbers. Coming into this, I would have said that’s black hat, but not now. Now I think these cartels or terrorist organizations that are moving hundreds of millions of dollars through these streaming platforms, that’s black-hat marketing. That’s some real dark stuff. Any time these streaming services have to call the authorities on someone, that’s what I think is black-hat marketing at this point. I suppose because now that I’ve seen such an extreme side of this marketing, I’m no longer so judgmental about somebody having a bunch of fake followers on their account to help them break out. Because really, the fake followers and algorithm manipulation can only go so far.
If they’re a bad musician or whatever it is they’re creating, they’ll never take off no matter how many fake streams they get. But if they are great and people really love them, then that was just a growth-hacking technique to kick start their journey. After they break out, there’s no longer a need for all the fake followers. You do run the risk of getting banned off those platforms, so I don’t recommend doing it. But now that I think about it, banning users is really tricky, because suppose Twitter has a way to detect when there are fake followers, right, and they automatically ban someone if they have — like 60% of their followers are fake. Well, then imagine someone gets millions of fake followers to follow Elon, and he gets kicked off for having a majority of fake followers following him. You see, you can use these bans as a weapon to get someone else banned that you don’t like. So, banning users for having a bunch of bots following them is really, really tricky, and maybe you can’t even do it.
[To Andrew] With all this information you have, you’ve gotta have probably some sort of restriction on what you’re allowed to say, because if there is — you can see who the top artist of the day is. You have so much data. You could see how many streams are getting — and all this sort of stuff. Magazines like — I don’t know Pitchfork, but whoever is the music industry magazines would love to know who’s the top streamer of the day or week or month or something like that. A lot of the stuff is kept quiet. We get to see some statistics of what — how many downloads a song has, but we don’t see very much of that. You could have such an outstanding blog of like, here’s what’s going on today, and people would just flock to it. It would be huge, but you’re probably not allowed to share that kind of information.
ANDREW: It’s our core promise to all of our vendors. Like, you give us your data; we do not monetize it in that way. So, we provide you results back as a true financial tool and a trust-and-safety tool. We do not monetize it in any kind of marketing, any type of market reports. We will not monetize the data they provide us. They pay us an annual service fee so that we aren’t incentivized to find more fraud than there is. If there’s not a lot of fraud, we tell them. If there’s a lot of fraud, we tell them. We are just the trusted source of truth, but we do not — we don’t monetize that data in any way. Yes, we could probably build a massive company, but I’m not sure they would trust us in the same way. I think that’s why a lot of these marketing-level companies that do aggregate data, they get very limited data sets because they — the biggest fear for these services is the state of being public or going other places. So, we are allowed — we are privileged enough to handle it because we’ve built a large and strong level of trust with all of our partners, and they know that we would never violate that trust.
JACK: Yeah, at first I was thinking as well of like, oh, you’re saving all these streaming companies money by saying, hey, don’t pay these people ‘cause they’re not doing it. But now — but at the beginning you told me, no, there’s a big pool and a percentage goes out to whoever gets the streams. So, I don’t think you’re saving these streaming companies any money at all because they have to pay out 100% every month or whatever.
ANDREW: Yeah.
JACK: Whether it goes to the right person or the wrong person…
ANDREW: We’re a cost of doing business for them.
JACK: Okay.
ANDREW: We’re a cost of doing business for them. I would say in some cases they save money. So, there’s — this is where it gets nuanced. What I’ve been talking a lot about is what’s called interactive streams, where people get to choose what song they listen to. But in cases where it’s non-interactive — think of it like online radio — they have to pay a set rate out. There’s a rate card that’s in. So, when you remove the fraud from those, they actually do save money. So, in some cases, in some areas they’ll save money, but I would say generally across the board, they’re probably not making money off of us if they’re interactive. So, if they offer a service where you get to choose what you listen to, they’re probably not making money off of us.
But they also — if I’m being honest — don’t want to be the executive who’s blocked for funding terrorism. So, there is an existential risk. Also, you figure the major labels are huge victims here. Keep in mind, if you’re a major label, you own and distribute probably over 80% of all revenue-generating content. Not just all content but revenue-generating content like royalties are coming primarily from the major labels or the independent labels they distribute as a major. So, when you look at it as a whole, if you’re a streaming service and 80% of the things people are listening to are controlled by these three parties and they’re saying we’re tired of being victims; if you do not have a service like this, you cannot have our content, it moves a lot of needles.
JACK: Wow. Well, this — so much of this was so illuminating to me. I did not know about this world much at all. I told you what I do know, and it was a few things here and there, but man, there was so much I’ve learned here. Thanks so much for coming and telling me all this.
ANDREW: Yeah, thanks for having me on. It’s been really fun. Again, I appreciate you making the time for me.
(Outro): [Outro music] This show is created by me, the hashed brown Jack Rhysider. Our editor is our friendly sysadmin Tristan Ledger, mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder. I don’t know about you, but the next time someone makes fun of me for the music I listen to, I have the perfect excuse; oh no, my account’s been hijacked! It plays random stuff, I swear! I can’t stand this band. You kidding me? This is Darknet Diaries.
[End of recording]