They did it, essentially, in their sleep.

A scamming operation in Bulgaria swindled as much as $1 million in royalties out of Spotify last year, according to high-level music-industry sources in a bombshell Music Business Worldwide report this week. The Bulgarian entity—which hasn’t been identified, and may be either an individual or collective—pulled off the feat reportedly by uploading several third-party playlists of songs, creating a flurry of fake Spotify accounts to boost their play counts, and reaping the cash rewards out of the music-streaming company’s percentage-based payoff system.

A major-label executive first spotted the unusual activity in September 2017 in Spotify’s regular revenue roundups sent out to the industry, according to the report—but it was already too late.

Some time last year, two playlists were uploaded to Spotify with music that can be traced back with ISRC codes (the international system to identify music and music videos) to an operation in Bulgaria. They rocketed up in Spotify’s weekly global playlist charts, which keep tabs on the playlists bringing in the most revenue. The playlists featured around 500 songs with only 1,200 listeners apiece. Most of the tracks were 30 seconds long—suspicious, considering that’s exactly the minimum amount of time a song must be listened to before Spotify registers a single “play.”

It’s possible that those 1,200 followers were real, ardent listeners, streaming the tracks for hours at a time. But what is far more likely is that a Bulgarian individual or group set up 1,200 paying Spotify accounts and played the 500 tracks on continual, random loop. That seems expensive—1,200 accounts at the rate of $9.99 a month adds up to $12,000 for the person running the scheme—until you look at the payouts.

Spotify’s average per-track payout is $0.004 per play. If 500 30-second songs are set to play on an automatic 24/7 loop for one month, that’s 72 million plays in that period—or $415,000 a month.

That’s for one playlist; the other known suspicious Bulgarian playlist was pushing out comparable numbers, and there may well have been others that remain undiscovered. Music Business Worldwide’s sources estimate the scam ran for four months before industry officials alerted Spotify, which deleted most of the playlists’ tracks. Spotify says it is “improving methods of detection and removal”; short of manually screening every single one of the 30 million tracks in its catalog, though, there’s no obvious way this can be done thoroughly and consistently.
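The two signals the report points to, tracks clustered at the 30-second play threshold and far more plays than a small listener base could plausibly generate, can at least be screened for automatically. The Python below is an added example, not part of the original article and not Spotify's detection logic; the record fields, thresholds and sample data are assumptions.

```python
from dataclasses import dataclass

PLAY_THRESHOLD_S = 30  # per the article: minimum listen time that registers a play


@dataclass
class PlaylistStats:          # hypothetical record; field names are assumptions
    name: str
    track_durations_s: list   # one entry per track, in seconds
    listeners: int
    plays: int                # plays counted over period_days
    period_days: int


def near_threshold_share(p, slack_s=5):
    """Share of tracks only just long enough to register a play."""
    if not p.track_durations_s:
        return 0.0
    hits = sum(PLAY_THRESHOLD_S <= d <= PLAY_THRESHOLD_S + slack_s
               for d in p.track_durations_s)
    return hits / len(p.track_durations_s)


def min_hours_per_listener_day(p):
    """Lower bound on daily listening: every counted play lasted >= 30 s."""
    if p.listeners == 0 or p.period_days == 0:
        return float("inf") if p.plays else 0.0
    return p.plays * PLAY_THRESHOLD_S / p.listeners / p.period_days / 3600


def flags(p, max_share=0.5, max_hours=12.0):   # thresholds are assumptions
    found = []
    if near_threshold_share(p) > max_share:
        found.append("tracks clustered at play threshold")
    if min_hours_per_listener_day(p) > max_hours:
        found.append("implausible listening time per listener")
    return found


# Constructed sample data. SUSPECT uses the article's figures (500 tracks,
# 1,200 listeners, 72 million plays in a month); the 400/100 duration split
# and the whole ORDINARY playlist are invented for illustration.
SUSPECT = PlaylistStats("suspect", [30] * 400 + [45] * 100, 1200, 72_000_000, 30)
ORDINARY = PlaylistStats("ordinary", [180, 200, 215, 240] * 10, 20_000, 600_000, 30)

if __name__ == "__main__":
    for p in (SUSPECT, ORDINARY):
        print(p.name, round(min_hours_per_listener_day(p), 2), flags(p))
```

On the article's figures, the lower bound works out to roughly 16.7 hours of listening per account per day.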

Until Spotify does come up with a solution, cheating music streaming—a massive, lucrative, and still-booming industry—will remain remarkably easy. “It’s something that will probably increase. Whether that results in thousands of misappropriated dollars or millions, I don’t know,” John Seay, an entertainment lawyer who specializes in copyright and streaming, told Quartz back in 2016. “[Click fraud] is a new development in an ongoing narrative of hustlers trying to get money they’re not entitled to.” The Bulgarian scheme isn’t notable for its originality so much as its sheer scale and ease.