Melbourne hacker and payments security professional Peter Filimore, who, it should be mentioned, cannot play or sing a single note, managed to accrue $1,000 in royalties and knock artists like Pink, Nicki Minaj, and Flume off high spots in online music charts through the use of bots.

In an effort to uncover security flaws in online streaming services like Spotify, Filimore decided to send “garbage” tunes to the top of the charts and generate royalties in the process. Filimore started by using algorithms to compile public domain audio and splice cheesy MIDI tracks together.

Filimore then purchased three Amazon-linked compute instances — virtual servers that are able to run applications — and created a simple hacking script to simulate three listeners playing his songs 24 hours a day for a month, while accruing reviews that described his music as “rubbish.”

“I’m not a musician,” Filimore told SC Magazine at the Ruxcon security event, held in Melbourne this week. “But I kept hearing that artists were going broke and wanted to look into it. As it turns out, you’re doing it wrong if you want to make money in music by being a musician.”

Filimore’s account was banned by Telstra’s MOG and Spotify, though Filimore suspected it wasn’t through any kind of automation. In the case of MOG, Filimore’s 1,200 plays would have been unusually high traffic, while Spotify users likely reported the popular yet awful music to site admins.

Besides seeing his tunes rocking the tops of the Rdio charts, Filimore’s experiment also netted him $1,000 in royalties and uncovered serious security flaws hidden in the way online streaming services operate, all for the price of $30.

Filimore said that using the same techniques he employed during his experiment, artists could in effect launch “Denial of Service” attacks against rival artists by directing fraudulent plays from attacker-controlled cloud computing instances to the target artist’s account.

Filimore also explained that using a larger cluster of computing instances could potentially generate thousands of dollars in fraudulent royalties. He said that he’d seen another “fake” artist who appeared to be scamming royalties, operating under the name ‘Scam Artist’.

Readers can check out Filimore’s talk at Ruxcon 2013, titled ‘How To Top The Charts with Zero Melodic Talent and a Few Friendly Computers’, below.

Watch: Ruxcon 2013 Talk On ‘How To Top The Charts With Zero Melodic Talent’

UPDATE: Spotify have contacted Music Feeds with a statement in regard to Filimore’s suspicions about his account’s eventual ban from the music streaming service. They say that, although there are automated processes in place to identify suspect activity, the actual removal of the unwanted music is a manual process. Read the whole statement below.

“Spotify understand there needs to be a tight balance between providing artists with the freedom to get their music out to millions of passionate music fans across the world, and ensuring this freedom isn’t abused by a minority.

“Any artist can get their music up on Spotify through our various aggregators quickly and simply, which is critical to Spotify’s belief in offering a truly democratic music service to artists and users alike.

“Filimore’s comments about not having any type of automation are incorrect. We do have automated systems in place that regularly check to identify and flag any suspicious streaming activity (such as in his case). The removal of any ‘fake’ music though is a manual process to ensure ‘real’ content is protected.

“We have these aforementioned systems in place as a priority to protect real artists and the integrity of the content on our platform.”



(Via SC Magazine)