WEBVTT

00:00:00.000 --> 00:00:03.680
JACK: I’ve always liked the idea of fake it ‘til you make it, where you act like

00:00:03.680 --> 00:00:09.200
someone you want to be until you become them. This sometimes comes with imposter syndrome,

00:00:09.200 --> 00:00:14.160
but I think the antidote to that is just more experience. But how do you go from being a

00:00:14.160 --> 00:00:19.760
total beginner to confidently doing something? I often turn to the book store to help me there. But

00:00:19.760 --> 00:00:24.800
you know a book that’s always bothered me? It’s those For Dummies books, like the C Programming

00:00:24.800 --> 00:00:30.080
For Dummies, or The Complete Idiot’s Guide. Even if I don’t have a clue where to start,

00:00:30.080 --> 00:00:34.640
I would never buy one of those books because I don’t consider myself a dummy or an idiot,

00:00:34.640 --> 00:00:37.920
because I want to fake it ‘til I make it, and I don’t want to fake being a dummy. I want to be

00:00:37.920 --> 00:00:42.080
a great programmer. So, A Dummy’s Guide to Programming is not the direction I want to

00:00:42.080 --> 00:00:47.200
be going. I think what those books fail to do is they seem to target who you are now,

00:00:47.200 --> 00:00:51.280
not what you want to become, and that was their failure, at least for me.

00:00:51.280 --> 00:00:56.400
I’ve bought tons of how-to books, but I will never buy one of those books. To me,

00:00:56.400 --> 00:01:03.200
the key to success is in the aspiration. I would instantly buy books that were titled How to Be an

00:01:03.200 --> 00:01:09.440
Amazing C Programmer, because that is what I want to become. The book could contain the exact same

00:01:09.440 --> 00:01:14.240
words as the other book, that C Programming For Dummies, but it would have an entirely different

00:01:14.240 --> 00:01:19.920
impact on me. Every time I saw the title, I’d feel like I’m becoming more and more like the person I

00:01:19.920 --> 00:01:26.160
want to be, an amazing programmer, and that would give me that false sense of greatness, which is

00:01:26.160 --> 00:01:30.800
exactly what it’s like to fake it ‘til you make it. Because it’s not about who you are today;

00:01:30.800 --> 00:01:36.400
it’s about who you aspire to be tomorrow. It’s about embracing the journey of transformation and

00:01:36.400 --> 00:01:41.920
allowing your actions to shape your destiny. So go ahead and fake it. You can lie to yourself if

00:01:41.920 --> 00:01:54.066
you want, because sometimes the greatest lies are the ones that propel us towards our truest selves.

00:01:54.066 --> 00:01:55.760
[Intro music] These are stories from the

00:01:55.760 --> 00:02:18.920
dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries.

00:02:18.920 --> 00:02:21.240
JACK: Today I’m talking with Andrew.

00:02:21.240 --> 00:02:22.600
ANDREW: Yeah, I’m Andrew Batey.

00:02:22.600 --> 00:02:25.200
JACK: Andrew has a really unique job that I can’t

00:02:25.200 --> 00:02:28.400
wait to ask him about. But first we should learn about how he got there.

00:02:28.400 --> 00:02:33.120
ANDREW: So, I started on Facebook when it was still EDU-based, and then I was one of

00:02:33.120 --> 00:02:39.746
the first fifty beta advertisers on Twitter and learning to kind of misuse their system.

00:02:39.746 --> 00:02:45.600
JACK: [Music] Misuse their system. These systems are huge and complex; algorithms, likes, follows,

00:02:45.600 --> 00:02:51.508
and a whole ad network. He wondered if he could manipulate any of that to his benefit.

00:02:51.508 --> 00:02:54.160
ANDREW: The same thing with YouTube. You used to be able to break anything

00:02:54.160 --> 00:02:58.960
into the front page of YouTube, and I guess I quickly became the guy that you would go to

00:02:58.960 --> 00:03:02.840
if you wanted to sort of…like gray hat, black hats, and stuff.

00:03:02.840 --> 00:03:06.960
JACK: Gray hat and black hat and white hat, let’s talk about that. That’s gonna come up a lot in

00:03:06.960 --> 00:03:12.720
this episode, and we’ll start with white hat. White hat is doing something that’s 100% legal

00:03:12.720 --> 00:03:18.640
and safe, such as hacking your own computer. Nobody is gonna come arrest you for that.

00:03:18.640 --> 00:03:24.160
Black hat is doing something that’s illegal, such as hacking your ex’s lawyer to see what they’re

00:03:24.160 --> 00:03:29.840
plotting against you. Gray hat is somewhere in-between. Maybe it’s technically not legal,

00:03:29.840 --> 00:03:35.120
but you’re hacking into something only for research, but not to cause harm. But these

00:03:35.120 --> 00:03:41.840
terms also apply to marketers, someone who follows the rules such as paying for ads the normal way.

00:03:41.840 --> 00:03:47.040
That’s a white-hat marketer. But someone who uses bots, for instance, to artificially create

00:03:47.040 --> 00:03:51.600
a bunch of five-star reviews for something, that would be a black-hat marketer in my opinion,

00:03:51.600 --> 00:03:56.160
because they are lying and cheating with their so-called marketing and run the risk of being

00:03:56.160 --> 00:04:01.200
thrown off the very platform that they’re trying to grow on. At least, this is what I think these

00:04:01.200 --> 00:04:06.000
terms mean going into this episode, but my definitions might change as we go further. So,

00:04:06.000 --> 00:04:10.560
in my opinion, Andrew was a black-hat marketer. He was trying to promote certain products

00:04:10.560 --> 00:04:16.280
or people by tricking people or systems to artificially inflate something’s popularity.

00:04:16.280 --> 00:04:20.640
ANDREW: My favorite thing at the time was like-jacking. It was a weird time period

00:04:20.640 --> 00:04:24.080
because it was before fan pages. So, initially when Facebook first launched,

00:04:24.080 --> 00:04:28.880
you could only friend-request somebody, and there was a 5,000-person limit. What you used to do is

00:04:28.880 --> 00:04:35.040
you would hide the request — Friend Request button, or when fan pages launched, the fan

00:04:35.040 --> 00:04:39.080
Follow button, but you would hide it in the pixels. I don’t know if you’ve come across that.

00:04:39.080 --> 00:04:42.880
JACK: Yeah, I have. People who want to become popular on social media might do it, like

00:04:42.880 --> 00:04:47.760
an up-and-coming band who wants as many likes and follows as possible. If others think you’re good,

00:04:47.760 --> 00:04:51.280
then you’re probably good. So, you might show up in more people’s feeds because of that,

00:04:51.280 --> 00:04:55.760
too. Facebook made it so you could add a Like button anywhere you wanted, like on your own

00:04:55.760 --> 00:05:01.120
web page or blog. But if you were sneaky, you could trick people to clicking on that Like

00:05:01.120 --> 00:05:05.760
button when they didn’t know they were clicking it. That’s what click-jacking is, or like-jacking.

00:05:05.760 --> 00:05:12.160
ANDREW: In our case we ended up using it a lot on video or photo-sharing websites. So,

00:05:12.160 --> 00:05:18.240
when people were clicking Next or going through video or photo carousels, every time they were

00:05:18.240 --> 00:05:22.720
clicking — we sort of trained our users to double-click. We started buying these websites

00:05:22.720 --> 00:05:27.680
that were high-volume websites. Then eventually we started doing web development for other sites and

00:05:27.680 --> 00:05:33.200
then putting these in there. What would happen was — our hypothesis was that people did not log out

00:05:33.200 --> 00:05:39.120
of their Facebook. It’s cached in their browser. So, what we would do is just hide that pixel

00:05:39.120 --> 00:05:45.760
inside of other websites. [Music] So, we could drive millions of fans to things.

00:05:45.760 --> 00:05:51.040
JACK: Man, how clever; they bought a popular video and photo-sharing site,

00:05:51.040 --> 00:05:55.440
and as the users clicked Next or Play, it wasn’t the Next button. It was the

00:05:55.440 --> 00:06:00.400
Facebook Like button. The users had to click twice because the first one was just liking the photo,

00:06:00.400 --> 00:06:04.720
and then the second was going to the next photo. So, what Andrew would do is he’d advertise that

00:06:04.720 --> 00:06:09.520
he can get your Facebook page 5,000 followers and thousands of likes, and people would buy

00:06:09.520 --> 00:06:15.120
his service to promote their bands, and he’d artificially grow someone’s Facebook account.

00:06:15.120 --> 00:06:19.040
ANDREW: So, that’s kind of where we started a lot. Another thing we did in the early days

00:06:19.040 --> 00:06:24.240
was kind of an ad arbitrage. At the time, for example, when you charge an advertiser,

00:06:24.240 --> 00:06:29.840
they cared about time on site and sort of CPMs, but they didn’t care that much about the actual

00:06:29.840 --> 00:06:35.120
click-through or engagement with the ads. They just weren’t aware. I know that seems obvious now,

00:06:35.120 --> 00:06:40.800
but back in the 2000s, no one really knew that those were metrics to look at,

00:06:40.800 --> 00:06:45.680
like traditional advertisers. So, what we would do is we had these high-traffic-volume websites

00:06:45.680 --> 00:06:51.840
and we would, for example, have a $5 CPM, let’s say. But we could buy traffic for like,

00:06:51.840 --> 00:06:56.800
a dollar. So, we would blend enough garbage traffic in that we didn’t really ruin our

00:06:56.800 --> 00:07:03.240
overall time on site or user stats, but we would be able to sort of print money.

00:07:03.240 --> 00:07:09.360
JACK: Oh. So, he’d sell ads on his website but then pay fake visitors to click it,

00:07:09.360 --> 00:07:11.840
making it look like a lot of people clicked that ad,

00:07:11.840 --> 00:07:17.360
and then he would just collect the money for it. But really, it was just paid traffic. Huh.

00:07:17.360 --> 00:07:22.000
ANDREW: Another one that we did that was really interesting at the time was around YouTube. So,

00:07:22.000 --> 00:07:26.800
we figured out that you could basically — there were these pop-under ads back then,

00:07:26.800 --> 00:07:34.240
and you could — most people recognized them from the penis-enlargement ads and things like that;

00:07:34.240 --> 00:07:38.640
you’d click out of a website and there would be the annoying little open browser underneath it.

00:07:38.640 --> 00:07:44.000
We would load it with YouTube videos on mute, and we were able to rack up

00:07:44.000 --> 00:07:52.000
hundreds of thousands of plays to a YouTube video quickly. If we could get 300,000 to 400,000 views

00:07:52.000 --> 00:07:56.720
quietly in the background, we could basically break into the algorithm on the front page.

00:07:56.720 --> 00:08:00.240
Back then, people would go to the front page of YouTube to see what was trending. So,

00:08:00.240 --> 00:08:05.280
we would be able to break a bunch of different content pieces onto the front page of YouTube. At

00:08:05.280 --> 00:08:10.800
that point they had to sink or swim. You basically had to have good content that people liked or not,

00:08:10.800 --> 00:08:15.040
but pretty quickly it was evident; you either went viral or you were trash and you were removed

00:08:15.040 --> 00:08:19.520
quite quickly. So, we could get you there, but the question was whether or not you’d stick.

00:08:19.520 --> 00:08:24.240
JACK: Jeesh. Now, see, to me, this is all black-hat marketing. You aren’t bringing

00:08:24.240 --> 00:08:30.400
real customers to your site or video page. Instead, it’s all fake. It’s not quite bots;

00:08:30.400 --> 00:08:33.600
it’s real people clicking things, but they’re tricked into clicking things

00:08:33.600 --> 00:08:38.480
and they don’t know they’re clicking it. The stuff they’re viewing is invisible to them,

00:08:38.480 --> 00:08:43.840
but it’s playing in the background. So, I call this black-hat marketing because if YouTube found

00:08:43.840 --> 00:08:48.800
out that you manipulated your way to the front page, they’d probably ban you. But I also think

00:08:48.800 --> 00:08:52.960
if you have a bunch of fake followers, then that’s not real marketing, either. That’s cheating and

00:08:52.960 --> 00:08:56.720
lying and manipulating. [To Andrew] Now, when you say ‘we’, what was this — where is ‘we’?

00:08:56.720 --> 00:08:59.680
ANDREW: I had a couple partners that we did this with.

00:08:59.680 --> 00:09:02.480
JACK: Was this like a black-hat marketing firm?

00:09:02.480 --> 00:09:08.240
ANDREW: You know, that term wasn’t really a thing then. I would say we all considered it marketing,

00:09:08.240 --> 00:09:15.120
but we didn’t — I mean, yes, it’s black hat, but I wouldn’t say that that’s what we visualized it

00:09:15.120 --> 00:09:20.880
as at the time. At the time we really felt like we were just a marketing firm using all

00:09:20.880 --> 00:09:26.800
the possible channels we could to give a brand an opportunity to take off. What I got known

00:09:26.800 --> 00:09:37.840
for at the time was — we launched an artist on Facebook, and he had no label, no major label,

00:09:37.840 --> 00:09:43.440
nothing. He was found at a bonfire in Nantucket. So, it was kind of like an interesting thing.

00:09:43.440 --> 00:09:48.560
When we went to the labels back then and tried to convince them that you could use Facebook

00:09:48.560 --> 00:09:54.080
to launch an artist, everyone laughed at us and said Facebook’s for kids. We have a website. We

00:09:54.080 --> 00:09:58.880
do e-mail lists. We do paid marketing. This isn’t part of our mix. No one believed it

00:09:58.880 --> 00:10:04.400
was possible until we did it. Then after we did it, everyone wanted to pay us to do it.

00:10:04.400 --> 00:10:11.600
The hardest thing was trying to continue to perform, because then — everyone that finds a

00:10:11.600 --> 00:10:16.160
vein that works — everyone starts copying you, and then you have to find a new way. It’s like

00:10:16.160 --> 00:10:21.040
you’re constantly on a treadmill for finding new, innovative ways that you can break an artist or

00:10:21.040 --> 00:10:28.000
that you can just get attention. I think from our view, that’s the art of marketing. It’s less — it

00:10:28.000 --> 00:10:33.120
doesn’t — I think for a lot of us it doesn’t feel like black hat ‘cause we’re just using a technique

00:10:33.120 --> 00:10:38.080
or a tool that might only last for two months or three months until we have to find something else,

00:10:38.080 --> 00:10:42.000
and we all safeguard it. When we learn something, we don’t tell people. So, when we learned about

00:10:42.000 --> 00:10:46.800
like-jacking, which was the hypothesis we had, we definitely didn’t tell anybody because we didn’t

00:10:46.800 --> 00:10:50.960
want anyone copying us. We didn’t want people to know how we could drive a million fans to

00:10:50.960 --> 00:10:58.000
something, and they were all real fans. So, it was just kind of a — I think in that view,

00:10:58.000 --> 00:11:03.840
it’s just a different era. I would also say that no one even called it social media marketing.

00:11:03.840 --> 00:11:08.400
At the time there was digital marketing. New media was a term. There wasn’t even a term

00:11:08.400 --> 00:11:14.240
for — growth-hacking wasn’t even a term. No one even used the word ‘growth-hacking’. It just was

00:11:14.240 --> 00:11:19.680
not a thing at that moment. So, it is interesting to see how the whole thing has evolved. I do think

00:11:19.680 --> 00:11:25.920
that if you asked us point blank is what you’re doing violating terms and services,

00:11:25.920 --> 00:11:32.400
for sure we would have lied and told you — we would have told you no. But we all knew — we

00:11:32.400 --> 00:11:36.640
weren’t drinking the Kool-Aid. Everyone in the company knew we were violating terms and

00:11:36.640 --> 00:11:43.840
services. I think the thing we thought was, who cares? If a real user likes what we have to do,

00:11:43.840 --> 00:11:49.040
like what we’re presenting them — we’re not faking the genuine product market

00:11:49.040 --> 00:11:54.800
fit. We’re just trying to get in front of those eyeballs and see if we are a product market fit.

00:11:54.800 --> 00:12:00.560
JACK: That was a stretch as well, but I agree with you that I think a good marketing

00:12:00.560 --> 00:12:04.720
campaign is one that actually — ‘cause I think most people are like,

00:12:04.720 --> 00:12:09.280
I hate marketers. I hate ads. I hate all this stuff. But do you? When a product lands

00:12:09.280 --> 00:12:13.600
in front of you and it’s the perfect thing — it’s your new favorite song and you’re like,

00:12:13.600 --> 00:12:18.000
holy cow, I can’t believe I just found this, then you don’t hate it, right?

00:12:18.000 --> 00:12:18.234
ANDREW: Totally.

00:12:18.234 --> 00:12:24.160
JACK: So, if you can match that person who needs this product with this thing,

00:12:24.160 --> 00:12:29.680
and that is a marketing move that you’ve done, then that is fantastic marketing. I think — I

00:12:29.680 --> 00:12:34.000
wish that’s how all marketing was, was to actually find the person who needs it and

00:12:34.000 --> 00:12:38.960
then — and focus on them. Unfortunately marketing has a lot of wasted eyeballs looking at it.

00:12:38.960 --> 00:12:40.216
ANDREW: For sure.

00:12:40.216 --> 00:12:40.960
JACK: That’s a lot of wasted money.

00:12:40.960 --> 00:12:45.680
ANDREW: Even back then, I remember seeing this thing in probably 2011, I feel like,

00:12:45.680 --> 00:12:51.360
where there was this report that came out in an advertising research report that only

00:12:51.360 --> 00:12:58.960
8% of people who saw an ad online were real. It was just technically a machine connecting

00:12:58.960 --> 00:13:04.400
with another machine presenting the ad, but there wasn’t a real person on the other end.

00:13:04.400 --> 00:13:09.160
That was fifteen years ago. I can only imagine how much worse it’s gotten.

00:13:09.160 --> 00:13:16.400
JACK: Yeah. When you were doing this black-hat stuff, did you have any success stories of

00:13:16.400 --> 00:13:23.600
people that you made or products that you launched well, and just huge success with these techniques?

00:13:23.600 --> 00:13:29.440
ANDREW: Yeah. I don’t want to throw them under the bus, but we definitely did win a lot. We

00:13:29.440 --> 00:13:34.080
took a brand in action sports that was like, seventeenth in their spot and moved them to like,

00:13:34.080 --> 00:13:40.960
third in the market. We — and what was crazy is at the time you start doing these big activations.

00:13:40.960 --> 00:13:45.200
So, when you start winning, all the big brands pile in. All of a sudden they all want to do a

00:13:45.200 --> 00:13:50.480
collaboration or some deal with you. So, you end up doing really big brand partnerships or brand

00:13:50.480 --> 00:13:56.320
collaborations with really established companies once they all perceive you as the winner. So,

00:13:56.320 --> 00:14:02.800
the snowball sort of takes off, and then it becomes less black hat and more traditional

00:14:02.800 --> 00:14:08.360
project management and release schedules and just creative, less like hacking.

00:14:08.360 --> 00:14:12.320
JACK: Yeah. So, one sports brand went from seventeenth to third. What else?

00:14:12.320 --> 00:14:15.840
ANDREW: Yeah. We had a musician that we launched that went number-one iTunes,

00:14:15.840 --> 00:14:17.520
number-seven Billboard with no label.

00:14:17.520 --> 00:14:23.964
JACK: Okay, number-one iTunes, number seven, is that fake numbers? Is that fake numbers or…?

00:14:23.964 --> 00:14:26.560
ANDREW: No, those are real numbers. That’s the crazy part. That’s what I’m saying;

00:14:26.560 --> 00:14:31.520
I don’t feel like it was black hat because we got in front of all the people. We got in front of

00:14:31.520 --> 00:14:38.560
people who decided they really loved this artist. Because they really loved that artist — and we

00:14:38.560 --> 00:14:43.520
sort of had an eighteen-month plan. So, as we were building this artist with all these techniques,

00:14:43.520 --> 00:14:47.120
we were providing them with content to get them more and more hooked and engaged with

00:14:47.120 --> 00:14:54.480
the artist. When we released that artist’s EP, that artist went number one over everybody.

00:14:54.480 --> 00:15:00.160
I remember we beat DJ Catalan, as an example. We beat everybody. No one could believe it.

00:15:00.160 --> 00:15:03.520
We were called out. People thought we had faked the numbers. We didn’t fake

00:15:03.520 --> 00:15:11.040
anything. It was all real. We just sort of met the consumer at the point — we were in

00:15:11.040 --> 00:15:14.960
front of the consumer at the right moment when they quote, unquote “discovered this

00:15:14.960 --> 00:15:19.760
artist” and then thought they really liked it. So, again, the techniques allowed us to

00:15:19.760 --> 00:15:25.960
engage and have a real product market fit. But the techniques we used were definitely not approved.

00:15:25.960 --> 00:15:31.040
JACK: Yeah, I mean, I’m — when I first started this podcast I was like, alright, let’s market

00:15:31.040 --> 00:15:36.320
it. You start noticing some of these black-hat marketing techniques. I had to really sit and

00:15:36.320 --> 00:15:41.520
look at myself in the mirror and be like, am I a guy who is going to cheat my way to success? Like,

00:15:41.520 --> 00:15:47.040
fake it ‘til you make it. I had a long debate about it. I’m like, no, I’m a hacker; of course

00:15:47.040 --> 00:15:50.720
I’m gonna use every trick in the book, right? This is great. Let’s try it all. Then I was like,

00:15:50.720 --> 00:15:56.960
no, this is not honest. This is unethical and all that sort of stuff. So, I landed — this is funny;

00:15:56.960 --> 00:16:03.040
I landed on no black-hat marketing, but I’m totally for guerrilla marketing,

00:16:03.040 --> 00:16:07.760
which is unsanctioned marketing, right? So, if I go to a conference and there’s an empty booth

00:16:07.760 --> 00:16:13.014
where a vendor didn’t show up, I might sit down at that booth, put a little banner up that says…

00:16:13.014 --> 00:16:13.034
ANDREW: I love that.

00:16:13.034 --> 00:16:17.440
JACK: …hey, this is Darknet Diaries, and I didn’t pay $10,000 for that booth. Until

00:16:17.440 --> 00:16:20.480
the people come and say, hey, is this — did you pay for this booth? No. Okay,

00:16:20.480 --> 00:16:24.529
well, get out. Alright, cool. So, I’ll put stickers on places…

00:16:24.529 --> 00:16:24.554
ANDREW: That’s amazing.

00:16:24.554 --> 00:16:27.280
JACK: …that aren’t supposed to be stickers and

00:16:27.280 --> 00:16:29.880
all kinds of stuff like that. So, that’s what it is, guerrilla marketing.

00:16:29.880 --> 00:16:34.000
ANDREW: No, I agree. I think that’s definitely — and I have some examples. Like, we launched an

00:16:34.000 --> 00:16:40.560
app in 2013 called Hater App. It was Instagram for everything you hate. Our logo was a giant

00:16:40.560 --> 00:16:44.800
thumbs down. We went — I never — we went to South by Southwest and we just started putting stickers

00:16:44.800 --> 00:16:48.560
on people’s backs as they were walking, and there was thousands of people walking around

00:16:48.560 --> 00:16:55.760
with these stickers. It went — we got so many downloads. The downside was we had built this

00:16:55.760 --> 00:17:01.520
thing totally crappy just to see if it would work as an MVP, and it went — we had hundreds

00:17:01.520 --> 00:17:06.960
of thousands of downloads overnight, and the app was not functional. It was a complete mess.

00:17:06.960 --> 00:17:11.280
But it was such an interesting moment where I remember doing interviews with — we did

00:17:11.280 --> 00:17:17.520
interviews with Wall Street Journal and everyone. It was like a huge story at the time ‘cause we

00:17:17.520 --> 00:17:21.280
basically did this guerrilla approach and it kinda worked. I guess to your point,

00:17:21.280 --> 00:17:28.560
I always viewed the stuff I did online — I mean, maybe I’m just justifying it now. Like, hindsight,

00:17:28.560 --> 00:17:33.120
I have revisionist history. But I remember really feeling like the things we were doing

00:17:33.120 --> 00:17:39.040
online was the guerrilla version of what we did in person for these types of techniques.

00:17:39.040 --> 00:17:42.800
JACK: Something I noticed on the podcast world is that people can

00:17:42.800 --> 00:17:46.160
fake their way to the top on Apple Podcast charts,

00:17:46.160 --> 00:17:50.120
but most of them fall off a cliff as soon as they stop paying their black-hat marketer.

00:17:50.120 --> 00:17:54.240
ANDREW: Totally. So, I have an — there’s an artist I know who I won’t throw under

00:17:54.240 --> 00:17:58.080
the bus who is a major artist now. They were up for a Grammy,

00:17:58.080 --> 00:18:03.280
a bunch of things. Their entire first album was fake.

00:18:03.280 --> 00:18:06.880
JACK: Okay, I know who you’re talking about. Check this out. I saw this

00:18:06.880 --> 00:18:12.840
article last week. Spotify accuses Drake of forging billions of fraudulent streams.

00:18:12.840 --> 00:18:21.186
ANDREW: That’s not who I was talking about, but that’s also interesting.

00:18:21.186 --> 00:18:24.160
JACK: [Music] Okay, so that’s what Andrew was busy doing for a while. He was living in Los

00:18:24.160 --> 00:18:28.320
Angeles, and he wasn’t just doing black-hat marketing and launching people’s careers,

00:18:28.320 --> 00:18:32.560
but also building websites and tech companies and buying and selling them.

00:18:32.560 --> 00:18:37.360
He was solidly tuned into the internet and saw it in a way that not many did.

00:18:37.360 --> 00:18:40.600
One of his friends is Morgan, and they liked going to football games together.

00:18:40.600 --> 00:18:45.840
ANDREW: Back in the day we had tickets to the LA Rams. So, we would go to the games every week,

00:18:45.840 --> 00:18:50.880
every — eight times a year or whatever. We’d go to the games all together. We had ten seats together.

00:18:50.880 --> 00:18:56.880
So, it was Morgan, me, and a bunch of music exec guys that we had known just randomly together. So,

00:18:56.880 --> 00:19:01.120
anyway, we’re there all the time, and around — I was everyone’s weird crypto friend. I started

00:19:01.120 --> 00:19:10.560
mining in 2011 and sort of been really interested in technology and how it could be used. But anyone

00:19:10.560 --> 00:19:14.560
who goes back to that day will understand, anyone who was in this thing — maybe you were in it back

00:19:14.560 --> 00:19:20.720
then — but it was weird because pure tech people really didn’t like blockchain people. There was

00:19:20.720 --> 00:19:27.520
this weird — if you were a crypto guy, you kinda got the scarlet letter put on you

00:19:27.520 --> 00:19:33.200
when it came to tech, and it was — it really did feel like at the moment, if people found

00:19:33.200 --> 00:19:37.280
out you were the crypto guy, that you would just get pigeon-holed and lose opportunities.

00:19:37.280 --> 00:19:41.440
So, I was very careful to keep building tech and keep the blockchain crypto stuff

00:19:41.440 --> 00:19:48.000
entirely separate. Around 2017, that sort of whole world merged together. All of a sudden,

00:19:48.000 --> 00:19:53.440
inter — people in suits started showing up to crypto events, and next thing you know,

00:19:53.440 --> 00:19:57.360
bankers are around and everyone’s talking about how it could be used for enterprise. It really

00:19:57.360 --> 00:20:04.480
felt like the industry collided. The music people came to us and said, hey, could you use blockchain

00:20:04.480 --> 00:20:11.040
to track the number of times songs are played? The reason is, until today, even, the streaming

00:20:11.040 --> 00:20:19.360
services give the labels a CSV that says Snoop Dogg, 100 million plays. No one actually — there’s

00:20:19.360 --> 00:20:24.880
no receipts behind that. It’s literally just a cell; the artist’s name, and the next cell over,

00:20:24.880 --> 00:20:31.680
number of plays for the month. There’s no receipts for usage. Usage is the number-one driver to how

00:20:31.680 --> 00:20:35.680
much money you should be making every month, so it’s really weird there’s no receipts there.

00:20:35.680 --> 00:20:39.760
So, the way that it typically worked when streaming took off, the music industry just

00:20:39.760 --> 00:20:44.800
adopted what they’d always done for physical, and that was always an audit period after three

00:20:44.800 --> 00:20:50.080
years. So, every three years they go and audit the partner. To do a usage audit,

00:20:50.080 --> 00:20:52.960
though, a forensic audit, not where I’m trapping the contract,

00:20:52.960 --> 00:20:56.800
not where I’m trapping revenue coming in, but how many times the song was actually played,

00:20:56.800 --> 00:21:02.320
that could take them up to two years to complete. So, you’re talking about five years later figuring

00:21:02.320 --> 00:21:07.440
out that five years ago you should have been paid a million more dollars for this artist

00:21:07.440 --> 00:21:12.320
and $2 million for that artist, and that adds up to a lot. But all that money’s been paid out. So,

00:21:12.320 --> 00:21:16.240
you don’t have this ability to sort of recapture that money from the streaming services ‘cause it’s

00:21:16.240 --> 00:21:20.800
gone. So, they came to us and said, we believe blockchain could be a solution. You’re our

00:21:20.800 --> 00:21:25.920
weird crypto friend that also understands music, and we trust your whole team here.

00:21:25.920 --> 00:21:31.040
Morgan, my co-founder, had been a lobbyist on behalf of a lot of the majors for copyright

00:21:31.040 --> 00:21:36.240
protection, extending copyright law, and Poria was a really gifted machine-learning AI engineer,

00:21:36.240 --> 00:21:39.680
but at the time we were doing a lot of crypto stuff together. So, they said,

00:21:39.680 --> 00:21:45.280
we believe your team could solve this. Will you build a real-time tracking tool? The question we

00:21:45.280 --> 00:21:49.760
were trying to answer at the time was how many times is every song actually played? Because

00:21:49.760 --> 00:21:53.760
you can’t rely on the CSVs to just — that they hand over. They’re always wrong. What

00:21:53.760 --> 00:21:58.240
we learned from the offline audits, where they pulled the usage logs in fifty different audits,

00:21:58.240 --> 00:22:04.320
was on average anywhere between 20% and 31% discrepancy, always under-counted. So,

00:22:04.320 --> 00:22:09.520
imagine you’re perpetually being paid 20% to 30% less than you thought you should have.

00:22:09.520 --> 00:22:13.600
That is where we started, and we built one of the fastest blockchains in the world. At

00:22:13.600 --> 00:22:17.920
the time we did 10 million transactions per second per region in a private permission

00:22:17.920 --> 00:22:23.440
chain. We have over forty patents in seven countries filed, probably thirty-something

00:22:23.440 --> 00:22:31.520
issued. We built this technology. When we went live is when we accidentally discovered fraud.

00:22:31.520 --> 00:22:36.480
JACK: This discovery would ultimately make him abandon this very blockchain company that he just

00:22:36.480 --> 00:22:41.840
built and take his life in a whole new direction. We’re gonna take a quick ad-break here, but stay

00:22:41.840 --> 00:22:51.840
with us because you’ll never believe the fraud he discovered. So, Andrew and his co-founders Morgan

00:22:51.840 --> 00:22:56.800
and Poria built a tool to track how many times a song is played. Since the music labels wanted

00:22:56.800 --> 00:23:02.080
him to do it, they were also helping him get in touch with these music-streaming services to try

00:23:02.080 --> 00:23:07.760
to work out a way for Andrew to see the real-time streaming data they had. So, they made deals with

00:23:07.760 --> 00:23:12.320
these streaming platforms that they were able to see the play counts for the few music labels that

00:23:12.320 --> 00:23:17.520
they were dealing with. Their goal was simply to count the plays and make sure the artist got paid

00:23:17.520 --> 00:23:23.520
for what was played. But little did they know, [music] counting plays was not accurate at all.

00:23:23.520 --> 00:23:29.360
ANDREW: We started seeing these weird clusters of users, like 8,000 users playing the exact

00:23:29.360 --> 00:23:36.000
same sequence of songs sixty-three times on a Sunday, or users suddenly getting play counts in

00:23:36.000 --> 00:23:40.320
seventeen different countries in the same week. Like, how is that even possible? So, we started

00:23:40.320 --> 00:23:44.800
noticing these discrepancies, and we went back to the labels and the streaming services and said,

00:23:44.800 --> 00:23:50.240
we think you have a fraud problem. If we’re supposed to be the leader or the trusted source

00:23:50.240 --> 00:23:54.480
of truth of how many times a song is played and we’re just telling you a song was played,

00:23:54.480 --> 00:23:58.880
we’re not actually telling you the intent behind the play and if it should still be counted. You

00:23:58.880 --> 00:24:03.040
can’t actually pay this out because there’s a bunch of fraud happening here that should

00:24:03.040 --> 00:24:09.040
be removed. So, until we can solve the fraud problem, we don’t think we can solve audit.

00:24:09.040 --> 00:24:14.480
That was the summary we came to after two and a half years, and it was a real challenging moment

00:24:14.480 --> 00:24:18.160
for the company because it was like, you’ve been building this entire tool believing this

00:24:18.160 --> 00:24:23.200
is the one problem, and then you get there and realize — someone said, hold my beer,

00:24:23.200 --> 00:24:28.000
and you have a totally different problem you have to solve with a completely different skill set.

00:24:28.000 --> 00:24:33.200
JACK: I’m still shocked at the point that the streaming services didn’t have

00:24:33.200 --> 00:24:39.120
this capability to detect this sort of thing. In the podcast world we have the IAB, which is

00:24:39.120 --> 00:24:46.320
a — it’s actually a certifiable way of measuring metrics for podcast listens, and they have a whole

00:24:46.320 --> 00:24:51.600
list. They’re like, okay, if a user starts on their phone and then switches to their computer,

00:24:51.600 --> 00:24:56.080
is that considered two listens or one? They have to download for over a minute before

00:24:56.080 --> 00:25:03.280
they can actually be considered a listen. If it’s streaming on the watch, the watch does things to

00:25:03.280 --> 00:25:09.360
grab MP3s very differently than how a computer might. So, it looks like 500 listens when you

00:25:09.360 --> 00:25:14.080
come in from a watch, so you have to adjust for that sort of thing. There’s — you can look it up,

00:25:14.080 --> 00:25:20.320
how to measure podcasts, which is very complex and complicated downloads. I just

00:25:20.320 --> 00:25:25.680
can’t imagine these bigger streaming services not wanting to have accurate download numbers,

00:25:25.680 --> 00:25:30.240
especially with paying before that. They must have had a whole team of people trying

00:25:30.240 --> 00:25:34.868
to figure this out, and you’re saying, no, they didn’t. It was you that figured it out.

00:25:34.868 --> 00:25:38.880
ANDREW: No, they didn’t. At the time major streaming services — enter your streaming

00:25:38.880 --> 00:25:44.000
service — had less than half of a person dealing with this. It was probably some data scientist,

00:25:44.000 --> 00:25:49.040
and they were mostly using rules-based anomaly detection. So like, did a song get played more

00:25:49.040 --> 00:25:54.160
times than literally possible? Like, did someone play a song 10,000 times this week?

00:25:54.160 --> 00:26:00.640
JACK: Well, that’s really eye-opening and — it’s hard to believe because when you’re

00:26:00.640 --> 00:26:06.800
dealing with money, you have to pay accurately, and — crazy. Like I said,

00:26:06.800 --> 00:26:11.680
IAB is a certifiable thing. You can actually pay them to come audit your monitoring,

00:26:11.680 --> 00:26:16.720
your statistics, and they’ll confirm it, and then sponsors will be more likely to

00:26:16.720 --> 00:26:20.800
pay those numbers ‘cause you could say, no, it’s been confirmed that we’re IAB-certified.

00:26:20.800 --> 00:26:25.520
ANDREW: 100%. ‘Cause when I’ve done podcast advertising, I always ask for the certs because

00:26:25.520 --> 00:26:32.400
I don’t trust any of the numbers to be real. So, I understand 100 — ‘cause especially in the early

00:26:32.400 --> 00:26:37.480
days of podcasting, I feel like it was just like reading tea leaves. Nothing seemed to make sense.

00:26:37.480 --> 00:26:42.400
JACK: So, this became Andrew’s pivot. He was able to go to the music-streaming services and convince

00:26:42.400 --> 00:26:48.000
them, look, you have some major fraud happening. Here’s proof. They didn’t believe him at first,

00:26:48.000 --> 00:26:51.120
so he had to really show them how much fraud there was. They eventually said,

00:26:51.120 --> 00:26:54.240
okay, instead of monitoring just those music labels that you’re supposed to,

00:26:54.240 --> 00:26:58.000
[music] do you mind looking at all our stream music and see what else you can

00:26:58.000 --> 00:27:02.080
discover? That just snowballed. One streaming provider turned into two,

00:27:02.080 --> 00:27:07.440
and he kept getting full, unfettered download data from many online streaming platforms.

00:27:07.440 --> 00:27:10.440
ANDREW: Yeah, we’re definitely the leader. We’re the market.

00:27:10.440 --> 00:27:14.560
JACK: You are in such a unique position. I don’t imagine there

00:27:14.560 --> 00:27:18.840
even being two companies that have this access compared to — you’re…

00:27:18.840 --> 00:27:22.554
ANDREW: We have more data access than anyone in the music industry, especially…

00:27:22.554 --> 00:27:26.800
JACK: No, I mean — I mean there’s no other person like you who’s measuring like that.

00:27:26.800 --> 00:27:32.240
They don’t say, oh yeah, let’s open this up to 500 companies to come watch our stats

00:27:32.240 --> 00:27:35.760
and make sure that we’re accurate. You’re probably the only one for these companies.

00:27:35.760 --> 00:27:39.034
ANDREW: We are the only one. [Crosstalk]

00:27:39.034 --> 00:27:40.920
JACK: The competition here is zero for you.

00:27:40.920 --> 00:27:47.520
ANDREW: Yeah, totally, 100%. In a lot of ways we felt like we made the market. ‘Cause at the time,

00:27:47.520 --> 00:27:50.160
I remember going back to the labels and the streaming services and saying,

00:27:50.160 --> 00:27:57.600
I think you have a fraud problem. Literally, they laughed at us. Especially the major labels thought

00:27:57.600 --> 00:28:02.560
it was less than one percent. Because keep in mind, their artists aren’t cheating. So,

00:28:02.560 --> 00:28:07.760
what they see is only their data — and they’re like, there’s no anomalies here. But to them

00:28:07.760 --> 00:28:11.920
it just looked like the independent market was growing. I would actually argue that most of the

00:28:11.920 --> 00:28:16.320
independent music growth has been from fraud, not from true, independent market share increasing.

00:28:16.320 --> 00:28:23.360
JACK: Okay. Yeah, you gave me a taste of a few of these things that you were noticing,

00:28:23.360 --> 00:28:28.480
right, people playing things that are humanly impossible to play that much,

00:28:28.480 --> 00:28:33.200
and a group of people playing in different regions all at the same time.

00:28:33.200 --> 00:28:33.680
ANDREW: Yeah.

00:28:33.680 --> 00:28:37.760
JACK: This suddenly sounds to me — ‘cause I come from cybersecurity

00:28:37.760 --> 00:28:44.400
world — this suddenly sounds to me like not exactly threat intelligence, but yeah,

00:28:44.400 --> 00:28:52.640
it sounds like you’re looking at a security incident tool and trying to build signatures

00:28:52.640 --> 00:28:59.360
to detect when there’s a security incident. Just the one that comes to mind for me is if I had

00:28:59.360 --> 00:29:05.600
fifty connections from some office all go to the same IP address somewhere from different computers

00:29:05.600 --> 00:29:12.240
internally, why did that happen? There might be a botnet in our company that suddenly said,

00:29:12.240 --> 00:29:18.800
oh, all phone home at the same time. Get new instructions. So, I would immediately flag

00:29:18.800 --> 00:29:23.760
those fifty computers to be like, can someone do an antivirus on those to see what’s going

00:29:23.760 --> 00:29:31.840
on here? I was right. There was a botnet on that computer. So, I was like, okay, we’ve got a way to

00:29:31.840 --> 00:29:37.360
detect when a botnet happens just by — how in the world did this all happen in the same millisecond,

00:29:37.360 --> 00:29:42.760
right? So, I imagine that’s kinda the tools or the signatures. How do you look at this?

00:29:42.760 --> 00:29:48.560
ANDREW: 100%. We’re building — we have probably close to 700 models looking for different things,

00:29:48.560 --> 00:29:53.600
and it’s constantly changing. [Music] So, to give you examples, we found one where somebody

00:29:53.600 --> 00:29:59.120
had hacked a major artist’s delivery feed. So, imagine — it’s very common to have multiple

00:29:59.120 --> 00:30:04.320
registration numbers for the same song because it may have been part of an album, a single,

00:30:04.320 --> 00:30:09.040
a deluxe version. It could have been done multiple times with different people in the supply chain.

00:30:09.040 --> 00:30:13.360
So, what ends up happening a lot of times is the streaming service will concatenate that and pick

00:30:13.360 --> 00:30:18.800
one parent and a bunch — child sort of numbers. But that way they’re all grouped together. So, in

00:30:18.800 --> 00:30:24.640
this case, someone had hacked the feed, put their version in, but the metadata for that, the pay,

00:30:24.640 --> 00:30:30.000
was different than the actual label. So, in this case it looks like the same song, it sounds like

00:30:30.000 --> 00:30:36.480
the same song, has the same artwork as the same song, but who the finance team pays is different.

00:30:36.480 --> 00:30:42.240
They were able to promote their version as the parent and then manipulate those — the payouts.

00:30:42.240 --> 00:30:47.360
So, in that case they stole millions of dollars from that artist over an eight-month period.

00:30:47.360 --> 00:30:51.840
When we found it, we found it by some of the ways that they manipulated the streams. Like,

00:30:51.840 --> 00:30:55.920
how do you become the parent to your — like, why did this happen right at the beginning? We found

00:30:55.920 --> 00:31:01.760
the manipulation early and then it stopped. We were able to identify that there was something

00:31:01.760 --> 00:31:08.000
wrong in their data because of their manipulation. Then when we found that, we then built a model to

00:31:08.000 --> 00:31:13.680
find other artists it happened to. We found 1,700 other artists that had been hijacked the same way

00:31:13.680 --> 00:31:20.080
over the course of a couple years. So, again, they’re constantly being creative. Another one

00:31:20.080 --> 00:31:25.440
we found a little over a year and a half ago was a device we had never seen. So, why all of a sudden

00:31:25.440 --> 00:31:32.400
is this very specific device running up a bunch of streams? We would normally see what — for example,

00:31:32.400 --> 00:31:37.200
the Android system you’re on, what the operating system, what the device is, et cetera. This is

00:31:37.200 --> 00:31:42.000
a device we had never seen. It turned out it was owned by the Department of Corrections, and

00:31:42.000 --> 00:31:47.120
someone had hacked the prison system and turned all the prison tablets into a streaming farm.

00:31:47.120 --> 00:31:51.600
JACK: Wow. Tell me more about that. How did that happen?

00:31:51.600 --> 00:31:57.200
ANDREW: I don’t know how they hacked it, but the net effect was that they had turned — I think it

00:31:57.200 --> 00:32:02.960
was like, 400,000 devices into a streaming farm where they were manipulating streams

00:32:02.960 --> 00:32:08.480
from streaming players. So, I guess — I didn’t even know, to be honest,

00:32:08.480 --> 00:32:12.960
that prisoners had devices. But in a lot of states they have — you sort of pay I think

00:32:12.960 --> 00:32:18.240
by the minute or whatever. You pay for these devices, and there’s a handful of applications

00:32:18.240 --> 00:32:23.120
that are approved. It turns out most of them are run or slash-owned by a private equity

00:32:23.120 --> 00:32:30.560
company or a couple private equity companies, and someone had just simply hacked the devices

00:32:30.560 --> 00:32:37.680
and were able to use them all in sort of a bot network that we hadn’t expected at the time.

00:32:37.680 --> 00:32:39.200
JACK: How did you spot that?

00:32:39.200 --> 00:32:43.120
ANDREW: Because the device type was suddenly new and different. We had never — ‘cause

00:32:43.120 --> 00:32:47.920
we get all these different — so, why all of a sudden…? In context it seems small,

00:32:47.920 --> 00:32:51.040
but we have all these types of community-clustering techniques

00:32:51.040 --> 00:32:54.560
that are looking for different parameters and features. So, let’s say that we get,

00:32:54.560 --> 00:32:59.600
I don’t know, 500 fields. We’ll get — at this point now from streaming services,

00:32:59.600 --> 00:33:03.600
we get all kinds of stuff; gyroscope, battery life, orientation of phone, everything you’ve

00:33:03.600 --> 00:33:09.800
done in app. We’re catching a lot of different data, anonymized but individual — but hashed.

00:33:09.800 --> 00:33:14.160
JACK: The streaming service app is collecting that and then you’re seeing that as well.

00:33:14.160 --> 00:33:18.880
ANDREW: We’re seeing an anonymized version, generally hashed data so that we didn’t have any

00:33:18.880 --> 00:33:24.320
PII ever. But that’s — yes, we’re seeing all of this stuff and then triangulating it and saying,

00:33:24.320 --> 00:33:28.880
why are all these exactly the same? We’ve never seen this unique device,

00:33:28.880 --> 00:33:34.720
so what’s happening here? Then it just turned out that that one device is specifically made

00:33:34.720 --> 00:33:40.880
for the Department of Corrections, and no one else buys it. So, it leads you to sort of one vendor,

00:33:40.880 --> 00:33:47.440
which then allows you to unravel the rest. So, that was a very interesting case.

00:33:47.440 --> 00:33:50.960
JACK: Then what do you do with that? Do you say, okay streaming service,

00:33:50.960 --> 00:33:53.920
here’s a device type that we should just not…?

00:33:53.920 --> 00:33:55.360
ANDREW: We demonetize it all.

00:33:55.360 --> 00:33:55.760
JACK: Yeah?

00:33:55.760 --> 00:33:57.520
ANDREW: So we don’t pay any of those streams now…

00:33:57.520 --> 00:33:59.200
JACK: But you block that — I mean, not block,

00:33:59.200 --> 00:34:04.640
but you demonetize that device type. You can do it that granular or…?

00:34:04.640 --> 00:34:07.280
ANDREW: Yeah, for sure. We can say these don’t get paid. I mean,

00:34:07.280 --> 00:34:12.240
at the end of every month what happens is we have three sort of primary checks. We check

00:34:12.240 --> 00:34:17.040
daily to see what fraud we’re catching so that it gets removed out of product-level stuff. So,

00:34:17.040 --> 00:34:23.200
recommendation engines, algorithms, et cetera. We sort of down-weight anything we see that’s

00:34:23.200 --> 00:34:28.320
fraudulent so we don’t make the problem worse. The second thing we do is we do weekly updates

00:34:28.320 --> 00:34:32.880
for charts, so if we see anything on the charting side, we will — you’re allowed to

00:34:32.880 --> 00:34:38.560
update the charts weekly. So, we’ll update the charting information. That’s way less common,

00:34:38.560 --> 00:34:43.200
‘cause again, most big artists aren’t cheating, at least from the streaming side. But again,

00:34:43.200 --> 00:34:48.240
we sort of just safeguard that. Then the last one, which is the real one, is the money payout. So,

00:34:48.240 --> 00:34:53.680
at the end of the — at the end of every month we do the check for the entire month. ‘Cause

00:34:53.680 --> 00:34:57.520
there’s stuff we’ll catch, right? The really obvious fraud we’ll catch day one.

00:34:57.520 --> 00:35:02.480
But there’s some fraud that takes us a long — you need more of a longitudinal view to see how

00:35:02.480 --> 00:35:06.960
they’re interacting over the course of a week, two weeks, three weeks. There’s all kinds of cases,

00:35:06.960 --> 00:35:10.800
for example, that when we first started we would catch that no longer happens anymore. So,

00:35:10.800 --> 00:35:18.320
in the early days, I’m guessing his engineers were lazy. Or, it’s just easy — like,

00:35:18.320 --> 00:35:23.200
how do you deal with checking for anomaly detections for months where they have

00:35:23.200 --> 00:35:27.040
different days of the month? So, what we often — or, you know, they have twenty-nine days,

00:35:27.040 --> 00:35:30.560
twenty-eight days, thirty days, thirty-one days. So, a lot of times what they would do at the end

00:35:30.560 --> 00:35:34.480
of the month is pull the first twenty-eight days. I don’t know how fraudsters figured this out,

00:35:34.480 --> 00:35:41.440
but starting on Day 29, they would jam all their bots. So, you’d see massive numbers; 29, 30, 31.

00:35:41.440 --> 00:35:46.960
So, they would end up getting a large percentage of the pro rata pool, but they only ran their

00:35:46.960 --> 00:35:52.400
fraud at the end to sort of get away from whatever was being checked, ‘cause a lot

00:35:52.400 --> 00:35:57.280
of the anomaly-detection checks initially in the early days were the first 28 days,

00:35:57.280 --> 00:36:03.280
just to simplify it. So, again, we find all these weird sort of techniques that they would use,

00:36:03.280 --> 00:36:08.560
and we would shut them down or demonetize them. In some cases the streaming services,

00:36:08.560 --> 00:36:11.840
when we returned the data back, they take action. So,

00:36:11.840 --> 00:36:16.160
sometimes the streaming service will decide to completely remove all the content and

00:36:16.160 --> 00:36:21.040
just say this is all fraudulent. So, in this case, for example, really obvious stuff. So,

00:36:21.040 --> 00:36:26.640
less than a hundred real users have streamed this. 99.99% of all of their streams, historically,

00:36:26.640 --> 00:36:35.600
are from fake accounts. You know, maybe they have less than a total of 2,000 streams total.

00:36:35.600 --> 00:36:39.600
Whatever it is, they’re gonna have these rule sets we have in place to make sure it’s only

00:36:39.600 --> 00:36:43.520
the worst of the worst fraud, and then we’ll — the streaming service will just straight

00:36:43.520 --> 00:36:49.600
remove that content or take it off the platform entirely. That seems to be incredibly effective

00:36:49.600 --> 00:36:54.720
because the fraudsters realize they’re caught and they just stop on that or go to different

00:36:54.720 --> 00:36:59.600
services. So, I think our approach has been less — I’m not naive enough to believe we’ll

00:36:59.600 --> 00:37:03.920
always stop fraud. I think historically you can look at all fraud and say that’s never the

00:37:03.920 --> 00:37:07.520
case. There’s always going to be smart people and they’re gonna try different techniques.

00:37:07.520 --> 00:37:13.680
But I think we can make it so difficult that they just go to other industries.

00:37:13.680 --> 00:37:15.840
JACK: [Music] It’s so interesting for me to listen to him talk,

00:37:15.840 --> 00:37:21.280
because this isn’t a cybersecurity story, yet everything he’s saying is exactly what happens

00:37:21.280 --> 00:37:26.560
in cybersecurity land. You set up monitoring tools, you build rules to detect problems,

00:37:26.560 --> 00:37:31.200
and then you make it harder for people to exploit those things again. They did it all

00:37:31.200 --> 00:37:36.320
from scratch. We all know in cybersecurity you can never stop hackers, but what you want to

00:37:36.320 --> 00:37:40.880
do is make it so hard for them that they move on to an easier target. That’s something I’ve heard

00:37:40.880 --> 00:37:45.120
again and again, yet that’s what he’s doing in this world. Some people always reach out to me

00:37:45.120 --> 00:37:50.080
and complain that when I do an episode that’s not cybersecurity-related that they get upset.

00:37:50.080 --> 00:37:56.480
But listen, this show is about the dark side of the internet. To me, that encapsulates way

00:37:56.480 --> 00:38:02.480
more than just cybersecurity. It’s about all the hidden stuff that you never see or experience.

00:38:02.480 --> 00:38:08.720
I want to shine a light on that shady, dark, gritty, underground aspect of our digital life.

00:38:08.720 --> 00:38:14.560
The fraud and the manipulation of algorithms, the websites and technology, the people who abuse it,

00:38:14.560 --> 00:38:21.440
and of course, hacking in cybersecurity, too. [To Andrew] I was trying to find a link I had

00:38:21.440 --> 00:38:27.760
a long time ago. There was a — I’ve actually seen many Reddit posts where people are saying,

00:38:27.760 --> 00:38:31.920
hey, what’s up with my Spotify account? It suddenly shows that I’ve played a whole bunch

00:38:31.920 --> 00:38:36.960
of these artists that I’ve never even heard of much less played. I don’t understand why

00:38:36.960 --> 00:38:40.640
my Spotify is showing that I’ve played these, and it’s recommending all this other stuff.

00:38:40.640 --> 00:38:44.640
ANDREW: Account takeovers. That’s a huge percentage of what we see now. If you

00:38:44.640 --> 00:38:50.400
think about — you’re in cyber, so imagine it’s a giant arrow back to you. If all of your bots look

00:38:50.400 --> 00:38:55.920
the same, it’s easy to cluster them. If they’re behaving the same way, it’s easy to cluster them.

00:38:55.920 --> 00:39:01.360
If they are all streaming one artist specifically, it’s like a giant arrow back to that artist.

00:39:01.360 --> 00:39:05.200
If they’re all streaming from one distributor, it’s a giant arrow back to the distributor. So,

00:39:05.200 --> 00:39:10.320
you need to hide the needle in the haystack, and the easiest way today to do that, or what

00:39:10.320 --> 00:39:15.920
we’ve — I’d say for the last three years put a lot of R&D in to catch, is account takeovers. So,

00:39:15.920 --> 00:39:20.880
they’ll log in as you, play a song five or six times, and then leave. Then all of this stuff

00:39:20.880 --> 00:39:25.760
you do naturally just hides whatever they did. So, they don’t have to create that. They don’t

00:39:25.760 --> 00:39:32.480
need to make differences. You don’t need to program in artificial changes in your bots.

00:39:32.480 --> 00:39:36.880
You just basically log in as somebody, play five streams, and hope they don’t notice. I would say

00:39:36.880 --> 00:39:41.920
that that’s really common these days. That’s the number-one growth area for fraud that we catch,

00:39:41.920 --> 00:39:47.040
is account takeovers in general, or adding devices to family plans. So, we’ll see a device

00:39:47.040 --> 00:39:52.640
that’s an iOS that’s legit, a Tesla that’s legit, and then an Android that’s all fraud.

00:39:52.640 --> 00:39:55.920
JACK: Wow. Okay, so, what I don’t understand is how they’re taking

00:39:55.920 --> 00:39:59.200
over the accounts. You say it’s one of the biggest things you’re seeing.

00:39:59.200 --> 00:40:02.240
How are they getting so many Spotify accounts or whatever streaming service?

00:40:02.240 --> 00:40:10.640
ANDREW: So, there’s a couple ways. The simplistic ways are — 90% of internet log-ins are just people

00:40:10.640 --> 00:40:14.800
trying different data-breached passwords and usernames. I would say that most streaming

00:40:14.800 --> 00:40:20.880
services are not high on people’s priority list for protecting. So — and there’s a sort

00:40:20.880 --> 00:40:27.200
of product question about how much friction do you add into a service to make it difficult for users,

00:40:27.200 --> 00:40:32.800
‘cause it hinders growth, right? So, I think there’s an interesting friction point there

00:40:32.800 --> 00:40:37.600
between how secure do you make a streaming service on the user end and how much do they

00:40:37.600 --> 00:40:42.160
actually care, and do they really care if your account that was used to play a song ten or

00:40:42.160 --> 00:40:45.760
twenty times? I don’t think they’re realizing how much damage it does in aggregate. So,

00:40:45.760 --> 00:40:52.560
there’s that issue, I would say. I mean, you’ve been on — your whole series is called

00:40:52.560 --> 00:40:57.280
Darknet Diaries. You get on the darknet and download these accounts quite easily.

00:40:57.280 --> 00:41:03.600
I think at one point, to prove a point, we went on and downloaded and showed people,

00:41:03.600 --> 00:41:08.400
some executives, that I could get 100,000 accounts on every single streaming service immediately. It

00:41:08.400 --> 00:41:13.680
gives you the independent — the infection date and the last log-in date. You can even get — if

00:41:13.680 --> 00:41:19.520
they have malware on the actual device, you can even get all of the browsing history, too. So,

00:41:19.520 --> 00:41:23.760
if you want to warm up the IP before you use it, you can kind of mimic their behavior before

00:41:23.760 --> 00:41:31.840
you log in. There’s lots of this stuff existing. There’s also an API that we found in the darknet

00:41:31.840 --> 00:41:38.000
where they own tens of millions of these accounts, and they will spin them up for you. So, you

00:41:38.000 --> 00:41:43.040
basically tell them the parameters of the types of plays you need, and they make sure that no single

00:41:43.040 --> 00:41:50.480
account is overused or indexed too hard, and they actually create the fraud for you. [Music] So,

00:41:50.480 --> 00:41:57.800
it is a fully professionalized, industrialized supply chain for fraud at this point.

00:41:57.800 --> 00:42:08.400
JACK: Wow. Seriously, wow. He’s shown streaming service execs that he can get 100,000 accounts on

00:42:08.400 --> 00:42:13.200
their platform instantly, because after a data breach there’s communities of people who will

00:42:13.200 --> 00:42:18.000
parse through those usernames in the data breach and pluck out all the streaming service accounts,

00:42:18.000 --> 00:42:22.320
or even try to use those usernames and passwords on a streaming service to see if they reuse

00:42:22.320 --> 00:42:29.040
passwords. From that, they build the giant list of users for each streaming service, and that

00:42:29.040 --> 00:42:35.360
list is valuable because if you can manipulate the streams, then you can get paid by these streaming

00:42:35.360 --> 00:42:42.160
services. I’m just astonished because when I hear how bad the problem is like this and how

00:42:42.160 --> 00:42:49.120
easy it is for people to get access to our stuff, it’s like a cold, wet slap in my face. I kinda go

00:42:49.120 --> 00:42:53.360
through this process again and again when making the show. At the beginning of this episode I’m

00:42:53.360 --> 00:42:57.440
like, ooh, these are some interesting techniques. Maybe I’ll try one of these on my show.

00:42:57.440 --> 00:43:01.920
But by this point of the story, I’m so mad that these companies aren’t protecting our

00:43:01.920 --> 00:43:06.480
data and it’s just exposed on the dark web only for fraudsters to use to make money

00:43:06.480 --> 00:43:12.160
for themselves off my account. Because it’s our data; it’s not some nameless victim out

00:43:12.160 --> 00:43:17.840
there. It’s yours and mine that these people are gaining from. I’ve done this show long enough to

00:43:17.840 --> 00:43:24.080
know that there is no way of keeping our data from getting leaked, which makes me black-pilled,

00:43:24.080 --> 00:43:29.760
right? Like, okay, I’m giving up. Oh well, my data’s out there. I might as well just assume I

00:43:29.760 --> 00:43:35.680
have no privacy anymore because it’s out there like, all over the place. I just totally give

00:43:35.680 --> 00:43:43.600
up protecting myself. But I don’t like feeling hopeless. I’m not someone who gives up forever.

00:43:43.600 --> 00:43:50.400
I’m an optimist. I’m a fighter, and I don’t mind hard work. So, then I get this surge of ideas,

00:43:50.400 --> 00:43:54.640
and it makes me white-pilled, because then I realize, wait a minute, who’s the ding-dong who

00:43:54.640 --> 00:43:59.120
told them my address and gave them my password and username and telephone number and all that stuff?

00:43:59.120 --> 00:44:04.480
I am. Hell no. No more am I telling these companies my real name or phone number.

00:44:04.480 --> 00:44:09.280
I’m not going to reuse passwords or even reuse e-mail addresses anymore. It’s a war out there,

00:44:09.280 --> 00:44:16.400
and I’ve got to take care of my own data since no one else will. Okay, anyway,

00:44:16.400 --> 00:44:21.280
the name of the company that Andrew co-founded was called Beatdapp in order to analyze music streams

00:44:21.280 --> 00:44:25.360
to detect fraud. He abandoned the original idea of using the blockchain to help these

00:44:25.360 --> 00:44:30.560
labels get paid properly, and he focuses on this now, pretty much entirely working for streaming

00:44:30.560 --> 00:44:35.600
services now. [To Andrew] Yeah, well, I guess what I’m wondering is you almost need a black-hat

00:44:35.600 --> 00:44:41.600
person who knows that, the cheating industry, who’s been there, to actually sit down and look

00:44:41.600 --> 00:44:45.920
for these — to look for things you haven’t found yet, right? To find new signatures.

00:44:45.920 --> 00:44:51.280
ANDREW: Totally agree. I think I’m that guy, probably. Yeah. You know,

00:44:51.280 --> 00:44:57.520
the music industry often said I’m their hacker now. I’ve switched sides. I think

00:44:57.520 --> 00:45:02.960
the side-switching is mostly industries. I would say the — for me, the difference is

00:45:02.960 --> 00:45:08.400
that users no longer have to actually engage with the content for that artist to get paid.

00:45:08.400 --> 00:45:17.040
What I did back in the day I really believe was in service of the artist. If the artist is good,

00:45:17.040 --> 00:45:22.800
the people will listen, consume, and adopt it. If the artist is not, they will let you know right

00:45:22.800 --> 00:45:28.400
away that it’s trash. I think that has changed in a sense that you can be a trash artist that

00:45:28.400 --> 00:45:35.120
manipulates lots of streams and gets paid without actually being good or having real users or being

00:45:35.120 --> 00:45:42.240
able to sell ten tickets to an event. So, I just think they’re now stealing from other artists.

00:45:42.240 --> 00:45:49.600
JACK: Yeah. So, you’re saying it’s now more of a financially-driven thing and not so much a let’s

00:45:49.600 --> 00:45:55.600
try to market this person and get them to break out. But I push back at you because you did that

00:45:55.600 --> 00:46:01.360
ad arbitrage where you’re like, hey, we could print money by charging this much CPM and then

00:46:01.360 --> 00:46:07.760
actually just paying for somebody to come here. So, you were financially driven in some aspects,

00:46:07.760 --> 00:46:10.480
as well. It wasn’t always, oh, let’s just market someone.

00:46:10.480 --> 00:46:15.280
ANDREW: I regret that, and thank god that the Statute of Limitations has passed,

00:46:15.280 --> 00:46:18.640
‘cause it was definitely not my proudest moment, for sure.

00:46:18.640 --> 00:46:24.000
JACK: What I didn’t realize is that musicians don’t get paid per stream on these platforms.

00:46:24.000 --> 00:46:28.880
Instead, they get paid a percentage of what advertising revenue came in for that month,

00:46:28.880 --> 00:46:32.640
which means fraudsters are stealing money from real artists.

00:46:32.640 --> 00:46:36.640
ANDREW: Okay, so, the way the music industry works is that there’s one — I’m gonna simplify

00:46:36.640 --> 00:46:41.440
this ‘cause it’s a little more nuanced, but generally speaking there’s one pool of capital.

00:46:41.440 --> 00:46:46.400
Every month a streaming service makes money from advertising revenue and subscription fees. Now,

00:46:46.400 --> 00:46:52.880
this money goes into one pot, and it’s paid out every month based on play count. So, if you’re an

00:46:52.880 --> 00:47:00.080
artist and you make — you did, let’s say, 100,000 streams, and that streaming service did a million

00:47:00.080 --> 00:47:06.640
total streams that month, you get 10% of that pot. You get your percentage of streams for the whole

00:47:06.640 --> 00:47:12.320
entire — of the whole, entire streaming ecosystem you’re in of the revenue. So,

00:47:12.320 --> 00:47:19.920
it’s a performance pro rata. What happens is you could release a song in November and do a

00:47:19.920 --> 00:47:25.760
million streams and get paid $3,000, and that’s correct. You could release the same song and

00:47:25.760 --> 00:47:33.440
do a million streams in February and get paid, I don’t know, $500, and that could also be correct.

00:47:33.440 --> 00:47:37.920
The reason the numbers could be different is that month the advertising might be

00:47:37.920 --> 00:47:41.600
smaller because they’d spent — especially as February or January, they had spent a

00:47:41.600 --> 00:47:46.320
bunch of money for Black Friday and holidays, and advertisers weren’t spending as much in January,

00:47:46.320 --> 00:47:52.000
February. You could have less subscribers. You could also have had a major release. So,

00:47:52.000 --> 00:47:57.040
say Taylor Swift released a track or an album, and all of a sudden the majority of streams

00:47:57.040 --> 00:48:02.720
are going to Taylor Swift, then your pro rata goes down. So, you could actually have wildly

00:48:02.720 --> 00:48:08.160
different amounts of money you make for the same general performance because it’s a performance

00:48:08.160 --> 00:48:12.480
base relative to the entire industry. So, if you do one of ten streams, you get 10%. If you do one

00:48:12.480 --> 00:48:18.960
of twenty streams, you get 5%, and so on. So, why that matters and how you steal is that fraudsters

00:48:18.960 --> 00:48:23.960
will load millions of songs onto streaming services as if they’re independent artists.

00:48:23.960 --> 00:48:27.120
[Music] They’ll create different independent artists’ names, different independent artist

00:48:27.120 --> 00:48:32.400
labels, they’ll put them in different parts of the world so it just looks like they’re from different

00:48:32.400 --> 00:48:37.360
people, different regions, different companies. They will load those direct do-it-yourself,

00:48:37.360 --> 00:48:42.080
like DIY to streaming services through distributors. So, the distributor is an

00:48:42.080 --> 00:48:47.520
aggregator who, if you’re an independent artist, you upload to like a DistroKid or a TuneCore or

00:48:47.520 --> 00:48:52.560
a Symphonic or whatever, and they basically put all the data together and all the pieces

00:48:52.560 --> 00:48:56.800
together and upload it to the streaming services for you. So, they do it in one shop for you. So,

00:48:56.800 --> 00:48:59.760
instead of you going and uploading to a hundred different streaming services,

00:48:59.760 --> 00:49:03.680
you go to this one provider and they aggregate it and put it on to all the stores for you.

00:49:03.680 --> 00:49:08.000
So, these fraudsters will create fake artists, fake labels, they’ll use fifteen

00:49:08.000 --> 00:49:12.400
or twenty different distributors so there’s not one point of failure,

00:49:12.400 --> 00:49:18.160
they’ll upload — so, they’ll get millions of songs onto streaming services, and then here’s the key;

00:49:18.160 --> 00:49:22.400
they will play a bunch of these songs small amounts of times. They do not want to get

00:49:22.400 --> 00:49:27.920
noticed. You don’t want an artist that charts that’s not real. You want to generate 1,000,

00:49:27.920 --> 00:49:34.400
3,000, 4,000 streams, but you don’t actually — no one notices the song with 3,000 plays. So,

00:49:34.400 --> 00:49:38.880
if you create a small number of streams across a large number of artists,

00:49:38.880 --> 00:49:45.600
then your aggregate pro rata, the amount that you actually have of all of the pools for that month,

00:49:45.600 --> 00:49:52.480
can dramatically increase, ‘cause you’re stealing pennies. It’s basically like Office Space. You’re

00:49:52.480 --> 00:49:55.760
stealing pennies from all of these different artists. They just don’t realize it. But in

00:49:55.760 --> 00:50:00.720
aggregate it’s a large amount of money. So, the way that it works today is about $3 billion worth

00:50:00.720 --> 00:50:05.440
is stolen from real artists, because it’s going to people that are not real artists.

00:50:05.440 --> 00:50:12.320
JACK: Wow, $3 billion is going to fraudsters who are manipulating these streaming platforms. That’s

00:50:12.320 --> 00:50:18.000
incredible. It’s apparently very profitable to go through all this process of making tons

00:50:18.000 --> 00:50:22.880
of songs and getting someone else to play those songs across hundreds of thousands of accounts.

00:50:22.880 --> 00:50:28.720
It seems like a lot of work, but man, it’s really paying off for them. If it’s paying off,

00:50:28.720 --> 00:50:33.600
then that means it’s only gonna grow. [To Andrew] So, a few times

00:50:33.600 --> 00:50:38.800
you’ve made my — the hair on my neck stand up when — ‘cause I’m a big privacy advocate,

00:50:38.800 --> 00:50:45.280
right? I’m crazy into it. I’m a freak about it. So, you’ve talked about some of the

00:50:45.280 --> 00:50:50.560
metrics you’re getting from some of these apps such as gyroscope and battery life.

00:50:50.560 --> 00:50:56.400
As a privacy person, I don’t understand why I need — you need to get my gyroscope information

00:50:56.400 --> 00:51:02.080
in order to just let me play a song. But on the other side, when I went to actually take ads out

00:51:02.080 --> 00:51:09.040
on some of these platforms to say, hey, market a legitimate ad on the platform, they’ll ask you,

00:51:09.040 --> 00:51:13.680
hey, when do you want someone to listen to this ad? Do you want them to listen while

00:51:13.680 --> 00:51:16.560
they’re working out, while they’re having sex, when they’re making dinner? I’m like,

00:51:16.560 --> 00:51:21.280
how the heck do you know when someone is making dinner? What is going on here? So,

00:51:21.280 --> 00:51:28.880
the amount of information that these streaming platforms have on us is crazy. I don’t know what

00:51:28.880 --> 00:51:32.840
question I have, but it just — like I said, it makes my hair stand up.

00:51:32.840 --> 00:51:38.240
ANDREW: I agree, but I would say for us, just know that in most cases they treat that

00:51:38.240 --> 00:51:42.880
data like it is the most important — I mean, they treat it — having come from healthcare

00:51:42.880 --> 00:51:48.480
in the previous company, they treated it at a level way higher than healthcare, like crazy,

00:51:48.480 --> 00:51:54.800
like HIPAA compliant times ten. They are insane with this data. They hash everything. They’re very

00:51:54.800 --> 00:51:59.280
particular about how it gets to us, how it gets back. We get security audited. We have an entire

00:51:59.280 --> 00:52:04.720
internal security team. It is — it’s partitioned in lots of ways so even if you get to one piece,

00:52:04.720 --> 00:52:10.400
you can’t get to the rest. We are insane because they make us be insane with

00:52:10.400 --> 00:52:14.720
it. Again, at the end of the quarter, you’re like, it’s just streaming data. But people

00:52:14.720 --> 00:52:22.560
are stealing $3 billion a year. So, that’s a massive amount of money that is going sometimes

00:52:22.560 --> 00:52:28.720
to people like terrorist organizations and organized crime, not some kid in a basement.

00:52:28.720 --> 00:52:34.640
So, the argument also is I think that there’s some large-level implications for where this

00:52:34.640 --> 00:52:39.520
money goes and what happens, but I will say that the streaming service side treats that

00:52:39.520 --> 00:52:44.800
data — whether or not you want them to have it, they treat it like it’s very,

00:52:44.800 --> 00:52:50.000
very important. I’ve never come across a streaming service that casually allows data. Even then,

00:52:50.000 --> 00:52:53.520
when we decide exactly what fields we need from different streaming services,

00:52:53.520 --> 00:52:58.320
we then reject the rest of the fields. We take the least amount that we need to do our job once

00:52:58.320 --> 00:53:02.640
we’ve built the models, and then if we built a new model or find a new thing that we need to do,

00:53:02.640 --> 00:53:08.480
we re-ingest that data and build again. But we don’t typically just sit on all this stuff,

00:53:08.480 --> 00:53:14.080
even if it’s anonymized, because we just don’t want it. So, again, my point is I feel they’ve

00:53:14.080 --> 00:53:18.320
been very responsible with it, if that makes you feel any better, even though they haven’t.

00:53:18.320 --> 00:53:22.144
JACK: You said terrorist organizations?

00:53:22.144 --> 00:53:25.200
ANDREW: [Music] Yeah. Imagine that you could move money through a streaming

00:53:25.200 --> 00:53:29.440
platform without anyone noticing. So, what you do is you take dollars,

00:53:29.440 --> 00:53:35.280
you turn it into crypto at crypto ATMs, you pay the streaming farm operators in cryptocurrency to

00:53:35.280 --> 00:53:40.320
stream a certain amount of songs. Those songs are owned by different entities globally. So,

00:53:40.320 --> 00:53:45.600
quite literally you could move money from Colombia to Doha through the streaming service. It’ll all

00:53:45.600 --> 00:53:53.280
be washed and clean through the streaming services themselves, directly funding terrorist activity.

00:53:53.280 --> 00:53:57.520
JACK: So, the artist that they’re playing is an

00:53:57.520 --> 00:54:00.640
artist that they’re controlling because they’re getting paid…

00:54:00.640 --> 00:54:04.720
ANDREW: They’re making fake artists. They’re putting fake artists’ names up. They’re taking

00:54:04.720 --> 00:54:10.800
music that’s not theirs. So, they might hack, for example, Dropbox accounts. ‘Cause you figure one

00:54:10.800 --> 00:54:17.440
out of every hundred songs typically an artist releases — so there’s a huge back catalog of

00:54:17.440 --> 00:54:20.960
artist songs that have never actually been distributed, and when they’re distributed is

00:54:20.960 --> 00:54:24.080
when they’re fingerprinted. So, a lot of these don’t have fingerprints. So,

00:54:24.080 --> 00:54:27.920
if you upload them and there’s no fingerprint, the streaming service and the distributor

00:54:27.920 --> 00:54:32.160
feels that you are the rightful owner of that song ‘cause they’ve never seen it before. So,

00:54:32.160 --> 00:54:37.440
now you can take old songs that have never been digitized, make them your own,

00:54:37.440 --> 00:54:41.200
and then manipulate the stream. So, the first step is just getting the music.

00:54:41.200 --> 00:54:45.760
The second step is manipulating the streams so you get paid. If you were a terrorist organization and

00:54:45.760 --> 00:54:52.080
you build all this infrastructure, you might have literally let’s say thirty different music label

00:54:52.080 --> 00:54:56.880
entities around the world all using different distributors with, I don’t know, a hundred quote,

00:54:56.880 --> 00:55:01.280
unquote “independent artists” in each, and then you’re going to just run small numbers of streams

00:55:01.280 --> 00:55:07.200
to those on a hundred different streaming services and slowly get paid. But that money will be clean

00:55:07.200 --> 00:55:12.720
and end up from one location to another without you ever having to actually transport the cash.

00:55:12.720 --> 00:55:16.400
JACK: You think that’s…? I mean, looking at those numbers,

00:55:16.400 --> 00:55:19.280
how much cash do you think they’re transporting? 80…?

00:55:19.280 --> 00:55:21.760
ANDREW: Hundreds of millions of dollars.

00:55:21.760 --> 00:55:26.560
JACK: Well, I was gonna guess a percentage here, right? So like,

00:55:26.560 --> 00:55:31.680
if I have $100 million and I say I need to transfer this, 80% of it makes it?

00:55:31.680 --> 00:55:35.680
ANDREW: Oh, percentage-wise of the dollar? Like 40% to 50%.

00:55:35.680 --> 00:55:38.160
JACK: Yeah, ‘cause it’s not — see,

00:55:38.160 --> 00:55:40.960
this is — they’re losing a ton of money on — in the transfer, then.

00:55:40.960 --> 00:55:45.760
ANDREW: But it’s better than leaving it in cash. Honestly, that’s what typically — how do you move

00:55:45.760 --> 00:55:50.400
this much cash? They’re gonna pay someone to wash their money regardless, sometimes 20%,

00:55:50.400 --> 00:55:54.480
25%. They’re gonna pay a large amount of money anyway. Then they still need to move that money

00:55:54.480 --> 00:55:59.520
and sort of pay taxes on that money when it ends up — you end up losing a lot anyway. So your other

00:55:59.520 --> 00:56:04.000
approach is just to hide it somewhere or keep it as cash and find other fronts to move it through.

00:56:04.000 --> 00:56:10.000
It actually ends up that over the last ten years, the music industry, as it was growing so fast,

00:56:10.000 --> 00:56:20.200
was a really opportunistic place to hide or wash money because no one was watching it.

00:56:20.200 --> 00:56:26.480
JACK: Now I think I’ve come full circle on you saying you were gray hat, because I was saying to

00:56:26.480 --> 00:56:30.240
myself, if you’re breaking the terms of service, it’s black hat. Now I’m like, wait a minute,

00:56:30.240 --> 00:56:34.080
if you’re breaking the law, that’s black hat. This is different than terms of service.

00:56:34.080 --> 00:56:38.240
ANDREW: Yeah, that’s how I feel, you know? I didn’t break laws. I

00:56:38.240 --> 00:56:41.000
just definitely didn’t agree that I wasn’t allowed to do something.

00:56:41.000 --> 00:56:43.200
JACK: Yeah, and now it’s getting crazy,

00:56:43.200 --> 00:56:49.640
where hundreds of millions of dollars are being sent from — from who? Who’s involved in this?

00:56:49.640 --> 00:56:53.280
ANDREW: Well, imagine any kind of illicit activity; you can move the money to your

00:56:53.280 --> 00:56:59.440
partners. You can send — how we potentially caught one, for example, is you’d see the

00:56:59.440 --> 00:57:04.560
exact same percentage — like, let’s say that you have a million users all playing music. I’m just

00:57:04.560 --> 00:57:09.200
gonna use Colombia as an example. But they’re — the beneficial — if you think about who the

00:57:09.200 --> 00:57:13.360
artists are that’s benefiting from those plays, it would be abnormal — in one case, for example,

00:57:13.360 --> 00:57:17.440
where we saw — I’ll give you — I don’t know the exact numbers so I’m gonna give you examples here;

00:57:17.440 --> 00:57:24.480
like 12% always in a Hong Kong entity, and 30% in a Canadian entity, and 40% in a Middle-Eastern

00:57:24.480 --> 00:57:30.720
entity, and, you know, maybe another 10% somewhere else. So, if all the numbers of streams are

00:57:30.720 --> 00:57:35.360
changing every month but the beneficial owner percentage is exactly the same, it looks as

00:57:35.360 --> 00:57:42.200
if someone’s moving money from one location to another location through these other entities.

00:57:42.200 --> 00:57:47.992
JACK: So, the moving part is that they’re paying bots or listening to a stream…

00:57:47.992 --> 00:57:50.800
ANDREW: Yeah, they’re paying a streaming farm to create the streams whether they’re doing it

00:57:50.800 --> 00:57:56.080
through account takeovers or bots or whatever, but the end result is they’ve uploaded as owners under

00:57:56.080 --> 00:58:01.440
these different entities all of these fake artists that have songs on the streaming services. There’s

00:58:01.440 --> 00:58:05.520
roughly a hundred streaming services globally. So, they’re uploading it onto all these streaming

00:58:05.520 --> 00:58:12.560
services and they’re telling these streaming farms to go play those songs across all the services.

00:58:12.560 --> 00:58:18.480
JACK: Then the person who owns that account is getting paid for their streams,

00:58:18.480 --> 00:58:21.160
and then the money is arriving to where they need to send it.

00:58:21.160 --> 00:58:24.640
ANDREW: Yeah, exactly, because now the streaming service thinks, oh,

00:58:24.640 --> 00:58:30.160
XYZ label in Hong Kong had X percentage of the total streams. We have to pay them out. So,

00:58:30.160 --> 00:58:33.520
it gets paid to the distributor and paid to them, and they just get paid.

00:58:33.520 --> 00:58:38.160
JACK: This is one of those stories that I feel like the floor has dropped out in my head,

00:58:38.160 --> 00:58:44.000
of like, oh yeah, we have — I have a good understanding of how money laundering happens

00:58:44.000 --> 00:58:49.120
and how things get sent here and there and how you clean money. But then when you hear about

00:58:49.120 --> 00:58:53.120
stories like this where, oh yeah, they’re using a streaming service to launder money and send

00:58:53.120 --> 00:58:57.200
it across the globe, suddenly my head’s like, well, you could do that with buying

00:58:57.200 --> 00:59:03.520
and selling things on the Steam marketplace or Roblox accounts or any other marketplace

00:59:03.520 --> 00:59:07.840
that has money shifted here and there. This isn’t even a straightforward like — here,

00:59:07.840 --> 00:59:12.400
I’m buying something from another user. This is, oh, they’ll pay us for streams. If we

00:59:12.400 --> 00:59:18.000
can get the streams, then we can get paid. It’s such a roundabout way of — a convoluted

00:59:18.000 --> 00:59:23.120
way to launder money that it’s blowing my mind and it just makes me think that every

00:59:23.120 --> 00:59:27.640
single place that has money going in and out is probably getting hit with something like this.

00:59:27.640 --> 00:59:31.280
ANDREW: 100% agree. I think the more convoluted, the better for them,

00:59:31.280 --> 00:59:34.680
‘cause it’s so much harder for the average person to understand how the money moves.

00:59:34.680 --> 00:59:38.240
JACK: ‘Cause I mean, even something like Twitter is — you get paid for

00:59:38.240 --> 00:59:41.400
how much engagement you have, right? So, you could totally…

00:59:41.400 --> 00:59:47.680
ANDREW: Oh, yeah. Any of these engagement-based activities, especially in Web3, anything at the

00:59:47.680 --> 00:59:51.520
time — a couple years ago there was this big push with treasury tokens. So, you’d get paid

00:59:51.520 --> 00:59:57.680
every time people interacted with you on SocialFi platforms or any of these GameFi stuff.

00:59:57.680 --> 01:00:01.320
You could manipulate all of this stuff and then get the tokens, take it to market, and sell it.

01:00:01.320 --> 01:00:04.720
JACK: It’s crazy to me that there’s a dark web API that has

01:00:04.720 --> 01:00:08.800
access to millions of online streaming accounts, and if you feed it money,

01:00:08.800 --> 01:00:14.880
you can get all your songs played a bunch. I bet whoever runs that hates Andrew.

01:00:14.880 --> 01:00:20.880
ANDREW: I mean, I’ve had a couple of them do crazy stuff like reaching out or say things. But I would

01:00:20.880 --> 01:00:27.120
say that generally — we were talking once — our lawyer for the company is this guy named

01:00:27.120 --> 01:00:33.120
Jim Trusty. He was the former Chief of Organized Crime for the DOJ. He told me once that the good

01:00:33.120 --> 01:00:38.160
news is they don’t typically shoot the border guards. It’s kind of a gentleman’s sport. So,

01:00:38.160 --> 01:00:44.560
I would say that most of them just changed their tactics and changed the way they behaved. I also

01:00:44.560 --> 01:00:48.640
think the industry has progressed. In the early days there was some real trepidation

01:00:48.640 --> 01:00:53.120
or fear around what happens, ‘cause we’re just a handful of people that know what’s

01:00:53.120 --> 01:00:57.200
going on here. I would say now every single streaming service has a trust

01:00:57.200 --> 01:01:02.640
and safety department. Every single stream label has a fraud trust and safety person. So,

01:01:02.640 --> 01:01:07.280
the industry has changed over the last three years in a way that I would say

01:01:07.280 --> 01:01:11.680
I feel less scared about. Like, if you did something to me or my co-founders,

01:01:11.680 --> 01:01:15.840
it’s not going away at this point. The cat’s out of the bag. But I would say there was a

01:01:15.840 --> 01:01:22.394
real moment in the early 2021, 2022 where we were actually very concerned about what happens if…

01:01:22.394 --> 01:01:27.520
JACK: Yeah, I mean, especially if you’ve got cartels that are moving money in big ways and

01:01:27.520 --> 01:01:32.160
you’re like, okay, let’s put a stop to these guys. I could see them being upset with you.

01:01:32.160 --> 01:01:36.400
ANDREW: I mean, that was my concern, but again, I think we sort of — whether

01:01:36.400 --> 01:01:39.520
or not it was naive at the time, it was more like, oh, well, they don’t normally

01:01:39.520 --> 01:01:43.840
shoot the border guards. They just find a different way to move the money, you know?

01:01:43.840 --> 01:01:47.680
JACK: Do you ever point the feds to someone and be like, hey,

01:01:47.680 --> 01:01:51.600
these guys are breaking a lot of laws? Like, I don’t know, the dark web API

01:01:51.600 --> 01:01:57.440
or cartels moving money. We’ve gotta report this to someone more than just the streaming service.

01:01:57.440 --> 01:02:02.720
ANDREW: Yeah, in some cases when we find things that are outside the data that is given to us

01:02:02.720 --> 01:02:10.080
in privacy, then sure, we might tell people. But generally speaking, we report the results

01:02:10.080 --> 01:02:15.200
back to the streaming services and then they determine — and the distributors, for example,

01:02:15.200 --> 01:02:20.080
and the collection societies, right? They determine then who to — who they want to work

01:02:20.080 --> 01:02:26.080
with on the government’s side to prosecute, ‘cause that’s typically a long road, three to five years,

01:02:26.080 --> 01:02:29.680
sometimes — especially in multiple countries you’ve gotta deal with Interpol and all kinds

01:02:29.680 --> 01:02:35.680
of different activities. So, I think — I would say that’s an area that’s emerging,

01:02:35.680 --> 01:02:39.760
but we provide all the evidence that they need, and then they — and help them package

01:02:39.760 --> 01:02:44.560
it to whoever agency they’re going to. But typically they are the ones that

01:02:44.560 --> 01:02:47.360
are the ones actually determining whether or not they’re gonna pursue it.

01:02:47.360 --> 01:02:51.840
JACK: Okay, I’m now changing my mind. What Andrew did when he was younger I used to

01:02:51.840 --> 01:02:56.640
say was black-hat marketing, but now I’m gonna say he was doing gray-hat marketing.

01:02:56.640 --> 01:03:00.960
Aside from the ad arbitrage stuff, all he did was violate the terms of use on websites

01:03:00.960 --> 01:03:05.200
like Facebook and YouTube by artificially inflating the numbers. Coming into this,

01:03:05.200 --> 01:03:10.640
I would have said that’s black hat, but not now. Now I think these cartels or terrorist

01:03:10.640 --> 01:03:15.680
organizations that are moving hundreds of millions of dollars through these streaming platforms,

01:03:15.680 --> 01:03:21.280
that’s black-hat marketing. That’s some real dark stuff. Any time these streaming services

01:03:21.280 --> 01:03:26.320
have to call the authorities on someone, that’s what I think is black-hat marketing

01:03:26.320 --> 01:03:32.160
at this point. I suppose because now that I’ve seen such an extreme side of this marketing,

01:03:32.160 --> 01:03:38.080
I’m no longer so judgmental about somebody having a bunch of fake followers on their account to help

01:03:38.080 --> 01:03:43.600
them break out. Because really, the fake followers and algorithm manipulation can only go so far.

01:03:43.600 --> 01:03:47.760
If they’re a bad musician or whatever it is they’re creating, they’ll never take off no

01:03:47.760 --> 01:03:53.200
matter how many fake streams they get. But if they are great and people really love them,

01:03:53.200 --> 01:03:58.240
then that was just a growth-hacking technique to kick start their journey. After they break out,

01:03:58.240 --> 01:04:02.320
there’s no longer a need for all the fake followers. You do run the risk of getting

01:04:02.320 --> 01:04:09.840
banned off those platforms, so I don’t recommend doing it. But now that I think about it, banning

01:04:09.840 --> 01:04:15.280
users is really tricky, because suppose Twitter has a way to detect when there are fake followers,

01:04:15.280 --> 01:04:20.480
right, and they automatically ban someone if they have — like 60% of their followers are fake. Well,

01:04:20.480 --> 01:04:24.160
then imagine someone gets millions of fake followers to follow Elon,

01:04:24.160 --> 01:04:28.800
and he gets kicked off for having a majority of fake followers following him. You see, you

01:04:28.800 --> 01:04:34.400
can use these bans as a weapon to get someone else banned that you don’t like. So, banning users for

01:04:34.400 --> 01:04:41.588
having a bunch of bots following them is really, really tricky, and maybe you can’t even do it.

01:04:41.588 --> 01:04:44.400
[To Andrew] With all this information you have,

01:04:44.400 --> 01:04:47.200
you’ve gotta have probably some sort of restriction on what you’re allowed to say, because

01:04:47.200 --> 01:04:53.920
if there is — you can see who the top artist of the day is. You have so much data. You could see

01:04:53.920 --> 01:04:59.920
how many streams are getting — and all this sort of stuff. Magazines like — I don’t know Pitchfork,

01:04:59.920 --> 01:05:07.600
but whoever is the music industry magazines would love to know who’s the top streamer of the day or

01:05:07.600 --> 01:05:13.120
week or month or something like that. A lot of the stuff is kept quiet. We get to see some statistics

01:05:13.120 --> 01:05:22.080
of what — how many downloads a song has, but we don’t see very much of that. You could have such

01:05:22.080 --> 01:05:27.360
an outstanding blog of like, here’s what’s going on today, and people would just flock

01:05:27.360 --> 01:05:30.440
to it. It would be huge, but you’re probably not allowed to share that kind of information.

01:05:30.440 --> 01:05:34.160
ANDREW: It’s our core promise to all of our vendors. Like, you give us your data;

01:05:34.160 --> 01:05:41.600
we do not monetize it in that way. So, we provide you results back as a true financial tool and

01:05:41.600 --> 01:05:48.720
a trust-and-safety tool. We do not monetize it in any kind of marketing, any type of market

01:05:48.720 --> 01:05:53.840
reports. We will not monetize the data they provide us. They pay us an annual service fee

01:05:53.840 --> 01:05:58.080
so that we aren’t incentivized to find more fraud than there is. If there’s not a lot of fraud,

01:05:58.080 --> 01:06:02.080
we tell them. If there’s a lot of fraud, we tell them. We are just the trusted source of truth,

01:06:02.080 --> 01:06:07.200
but we do not — we don’t monetize that data in any way. Yes, we could probably build a massive

01:06:07.200 --> 01:06:11.200
company, but I’m not sure they would trust us in the same way. I think that’s why a lot of these

01:06:11.200 --> 01:06:15.360
marketing-level companies that do aggregate data, they get very limited data sets because

01:06:15.360 --> 01:06:21.280
they — the biggest fear for these services is the state of being public or going other places. So,

01:06:21.280 --> 01:06:30.720
we are allowed — we are privileged enough to handle it because we’ve built a large and strong

01:06:30.720 --> 01:06:35.160
level of trust with all of our partners, and they know that we would never violate that trust.

01:06:35.160 --> 01:06:39.920
JACK: Yeah, at first I was thinking as well of like, oh, you’re saving all these streaming

01:06:39.920 --> 01:06:43.760
companies money by saying, hey, don’t pay these people ‘cause they’re not doing it.

01:06:43.760 --> 01:06:48.800
But now — but at the beginning you told me, no, there’s a big pool and a percentage goes

01:06:48.800 --> 01:06:53.280
out to whoever gets the streams. So, I don’t think you’re saving these streaming companies

01:06:53.280 --> 01:06:57.760
any money at all because they have to pay out 100% every month or whatever.

01:06:57.760 --> 01:06:58.074
ANDREW: Yeah.

01:06:58.074 --> 01:07:00.119
JACK: Whether it goes to the right person or the wrong person…

01:07:00.119 --> 01:07:00.840
ANDREW: We’re a cost of doing business for them.

01:07:00.840 --> 01:07:01.880
JACK: Okay.

01:07:01.880 --> 01:07:07.040
ANDREW: We’re a cost of doing business for them. I would say in some cases they save money. So,

01:07:07.040 --> 01:07:10.960
there’s — this is where it gets nuanced. What I’ve been talking a lot about is what’s called

01:07:10.960 --> 01:07:15.280
interactive streams, where people get to choose what song they listen to. But in cases where it’s

01:07:15.280 --> 01:07:20.560
non-interactive — think of it like online radio — they have to pay a set rate out. There’s a rate

01:07:20.560 --> 01:07:25.120
card that’s in. So, when you remove the fraud from those, they actually do save money. So,

01:07:25.120 --> 01:07:30.720
in some cases, in some areas they’ll save money, but I would say generally across the board,

01:07:30.720 --> 01:07:37.040
they’re probably not making money off of us if they’re interactive. So, if they offer

01:07:37.040 --> 01:07:41.440
a service where you get to choose what you listen to, they’re probably not making money off of us.

01:07:41.440 --> 01:07:46.720
But they also — if I’m being honest — don’t want to be the executive who’s blocked for funding

01:07:46.720 --> 01:07:56.080
terrorism. So, there is an existential risk. Also, you figure the major labels are huge victims here.

01:07:56.080 --> 01:08:00.560
Keep in mind, if you’re a major label, you own and distribute probably over 80% of all

01:08:00.560 --> 01:08:05.920
revenue-generating content. Not just all content but revenue-generating content like royalties

01:08:05.920 --> 01:08:10.960
are coming primarily from the major labels or the independent labels they distribute as a major. So,

01:08:10.960 --> 01:08:16.720
when you look at it as a whole, if you’re a streaming service and 80% of the things people are

01:08:16.720 --> 01:08:20.400
listening to are controlled by these three parties and they’re saying we’re tired of being victims;

01:08:20.400 --> 01:08:25.400
if you do not have a service like this, you cannot have our content, it moves a lot of needles.

01:08:25.400 --> 01:08:30.720
JACK: Wow. Well, this — so much of this was so illuminating to me. I did not know about

01:08:30.720 --> 01:08:35.520
this world much at all. I told you what I do know, and it was a few things here and there, but man,

01:08:35.520 --> 01:08:39.520
there was so much I’ve learned here. Thanks so much for coming and telling me all this.

01:08:39.520 --> 01:08:42.400
ANDREW: Yeah, thanks for having me on. It’s been really fun. Again,

01:08:42.400 --> 01:08:53.577
I appreciate you making the time for me.

01:08:53.577 --> 01:08:57.200
(Outro): [Outro music] This show is created by me, the hashed brown Jack Rhysider. Our editor

01:08:57.200 --> 01:09:01.600
is our friendly sysadmin Tristan Ledger, mixing done by Proximity Sound, and our intro music is

01:09:01.600 --> 01:09:05.520
by the mysterious Breakmaster Cylinder. I don’t know about you, but the next time someone makes

01:09:05.520 --> 01:09:11.920
fun of me for the music I listen to, I have the perfect excuse; oh no, my account’s been hijacked!

01:09:11.920 --> 01:09:26.480
It plays random stuff, I swear! I can’t stand this band. You kidding me? This is Darknet Diaries.
