
Bot Attacks, Explained
🧠 Pay-for-play playlist companies employ a few sketchy tactics to lure unsuspecting artists into their money trap. One of these tactics is to employ a bit of code to crawl Spotify for new music releases. Once targets have been identified, those songs are then automatically added to a collection of bot playlists, owned by the scammer. Artists who don’t know any better often pay for bot promotion – so, you might be wondering, “why are they giving the bot plays away for free?” You might also be wondering, “why are they doing this to me? Is it malicious?” Of course it feels malicious, and it is, in fact, morally bankrupt. But the goal is not to attack. The goal is money. (Pro Tip: it’s always money). They’re hoping some of the people they put on these playlists will contact them and ask how they can stay on the rotation, thinking it’s an editorial playlist or just a really good user playlist. They’re playing the numbers game.
Bot Attacks: Overview
Bot attacks are becoming a common tactic among scammers in the music industry.
Here’s how it works:
Certain playlist companies add newly released songs to their bot-driven playlists. They do this without the artist’s permission or knowledge. This is often linked to pay-for-play schemes, a form of illegal activity known as payola.
Problems with Helsinki?
If you’ve been targeted by MusicArray (identifiable by all streams coming from Helsinki), jump to the bottom of this post where you’ll find buttons that’ll take you to our prevention and solutions pages.
What is Payola?
Payola is a term that originated in the radio era and is still legally upheld in our modern, digital era. It’s a piece of legislation that refers to the illegal practice of paying for media exposure without disclosing the payment.
As I mentioned previously, payola laws were written to stop radio programming from being overrun with amateur acts with deep pockets. Radio was a protected form of media and communication, and at the time, no one wanted these broadcasts that were supposed to be “today’s top hits” to be secretly “today’s richest managers who were able to pay the most money in order to get their artist air time.”
To understand why a law like this even exists, we need to explain the mentality of that era. Most commercial, music-based radio programs were seen as a sort of “Top Charts” collection of songs. Letting someone pay for more exposure on these programs seemed manipulative. This was especially true for those who believed radio reflected the most popular artists at the time, not the artists with the most money.
It’s similar to how we feel when someone says all Grammy winners had to pay to get those Grammys. Whether or not that’s true, nobody is comfortable with that idea. And we are immediately upset about it. Radio used to be like that for people.
This mentality is mostly outdated. However, its legality still applies. Moreover, the Payola laws are now applicable to music streaming platforms.
These laws prohibit the exchange of money for playlist placements or airplay unless it is disclosed as a sponsored or promotional placement.
In other words, paying to be added to a playlist is illegal unless it’s fully transparent. And since “transparency” doesn’t apply to playlists, it’s safe to say it’s just illegal.
☝🏻 Important to Note:
Spotify currently has no type of playlist that allows for paid placement. This is true with or without disclosure. Any playlist placement on Spotify that you pay to be on is definitely illegal. This is regardless of whether or not it was disclosed to you. Don’t worry about getting in legal trouble if you’ve been bot attacked. The playlist companies are the ones committing the illegal act, especially in the case of bot attacks.
How Do Bot Attacks Work?
These payola-driven companies exploit bot technology as a marketing tactic. They add new releases to their playlists in bulk. They hope that some artists will notice the activity. The artists might reach out, mistaking the bot-generated streams for genuine engagement. That’s when they hit the artist with a price tag, offering to keep their song on the playlist in exchange for payment.
The process is simple: these companies use basic code to scan platforms like Spotify for new releases. Then, they automatically add songs to their fraudulent playlists without the artist’s consent.
Worse yet, sometimes artists don’t even realize what’s happening before it’s too late. They often realize there’s a problem once they find out that their song was flagged by Spotify, and has already been removed by their distributor.
Dive Deeper
The operation described above is called a “bot attack,” aka being “Helsinkied” (MusicArray is the origin of that fun little nickname).
🤖 Here’s how it usually works: as soon as an artist releases a track, the playlist company’s automated system—designed to crawl Spotify for fresh releases—will add it to one of their genre-specific playlists.
These playlists often have names like “Top Hit Rap Songs” or “Best New Indie Tracks” to appear legitimate and enticing. This is all done without the artist’s involvement, and it’s entirely unsolicited.
☝🏻 The goal is to get the artist to notice a sudden spike in streams, prompting them to log into Spotify for Artists to investigate.
When they see that the extra streams are all coming from a single playlist, curiosity kicks in. They’ll likely click the three dots in the upper right corner of the playlist’s name. Then, they will select “View on Spotify.” They will find themselves redirected to a playlist on Spotify, with some flashy album art and a catchy title.
📞 And there’s one more thing I can promise you will be there on that playlist page on Spotify. A contact email in the description. Or a website. Or an Instagram account. There will be some way to get a hold of the playlist company. That’s basically essential to their scam. They’re counting on you to find that contact information, and reach out to them.
This is the bait. The hope is that the artist will feel flattered or excited by the exposure. They might then reach out to the playlist owner via the email listed. They probably say something along the lines of, “Thank you for adding me! How can I stay on this playlist?”
According to my research, many artists believe this is an editorial playlist they’ve been put on. Editorial playlists do create a sudden influx of new listeners and streams. The big difference is that those are real people. And the playlist in question will show that it is published by Spotify.
👀 Take a look at the difference:
Spotify Editorial Playlist

Not An Editorial Playlist

Once you’ve reached out to them, that’s when they believe that they’ve basically got you. The playlist company will respond with something encouraging, claiming they believe in the artist’s potential and are thrilled to support their music. Right.
The End Game
🪝 Then comes the hook. They inform the artist that to stay on the playlist, the artist will need to pay a fee. The amount varies, but it’s always some absurd number.
It obviously works on some people, though most are savvy to the scheme. I assume some pay up for their playlist placements, or these scam companies wouldn’t survive the first fiscal year. Maybe the artists who fall for it don’t understand that they’re taking part in sketchy promotional tactics. Maybe they don’t realize that they’re doing something that will inevitably harm their careers. Spotify is a data-driven, algorithm-driven platform. Harming your listener data is synonymous with harming yourself.
But there’s a lot of misinformation out there. And a lack of information, in general. You’d be surprised how many artists don’t yet understand what bot plays really are. And even those who are familiar with bot streams often don’t fully understand the problem with bot attacks.
I frequently get questions from artists. Some will ask me what the big deal is. I’ll hear things like, “So what if you get free streams from bot attacks. Why is that a bad thing?”
Others wonder why these bot-attack companies would give the bot streams away for free, when others charge for them. I understand the logic there: If it’s not profitable, it seems almost malicious. And malicious does seem to fit this situation (hence the name bot “attack”).
But of course, in all of these cases, the artist isn’t to blame. They are just on the far side of the learning curve. Eventually, they’ll figure it out, just like the rest of us did. We all had to start somewhere, so there’s certainly no room for judgment.
One thing is for sure, the bot traffic is very much a bad thing. And equally, very much a profitable thing for the companies using them.
Why This Scam Works
This bot attack scheme aims to take advantage of the artist’s excitement. It preys on their desire for more streams. This makes the scheme feel particularly insidious and predatory.
For artists who don’t understand Spotify’s policies or are new to the industry, this can seem like a tempting investment. It leads many to pay up to stay on the list.
Even if you’re on to their antics, and even if you have made it abundantly clear to these companies that you’ll never pay for their services, they’ll continue adding your new releases to their scam playlists. That’s because it’s not a person behind the wheel of this part of the operation. It’s more bots.
Of course, no human is adding these songs to playlists. That process would require some actual work and real time. That’s not in their scammer handbook. So, of course, the whole thing is automated.
They build rudimentary bots to crawl Spotify (probably using a vulnerability in the Spotify API) for newly released songs.
Their crawling algorithms don’t (and can’t) discriminate. They sweep Spotify for the latest tracks. Then, they automatically add them to any relevant genre playlists.
All songs come tagged with basic genre information, assuming you filled that part out on your distributor’s distribution form. And even if you didn’t, it would just mean you’d end up on some random playlist. It would be nominally worse, if you can believe that.
It’s a numbers game. These companies rely on a large number of new artists and releases. This strategy attracts a consistent stream of artists emailing the company, inquiring about the strange playlist they’ve been put on. Some are obviously willing to pay for it, or this grift wouldn’t be sustainable. I’m sure those who pay for a spot on these playlists don’t know better. They believe they are paying for an opportunity to grow from what seems to be legitimate playlist exposure.
💀 It’s an aggressive and damaging tactic. It preys on artists’ desire to be heard. This tactic ultimately turns bot-generated streams into a revenue source. Meanwhile, the artist is left with skewed data and no real fanbase growth.
Recent changes to Spotify’s artificial streaming policy have raised new concerns. If you are bot attacked, you now risk having your track removed by your distributor.
Spotify’s 90% Artificial Stream Policy
💡 Spotify has stated that a song is flagged for removal when its bot streams exceed 90% of the total streams. They have since walked back this specific number. It’s still the best benchmark we have. By all metrics, this 90/10 rule still seems to be approximately the ratio they’re using to determine when to take action on these new artificial streaming penalties.
At first glance, removing songs with 90% bot streams may sound reasonable. After all, none of us want to compete with artists who artificially inflate their numbers. It’s the worst, right?
But think about it: for a song with 100,000 streams, 90,000 of those would have to be bots to trigger a removal under this rule. On the surface, it seems like a fair approach—but if that feels off, it’s because it is.
For high-profile artists like Drake, this 90% threshold is almost irrelevant. With millions of real listeners, any bot streams are likely to be “washed out” by genuine engagement, making them harder to detect. Spotify claims to be improving its bot-detection algorithms, but in practice, these policies tend to hit smaller artists the hardest.
Here’s why: if you’re a new artist with only 10 plays, it takes just 9 bot streams to reach that 90% threshold. A single bot attack can rack up that many artificial streams in minutes, leaving you with no chance to respond before Spotify flags your song. For smaller artists, bot attacks are particularly damaging because there’s often no existing listener base to balance out the impact.
How Bot Attacks Happen to Smaller Artists
Let’s think about some of the artists out there, just starting out, and having only a small following. While larger artists are also targeted by bot attacks, it’s smaller artists who suffer the most from them. However, we are all vulnerable to them – especially during a new release.
Let’s say you’re a smaller artist, though. You release a new song, and you manage to get a handful of friends or family members to stream it during the first week, totaling around 10 real streams. If a bot attack happens during this time, those 10 streams are not enough to counterbalance the bot activity. As a result, Spotify may issue a takedown request to your distributor (like DistroKid) before you even realize there’s an issue.
This is why some artists have songs removed after a bot attack, while others don’t. It all depends on the ratio. If you have enough real streams to dilute the bot streams—meaning bot streams make up less than 90%—you might avoid a takedown, though your data will still be skewed.
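As an added example (not from the original post, and not Spotify's own method), this Python script applies the warning signs described in this article to per-source stream counts: a playlist not published by Spotify, most streams arriving through that one playlist, and those streams clustered in a single city. It then compares the suspected share against the 90% benchmark and reports how many more real streams would bring it under. The row layout, the `min_share` and `city_share` cut-offs, and all names are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict

# The article's 90% benchmark as an integer ratio (Spotify has walked back the exact figure).
BENCH_NUM, BENCH_DEN = 9, 10

# Constructed sample rows: (source playlist, playlist owner, listener city, streams).
# Hypothetical layout for illustration; not a real Spotify for Artists export.
SAMPLE_ROWS = [
    ("Top Hit Rap Songs", "playlist-co", "Helsinki", 190),
    ("Editorial Example", "Spotify", "Austin", 6),
    ("Editorial Example", "Spotify", "Chicago", 4),
    ("", "", "Austin", 10),  # direct streams: profile, search, library
]

def triage(rows, trusted_owner="Spotify", min_share=0.5, city_share=0.9):
    """Flag playlists that match the article's warning signs and compare the
    suspected share of streams against the 90% benchmark.

    min_share and city_share are assumed cut-offs, not Spotify values."""
    total = sum(n for *_, n in rows)
    result = {"total": total, "suspects": [], "suspect_streams": 0,
              "at_or_over_benchmark": False, "organic_needed": 0}
    if total == 0:
        return result

    cities_by_playlist = defaultdict(Counter)
    owner_of = {}
    for playlist, owner, city, n in rows:
        if playlist:  # rows without a playlist are direct streams
            cities_by_playlist[playlist][city] += n
            owner_of[playlist] = owner

    for playlist, cities in cities_by_playlist.items():
        streams = sum(cities.values())
        top_city, top_n = cities.most_common(1)[0]
        if (streams > 0
                and owner_of[playlist] != trusted_owner   # not published by Spotify
                and streams >= min_share * total          # one playlist dominates
                and top_n >= city_share * streams):       # one city dominates
            result["suspects"].append(
                {"playlist": playlist, "streams": streams, "top_city": top_city})

    s = sum(p["streams"] for p in result["suspects"])
    result["suspect_streams"] = s
    # Integer comparison avoids float rounding right at the 90% line.
    result["at_or_over_benchmark"] = s * BENCH_DEN >= BENCH_NUM * total
    # Smallest number of extra real streams x with s / (total + x) < 9/10.
    gap = BENCH_DEN * s - BENCH_NUM * total
    result["organic_needed"] = max(0, gap // BENCH_NUM + 1)
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_ROWS))
```

With the article's own 10-stream case (9 suspected, 1 real), the function reports the track at the benchmark and one additional real stream needed to fall below it.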
The Risk for Emerging Artists
New artists are especially vulnerable. It is easy to accumulate a dangerous ratio of bot streams to real streams when you don’t have a large audience. Many new artists unknowingly sign up for sketchy promotion services, unaware of the long-term damage bot streams can cause.
Awareness about bot playlists and their negative impact is growing. The number of botted songs linked to artists willingly paying for bot playlist promotion is dwindling fast. It now probably represents a pretty small minority of the bigger artificial stream problem. These days, most artificial streams on Spotify result from bot attacks. They are not primarily due to willing participation in payola schemes.
But Spotify argues that it is the other way around. They believe that bot attacks are extremely rare. Spotify believes that they happen so infrequently that it’s hardly even worth allocating resources to try and stop them. But that’s not at all reflective of what artists are seeing and experiencing.
And it’s just… a problem.
Many artists have taken to social media in recent months (Fall of 2024) to clap back at Spotify. Some artists are upset by Spotify’s stance on this problem. Spotify claims that most artificial streams result from willing participants in payola scams. I’m actually paraphrasing this a bit; their official statement is linked below. The takeaway is that Spotify’s stance on who’s responsible for the artificial stream problem comes off as a bit insulting to many. And also incredibly shortsighted.
✍🏻 To put it in perspective, if your song has 10 streams and 9 of those streams are from bots, it’s an automatic take-down. Spotify’s new policies address the bot attack problem that artists have highlighted for a year. However, the policies may not be what many expected.
With a 90% artificial to 10% organic ratio allowed, it seems lenient at first. Still, these policies unfairly affect small artists the most, as they lack enough real streams to counteract the bot streams. In contrast, larger artists with consistent organic streams can absorb the impact of bot traffic.
This may not have been Spotify’s intention. However, smaller artists are suffering the consequences. Meanwhile, larger artists often avoid the newly enforced track removal.
The bigger problem that needs to be solved is obvious. We need these bot attacks to stop.
Ideally, Spotify would figure out how to better police the bot attackers. Others have suggested that Spotify needs to give artists an Opt-Out button for large, suspicious user playlists.
Consequences of Bot Attacks
An Excerpt Directly From Spotify:
The consequences for using these services
When we identify confirmed cases of artificial streaming or stream manipulation, we take actions that may include the withholding of associated royalties, the correction of public streaming numbers, and measures to ensure the artist or song’s popularity is accurately reflected in our charts.
In some cases, we can remove confirmed artificial streams from your data before your Spotify for Artists dashboard refreshes; in other cases, you may still see artificial streaming spikes in your Spotify for Artists data, even though associated royalties may be withheld. Spotify also reserves the right to remove manipulated content from the platform in the case of repeated or egregious artificial streaming.
We share monthly reports with labels and distributors about confirmed artificial streaming on our platform. Based on those reports, your distributor may take actions like issuing warnings or, in flagrant or repeated cases, removing your content from streaming services or suspending your account.
If this happened to you but you believe your streams were earned authentically, you should share information with your distributor or label about the methods used to genuinely promote the content in question. They’ll work with our team to review, and hopefully get the problem solved quickly.
Source Article: Spotify on Artificial Stream Policy Changes, 2024
Final Thoughts
The Motive Behind Bot Attacks?
This one doesn’t take much explaining.
It’s money.
They’re hoping you’ll pay them to stay in rotation on their trash playlist. That’s why they added you to it to begin with (and without your consent).
Remember this if you ever see a sudden increase in streams: Check if the playlist is published by Spotify. If it’s not, then it’s probably a bot attack. Even if you contact the company that playlisted you, you can disregard their explanations. They will probably try to show you graphs from ChartMetrics or Artist.Tools. They could also have a slick spiel about using “SEO” to drive organic plays. You can just disregard all of that. It’s definitely not on the level.
Regardless of what the company says, remember:
✍🏻 Pay-for-play (aka: a Payola scheme) is illegal. However they drive traffic to their playlists, you can bet it’s being done in a sketchy way. Even if you don’t have any moral qualms with bot traffic (and, we hope you do), it doesn’t matter. Paid playlist placements are still not a reasonable risk to take. It’s not worth having your songs removed – all for some meaningless vanity metrics.
Need Help With Helsinki?
For those who have already been bot attacked and don’t know what to do about it – we got you.
Solutions: Use the solutions button if you’ve already ended up on a bot playlist. We’ll show you how to fix that.
Prevention: Use the prevention button to learn how you can avoid being bot attacked in the future. (FYI, it’s super easy and actually works).
Stay in the loop,
– Music Scam Alert Staff
don’t get duped.



