AI Used to Create Faux Surf Under Real Bands' Names

The indie surf music community felt under attack when AI-generated surf appeared on the market under the names of existing bands.

Recently, WTUL DJ and surf fan Hunter King discovered surf music generated by artificial intelligence (AI) and sold under the names of existing bands. He posted his efforts to find out who’s behind it and what can be done about it on his Storm Surge of Reverb blog. I’m reposting it with his permission.

I have also recorded an upcoming episode of my Twelve Songs of Christmas podcast focused on AI Christmas music because, like surf music, it’s easy to create passable AI versions. I’ll add a link here when the episode is up. - Alex

On July 28 this year, beloved Italian surf group The Bradipos IV made an alarming post on Facebook.

A fake album titled Surf Tides had been uploaded onto Spotify on their artist page. The music was AI-generated and aside from also being instrumental surf, it didn't really bear much sonic resemblance to the band's discography.

In the comments, I noticed two things: It was on several other platforms as well, including Apple Music and Qobuz (not Spotify), and Qobuz it listed its label as simply Hi-Tide. Hi-Tide Recordings is an established label with a lot of surf artists, but it almost always includes the word "Recordings" when it uses its name. I tagged them in the post, and label owner Vincent Minervino said he was looking into it.

This was pretty disturbing. I'd seen AI surf records, and I'd even seen this sort of thing done before including articles written about it, but it was surprising that it would hit our small, largely under-the-radar genre. That said, people more savvy than me were working on it. I was sure there had to be a Report button somewhere, I expected this to be a blip.

Months later, I saw a post from Dave Arnson, band leader behind the longstanding progressive surf group Insect Surfers reported something very similar. Immediately I noticed that the album art was a lot less generic: you could easily mistake this for a legitimate Insect Surfers album cover (the music, less so).

I checked back on The Bradipos IV album to see if it was still there. It was. In fact, if I clicked on the Hi-Tide link on Qobuz (the only streaming service I could find that let you see a label's discography), it listed both of these albums as well as one from modern exotica gropu Waitiki 7. Were these perpetrated by the same person? Some sort of targeted attack on surf musicians? And since the Bradipos IV album was still up there, it seemed to me that removing these albums wasn't as trivial as you'd expect.

But there had to be a way, and I wanted to find it. Really, I wanted to find out who this was, and find out why, but at the very least I wanted their means to do this cut off.

And if you're reading this article because you've been similarly attacked, I don't want you to hang on for that answer. I didn't find it, but I learned a lot.

I'm a radio DJ, and I've noticed that when our playlist system auto-recognizes something, it might put something in the label field starting with DK and a bunch of numbers, and I believe the DK stands for DIstroKid. I was hoping I could find similar clues, and while researching that, I found ISRC codes. These are basically unique identifier codes attributed to published songs by record labels, distributors, and individual artists to track their usage and royalties. Well that sounded great. I wanted to track where this is coming from, so this seems like the way to do it! I used an ISRC finder tool to look up songs on both fake albums.

The ISRC for one fake Insect Surfers song was NL-8RL-25-56384, and a fake Bradipos IV was NL-8RL-25-39954. The fact that the first seven digits, particularly the first five, are similar suggests that these are indeed related to each other. The first two are a country cole. NL is Netherlands. 8RL is a registrant code, so everything put out by this entity will have that. "Entity" is the word I use because I don't know if this is a code for an individual or a distributor. The "25" is just the year, so much less exciting. And from what I understand, the rest of the numbers can't really be "read."

On this same website where I looked this up, it had a link for a "Distribution checker". Hey, this is going to be easy! I put in the ISRC number and did not get a way to identify the distributor, but the results were illuminating nonetheless. It showed every platform that these songs were on: Amazon Music, Anghami, Apple Music, Awa, Deezer, FLO, Joox, KKBOX, Line Music, IHeartRadio, NetEase, Pandora, Qobuz, QQ Music, 7digital, Shazam, Soundcloud, Spotify, Tidal, Tiktok, Trebel, Youtube, Youtube Music, Youtube Shorts. Surprisingly, not Bandcamp.

That's a lot.

OK, back to the ISRC codes. After a lot of searching, I couldn't find any way to look up that "8RL" part. I looked up the Dutch authority for ISRC codes, called Sena, and it seemed all I could do from there was send them an email.

Except, was that really appropriate for me to do? I'm not in one of these bands. This is where Dave Arnson of the Insect Surfers took action. He emailed Sena and their email said something along the lines of, "Sorry, we can't help you. You should try to contact the distributor." Well yeah, that's the whole idea!

I was feeling a bit stuck, but the scammer wasn't. He uploaded two more albums, one "by" the Kilaueas and another "by" Jon & The Nightriders. Around this point Sunny Jake who has a surf radio show called The Drip and band The Surfmasters started a thread on the Surfguitar101 forums to draw attention to and hopefully root out the issue. If nothing else, it was gratifying to see others not directly affected by the issue similarly fired up, and useful to have one central place to discuss.

Meanwhile I changed my angle of attack. In addition to ISRC codes, these albums had UPC codes attached to them. You've probably heard that term before interchangeably with "bar code". The UPC isn't really the bar code; it's the 12-digit sequence that the bar code spits out. The thing you might not know is that UPC codes are assigned and tracked by an international authority called GS1. Unlike QR codes, you can't just make up a UPC code, not legitimately at least.

Using similar tools as before, I was able to find the UPC codes and while I didn't get a name, I got an address in The Netherlands. Amsterdam. I checked Google Maps and it looked like it was in a pretty commercial area, but who knows, maybe it's an apartment above a retail space. How would I know though? Should I send a Dutch friend to check it out? That seemed ridiculous, so I ran a web search on the address. There were several businesses listed at that street address, but one stood out: Downtown Music.

I hadn't heard of Downtown Music, but they have 19 offices spanning every continent except Antarctica. Although if you have that many offices, I assume you have a secret doomsday bunker there too. The "Services" tab of their site says "Downtown provides a vital bridge between creators and companies that produce, publish, distribute, manage and monetize music today."

So yeah, this is sounding like the plausible home of this UPC code. Oh wait. Down there at the bottom of the page it says CD Baby. Yes, Downtown Music is CD Baby's parent company. Since I don't see a direct way to utilize Downtown's services, I'm taking an educated guess that our scammer utilized CD Baby to distribute these albums on all these streaming sites at once.

I reported my findings to the Surfguitar101 Forum and to an email chain with the Insect Surfers and a few others. I sent an email to Downtown Music being very clear that I'm not directly involved in the bands this scammer is impersonating, but also providing links of bands disavowing the fake albums. I did not get a reply.

Meanwhile, every few days another fake surf album would drop. The fascinating and frustrating part of this was just how niche it was. I understand targeting surf music to some extent. Removing lyrics means one less thing to scrutinize, and people might be more tuned to find something off about generated vocals. But these were not fake albums by larger surf groups Los Straitjackets, The Ventures, The Surfaris or even modern touring groups like The Surfrajettes or Messer Chups. These were groups that by-and-large were known and appreciated primarily by surf music nerds.

Who knows, maybe these were just bands that ChatGPT spat out, but it felt like this scammer had some depth of knowledge and appreciation for the genre. Most of the album art reflected the visual language of the bands, and they were surprisingly missing many AI artifacts. Text looked good, AI frequently messes up guitars, but these were alright. I daresay they might have had a modicum of effort put in, but if this was some form of tribute, it was pretty tone-deaf!

In my email thread with the Insect Surfers, Dave Arnson was taking the one-by-one approach with streaming services. He sent me a lengthy chat log with Spotify. He successfully removed the album from his artist page, but that meant that the album had been moved to a different Insect Surfers artist page. But it appeared that he had spoken to a human. The Pyronauts managed to get theirs taken off of Apple Music. I was obviously happy to see progress being made, but this can't be the way to do it. Should every band go through the Spotify chatbot, then do the same thing for the other 20 services?

Meanwhile Mike Papageorgiou, founder of Green Cookie Records, who had released some Insect Surfers records, said he was reaching out to lawyers his label has used.

I was running out of ideas. CD Baby's website does have a section about fraud, but it seemed to assume that you knew it was CD Baby involved, which we didn't. Every tool I could find that *might* give me more details seemed to be subscription-based, and at a rate that only makes sense if it's your livelihood to navigate this stuff. I tried to think of people that might be in that space. I encouraged Jon Blair of Jon & The Nightriders, a victim of this himself, to reach out to people that helped him track down licensing rights for the documentary he worked on recently. I even bought one track off Qobuz in hopes that there might be clues in the ID3 tags.

Then the scammer made his big move. Fourteen fake albums announced at once, a bunch of them with release dates in the future. No albums yet, just album art, band names, and album titles. These fake albums would come from Blue Stingrays, The Sentinals, The Bomboras, Los Daytonas, Bang! Mustang!, The Diamondheads, The Torquays. The Penetrators, The Surf Trio, Surf Raiders, Los Twang! Marvels, Pollo Del Mar, The Secret Samurai, and The Aqua Velvets. All on the fake Hi-Tide label. The Sentinals were the first ‘60s era band I'd seen them target. They were on Del-Fi, whose catalog had been sold to Warner Music, so who knows, maybe that will trip an alarm.

And then the next day, *poof*. All of them were taken down. The page listing them is still viewable on Qobuz, but each links to a 404 page, and the distribution checker I had used previously only showed 2 or 3 obscure services, and when I checked one of them it wasn't even there. It was done!

But what did it? Did this sudden flurry trigger a bot check on CD Baby or the distributor? Or even one of the platforms it distributed to? Did one of the requests to take down an individual album listing trigger a message back to their distributor? Did Green Cookie's lawyers come through? If any of us knows, they haven't shared it.

That's why I'm still frustrated. As I dug into this, I hoped to find a blueprint that others could follow. We eventually had a community of people scratching away at this in a way that still felt pretty ineffective. If they had targeted a single technophobic musician, would the scammer have faced any resistance? Some of the bands they targeted were no longer active and had no social media presence. Would they even know that they were affected?

I had seen examples of this before, even articles written about it, but those articles hand-waved the resolution with "had them taken down." How? We don't know what happened on the other end. Can the scammer try again with a different distro? Can they just do it again on the same distro from a different email account? When that happens, would we be scrambling for weeks like last time?

Amidst all the talk about AI's potential gifts to society, we gloss over one of its biggest "strengths." AI is an excellent exploitation tool. What happened here—the ability for a random person to upload material under the name of an artist they have no claim to—likely has nothing to do with AI. I bet this kind of exploitation isn't even new. But until recently, the reward wasn't worth the effort, especially when that effort could be easily erased. But now that the effort is minimal, they have so little to lose, and I bet it's fun for them. They toss out an album, we freak out, they do it again, maybe giggle a bit. It's easy for them! And this is just one of infinite cases where that is likely true—where the thing holding back a scam used to be the logistics involved—and I bet new ones are emerging all the time. I bet this specific scam is only going to happen more. Why wouldn't it? I assume there could be legal ramifications for fraud (actual lawyers, I'd love your input) but somebody would have to find the fraudulent albums first and care enough to go after them.

We hear about how without guardrails in place, AI is going to disrupt in the bad way (was there ever really a good way?) the systems we rely on. Clearly, streaming services need to implement a process to deal with this sort of scam. There also needs to an easily findable mechanism to trace fraudulent recordings back to the distributor. It should be easier to take these down than to put them up.

I doubt the distributors will implement that process. The age of companies touting great customer support has been gone since, I don't know, the ‘90s, ever since Google came to dominate our web despite virtually no customer service to speak of. We already had ineffective chat bots to politely weed out the least determined before they escalate to the human helper. Now we have AI to fire that human helper.

This is what I want to say to you, musicians. The word streaming "service" is a lie. They are not here to serve you, though they may help make your music more findable. Just like so many other record executives in the history of recorded music, they're yet another pimp here to skim from what you bring to the table. There are people out there that genuinely think "I love music, I know great bands that aren't getting heard, I'm going to start a record label and do the legwork to get them noticed." Those people are great. To all the indie labels out there, love y'all, keep doing what you do. I don't think I even need to tell you that the executives of Spotify aren't those people.

I'm not telling you to quit these services. Tons of people, maybe even the majority of people out there, mostly listen to music via Spotify. This isn't even an article about Spotify! I'm just asking for you to treat your craft with dignity. Don't be complacent. Expect better from the services that leech from you. They should listen to you, they should help you, and they should protect you. They can afford it.

Postscript: After posting this, a reader believes he found the identity of the scammer. He'd rather not share the means that he used to find them, and I don't want to doxx the alleged scammer. The method he used to identify them is not something that I or most people have direct access to, so my general point that this is harder for the scammed than it is the scammer remains. I bring this up to say that if you were in one of the bands affected by this and you want to pursue this further, reach out.