How can hackers exploit the Spotify algorithm to position an artist or song in the platform’s Top 50 Global playlist?

On March 25, the famous singer Anitta became the first Brazilian singer to reach the number one spot of the “Daily Top 50 Global” playlist on Spotify, when her song “Envolver” reached 6.4 million streams in just one day, most of them from Brazilian users.

Although this seemed like a great achievement for the young singer, cybersecurity specialists were quick to identify something strange behind these millions of streams, claiming that Anitta’s fans managed to hack the music platform to artificially increase the song’s play count.

A fan account movement

Apparently, it all started on March 14, when the Twitter account “QG da Anitta” began sharing messages inviting the singer’s fans to do everything possible to increase her popularity on Spotify: creating multiple playlists with multiple accounts and changing accounts at least every 20 minutes.

To attract more users, the administrators of “QG da Anitta” announced a giveaway of Spotify Premium accounts. This campaign led to the creation of about 100 playlists including the song; some of these lists were named “Envolver #1”, “Envolver Stream Party” or “Envolver 20x”. Even the descriptions of these playlists specified the goal of Anitta’s fans: “Play the song only once a day, don’t turn on shuffle and turn up the volume,” one of these lists noted.

Adriano Ferreira da Silva Filho, a 19-year-old Brazilian, says he actively participated in this campaign, which he describes as incredibly easy: “If you just play the song repeatedly, Spotify will believe you’re a bot. That’s why you have to create playlists with different songs and alternate them with the song you want to promote.”

Although this practice could be considered a violation of its Terms and Conditions, Spotify has made no mention of this incident or the singer’s profile.

This is not an unprecedented incident, as other fan groups have previously tried to boost the popularity of their favorite artists on Spotify. In 2021, the Brazilian Cyber Police shut down almost 100 websites selling bots aimed at inflating the statistics of any artist on Spotify, even though this practice is prohibited by the platform and can be considered electronic fraud according to the legislation of each country.
