Royalty Hijacking: When Someone Steals Your Song on Spotify

July 3, 2026

Royalty Hijacking: When Someone Steals Your Song on Spotify

Royalty hijacking is when someone falsely claims ownership of a track (its master, its publishing or both) on a streaming or content platform, so that the royalties, or the takedown power, flow to them instead of the person who actually made the work. In its crudest form it is even simpler: someone re-uploads a direct copy, or a slightly modified version, of your song through a digital distributor and starts collecting the money. It is not new, but it appears to have grown alongside the flood of AI-assisted uploads: platforms now ingest enormous volumes of music, disputes are harder to adjudicate at that scale, and a fraudulent upload can hide in the noise.

If you have never heard the term, you are not alone. There is surprisingly little written about it, which is precisely why the stories tend to surface as personal accounts rather than industry coverage.

A real case: viral on TikTok, hijacked on Spotify

This is one of those accounts, shared by a creator on Reddit. Their AI-assisted music video had taken off on TikTok: over 500,000 views and more than 8,000 new followers, by their telling. They spent a week debating whether it was even worth paying a distributor to put the song on Spotify. Then a stranger messaged them: "I think someone stole your song".

It was not a cover, and not a short clip. By the poster's account, someone had uploaded the track to Spotify under their own name and had been collecting streams and royalties for around ten days before anyone noticed. The impostor had even copied the album artwork, simply swapping out the singer. The creator found out from a fan, not from any platform, and only then discovered that this scam is common enough to have a name.

How the scam plays out

Strip the story to its mechanics and you can see why it works so well.

You do the work. You produce a track, you post it somewhere, it starts to travel. Like the creator above, you may not have distributed it everywhere yet: releasing music on every platform costs money and takes decisions, and there is usually a gap between "public somewhere" and "released everywhere".

Someone else cashes in. A hijacker does not need your stems or your project files, and the source does not even have to be an audio file. The sound can be lifted straight from a public video or clip, exactly as happened here where the track was riding a viral TikTok music video, then pushed through a distributor as an audio release under their own name. From that moment they are, as far as the paying platform knows, the artist.

The platform sees it backwards. This is the part most creators do not expect. Spotify's internal record now shows, truthfully, that their user uploaded that song on that date. When you write in saying the track is yours, they do not know you. You have no upload on their service, or a later one. For all they know, you are the scammer, trying to hijack a track from a successful artist. That is not cynicism; it is symmetry. False claims are also a real abuse pattern, they carry consequences on every platform, and the disputed song is meanwhile generating revenue, of which the platform takes its cut. For this reason, no serious platform removes a track just because someone sent an email. They want proof, and the burden of producing it is on you.

You can escalate through the formal channels, and people do, sometimes with counsel involved. All of that takes time, and while it runs, the fraudulent copy stays live and keeps paying someone else, as it reportedly did for ten days in the story above.

The email you want to be able to send

Now replay the same scenario with one difference: before the track went anywhere public, you spent two minutes creating a timestamped fingerprint of the file with EMOZ, an independent third party. Your message to the platform stops being "trust me" and becomes something a reviewer can act on:

Subject: Unauthorized upload of an original track, independently verifiable proof attached

Attn: Copyright / Content Dispute team

I am the producer of the track "[Title]". It has come to my attention that this track has been uploaded to your platform by another account, without my consent, at [URL / URI of the infringing release], and that it is being monetized.

This upload diverts royalties from the original work and misattributes it. I request that you review it under your infringement process.

As evidence, I attach the original track file together with its timestamp certificate (PDF), issued by an independent third party. The certificate shows that this exact file existed, in this exact form, on [date], before the upload in question, and includes the steps for your team to verify this independently: recompute the attached file's fingerprint and match it against the public record, without relying on me or on the issuing service.

I confirm my good-faith belief that this use is unauthorized and that the information above is accurate. I can provide project files and further records on request.

[Name, contact details, links to your original post or release]

Where to send it: Spotify has a dedicated flow for reporting music uploaded without your permission backed by its infringement claim form; TikTok takes a Copyright Infringement Report; YouTube has a copyright removal request; and if you distribute through DistroKid, TuneCore, CD Baby or similar, your distributor runs its own dispute process, which is often the fastest lever of all.

Be clear about what this does and does not do. No attachment guarantees an outcome, and every platform runs its own process on its own clock. But reviewers triage, and a claim that arrives with independently verifiable, dated evidence starts from a different place than a bare accusation. It is quite possible that proof of this kind alone prompts a team to take your claim more seriously from the start, and in some cases to act on the disputed upload while they investigate. At minimum, it makes your claim immediately more credible, and credibility is what moves these queues.

Lock in the date before you release

The certificate in that email takes a couple of minutes to create. With EMOZ, it works like this:

1. Your track is fingerprinted in your browser. You select the finished file and a short, unique fingerprint (SHA-256) of those exact bytes is computed on your own device. Change one note and the fingerprint changes completely. The track itself is never uploaded: only the fingerprint leaves your machine, and it reveals nothing about the song.

2. EMOZ anchors the fingerprint on a public blockchain. The record is public, append-only and dated, so it cannot be quietly altered or backdated, by you, by EMOZ or by anyone else. That independence is the whole point: the date does not rest on your word, or on any single company's database.

3. You download the PDF certificate. It carries the fingerprint, the date and the on-chain reference, plus the steps to verify everything independently. The check works even without EMOZ: in a case like the one above, it means pointing to a public record dated before the impostor's Spotify release, and anyone, including a platform reviewer, can confirm the match on their own.

Applied to music, the habit is simple: timestamp the final master (and, if you want a stronger position, the project files too) before the track goes anywhere public.

What an EMOZ timestamp proves (and what it does not)

It is worth being precise here, because some services in this space are not.

An EMOZ timestamp proves that a specific file existed, unchanged, by a given date. It does not, by itself, prove authorship or ownership, and it does not stop anyone from re-uploading your song. Treat it as supporting evidence that corroborates your other records: distributor receipts, project files, drafts, correspondence. It is a complement to copyright registration, never a replacement for it, and nothing in this post is legal advice.

Its strength is narrower and more durable: it is an independent, mathematically verifiable record that any third party can check on their own. In a dispute that hinges on "who had this file first", that is precisely the kind of corroboration reviewers look for, and that almost nobody can produce after the fact. File dates can be edited in a few clicks, metadata can be rewritten, and even an edit history can be reconstructed by someone determined enough. A public, dated, tamper-evident record cannot.

A pre-release habit worth keeping

The Reddit story carries one more lesson. The most dangerous window is the gap between the moment a track becomes public anywhere (a TikTok, a preview, a demo sent around) and the moment your official release lands everywhere. That creator spent a week deciding whether Spotify was worth the distribution fee; someone else used that window to become "first" on the platform that pays.

The habit that closes that window is creating an EMOZ timestamp as part of finishing every track. It takes a couple of minutes and costs about the price of a pizza, a small price against a dispute like the one above.

  • Timestamp every track before it goes anywhere, not after a dispute starts. After the fact is too late by definition.
  • Keep your raw and project files: stems, session files, source assets. A reposter almost never has these, and they corroborate the timestamped master.
  • Your file should never need to be uploaded to be protected, and the record should be verifiable without the tool provider. This is precisely how EMOZ works.
  • Combine the dated original with distributor records and any formal registration. Each covers a different weakness of the others.

Your unreleased track never leaves your device

There is a special irony in uploading your unreleased song to some company's server in order to protect it. With EMOZ, that does not happen: the fingerprint is computed in your browser, on your device, and only the fingerprint is anchored. The track itself never leaves your machine, which is exactly what you want for material that has not been released yet.

If you release music, timestamp it before release day, every time. The one time you need it, it will be the only piece of evidence nobody can argue with.

Certificate Magnifier

Protect your idea

Secure your work with permanent,
verifiable ownership


Get Started for free
Certificate Magnifier