Spotify, one of the world’s most popular music streaming platforms, is being co-opted by cybercriminals to promote pirated software, game cheats, and dubious websites. By exploiting Spotify’s playlists and podcast descriptions, these threat actors are boosting the visibility of their malicious content through search engine optimisation (SEO).
Cybercriminals have embedded keywords like ‘free download’ or ‘crack’ into Spotify playlists and podcast descriptions. These keywords are linked to external websites promoting illegal downloads or scams. For example, a now-deleted playlist titled ‘Sony Vegas Pro 13 Crack…’ directed users to suspicious websites claiming to offer free software versions.
Such sites often lure users with promises of free content but deliver malware, adware, or scams instead.
As BleepingComputer notes, the fact that Spotify’s web player is indexed by search engines like Google compounds the problem. As a result, users searching for specific software or game mods may stumble upon these malicious playlists and podcasts, inadvertently amplifying their reach.

The abuse isn’t limited to playlists. Fake podcasts, often featuring short, synthesised audio messages, are being used to promote spam links. These podcasts promise eBooks, audiobooks, and game cheats, urging users to click on suspicious links. These links often lead to phishing attempts, surveys, or risky browsers that could harvest user data.
For instance, podcasts promising cheat codes for popular games like GTA V or Apex Legends redirect users to shady websites such as ‘cheater.ninja.’ Similarly, eBook-related podcasts link to scam sites promoting downloads that often lead to malware or adware.
Interestingly, many of these spammy podcasts are published via third-party distribution services like Firstory. Such services facilitate the cross-platform distribution of podcasts but have become a backdoor for spammers.
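As a defender-side illustration of the pattern described above (lure keywords paired with links to external sites in playlist and podcast text), the following added example, which is not code from Spotify or BleepingComputer, flags a listing only when both signals appear together. The keyword list, the first-party domain rule, and the sample listings are constructed assumptions, and the `example.test` hosts are placeholders.

```python
import re

# Assumption: lure terms taken from the article's examples
# ('free download', 'crack', game cheats); a real list would be tuned.
LURE_RE = re.compile(r"\b(free\s+download|crack(?:ed)?|cheats?)\b")
# Hostname with or without a scheme; any trailing path is consumed so that
# file names inside the path are not mistaken for hosts.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?")
# Assumption: only spotify.com and its subdomains count as first-party links.
FIRST_PARTY = "spotify.com"


def is_first_party(host):
    return host == FIRST_PARTY or host.endswith("." + FIRST_PARTY)


def score_listing(title, description):
    """Flag a listing only when a lure keyword AND an off-platform host co-occur."""
    text = f"{title}\n{description}".lower()
    lures = sorted({re.sub(r"\s+", " ", m.group(1)) for m in LURE_RE.finditer(text)})
    hosts = sorted({h for h in HOST_RE.findall(text) if not is_first_party(h)})
    return {"lures": lures, "external_hosts": hosts, "flag": bool(lures and hosts)}


# Constructed sample listings (title, description). Only the first title and
# the 'cheater.ninja' domain are quoted from the article; the rest is invented.
SAMPLES = [
    ("Sony Vegas Pro 13 Crack…", "Free download here: https://downloads.example.test/get"),
    ("Crack the Sky: best of", "Listen on https://open.spotify.com/playlist/xyz"),
    ("GTA V cheat codes", "Visit cheater.ninja."),
    ("Morning jazz", "Artist site: https://artist.example.test"),
    ("Free download mixes", "https://open.spotify.com.example.test/login"),
]


def flagged_titles(samples=SAMPLES):
    """Return the titles of listings that warrant moderator review."""
    return [title for title, desc in samples if score_listing(title, desc)["flag"]]


if __name__ == "__main__":
    for title, desc in SAMPLES:
        print(title, "->", score_listing(title, desc))
```

Requiring both signals keeps a benign title containing "crack" or a benign artist link from being flagged on its own, while a lookalike host that merely contains `spotify.com` is still treated as external.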
Spotify confirmed the removal of the offending playlist and reiterated its stance against malicious content. “Spotify’s Platform Rules prohibit posting, sharing, or providing instructions on implementing malware or related malicious practices,” a spokesperson said.
However, the company has yet to disclose whether additional measures are being implemented to curb such abuse.