Connect with us

NEWS

Suno’s Leaked Code Shows a Scraping Operation Fair Use Can’t Erase

Leaked Suno source code reveals it scraped over two million YouTube Music clips, adding a DMCA circumvention claim to its RIAA copyright lawsuit.

Published

on

Stolen Suno source code shows the AI music startup scraped more than two million YouTube Music clips to train its models, according to a hacker who breached the company last year. The leak, reported on July 15, 2026, names YouTube Music, Deezer, Genius and half a dozen other platforms as training sources Suno had never confirmed in its own public filings.

Record labels already suspected as much. What the leak adds is the name of the tool Suno used to get past YouTube’s anti-scraping defenses, and that single detail creates a legal claim capable of surviving no matter how a judge eventually rules on the bigger fair-use fight.

A Folder Named youtube_music Surfaces From the Wreckage

The hacker goes by the handle ellie.191. They used a supply chain attack built around the Shai Hulud npm worm to steal a Suno employee’s login credentials, then pulled source code dated 2023 and 2024 out of the company’s systems before Suno discovered the intrusion in November 2025.

The files include comments logging the scale of the harvest. One dataset file tied to YouTube Music listed 2,013,545 music clips pulled from the platform. Other files broke the haul down by hours of audio rather than file count, and the numbers span far beyond YouTube alone.

Source Volume in leaked files
YouTube Music 2,013,545 clips (113,879 hours)
Genius 17,615 hours of lyrics
Deezer 12,287 hours
Pond5 (stock audio) 62,117 hours
Jamendo 3,726 hours
IMSLP 19,514 hours
Podcasts via RSS feeds roughly 1 million hours across about 420,000 shows

The code also carried explicit scraping instructions, including a directive to filter out anything tagged as non-music before it reached the training pipeline. That level of specificity is what makes this leak different from two years of lawyers arguing over what Suno’s models were probably trained on.

Bright Data Enters the Picture

The leaked files name Bright Data, a commercial web-scraping infrastructure provider, as the service Suno used to route requests through rotating IP addresses and dodge YouTube’s bot detection. Code in the leak also included routines built specifically to search out acapella versions of songs, isolating vocal tracks for training.

That detail matters more than the raw scraping numbers. Under Section 1201 of the DMCA (Digital Millennium Copyright Act), circumventing a technical measure that guards access to copyrighted material is its own violation, provable without a separate finding of infringement and without a fair-use defense to fall back on. Suno could win the historic copyright argument in Massachusetts and still face liability purely for how it obtained the data.

That is not a theoretical claim. A New York federal judge already declined to throw out the DMCA circumvention counts against Udio, Suno’s closest competitor, in a May 2026 ruling, meaning nearly identical claims are already headed to discovery in a parallel case.

Suno’s public position has not changed. The case accusing Suno and Udio of mass infringement dates back to June 2024, and Suno has argued from the start that training on the open internet is transformative and legal.

Our goal has always been to help people create original new music, not replicate someone else’s.

A Suno spokesperson offered that line in a statement describing the company’s approach, which it calls Original Creation, By Design, adding that the platform deliberately avoids using artist names as training metadata.

Three Courtrooms, One Bad Month for Suno

The leak lands in the middle of an unusually crowded legal calendar. Three separate proceedings now touch the same underlying question of whether scraping the open internet to train a music model is lawful, and each is moving on its own timeline.

  1. June 24, 2024: The RIAA (Recording Industry Association of America) files copyright suits against Suno and Udio in federal courts in Boston and New York.
  2. November 2025: The hacker breaches Suno’s systems; the company later says it discovered the intrusion that month.
  3. November 25, 2025: Warner Music settles with Suno, taking a licensing partnership and Suno’s acquisition of Warner’s Songkick platform.
  4. May 21, 2026: Universal and Sony move to add 61,026 fingerprinted recordings to their Massachusetts complaint.
  5. June 30, 2026: The Massachusetts court resets its schedule, pushing dispositive motions to April 9, 2027.
  6. July 15, 2026: The leaked source code is published, detailing the scraping instructions.
  7. July 31, 2026: Munich’s Regional Court is due to rule in GEMA’s case against Suno.

Earlier trade coverage had pointed to a Massachusetts fair-use ruling landing this summer. That date has since moved. Court filings show dispositive motions are now due in April 2027, which pushes the marquee American ruling on AI music training a full year past when the industry expected it.

Germany moves faster. GEMA, the German royalty collecting society, represents more than 95,000 songwriters, composers and publishers domestically and holds a mandate covering more than two million rights holders worldwide. Its verdict against Suno is due July 31 in Munich, and under German law a loss there could be enforced immediately, even while Suno appeals.

Warner Settled While Sony and Indie Artists Fight On

Not every rights holder is playing the same hand. The leak’s fallout spreads unevenly across a list of parties who each have something different at stake.

  • Universal Music Group and Sony Music Entertainment remain plaintiffs against Suno in Massachusetts after Warner dropped out, and they are pushing to add 61,026 recordings identified through Audible Magic’s audio fingerprinting technology.
  • Independent artists are pursuing their own track. Country artist Tony Justice leads a proposed class action, Justice v. Suno, filed in June 2025; Suno’s motion to dismiss was argued in March 2026 and remains undecided.
  • Suno’s own subscribers had emails, phone numbers and partial Stripe payment records exposed in the same breach, and the company chose not to notify them individually.
  • Udio, Suno’s chief rival, faces nearly identical stream-ripping allegations, and its DMCA circumvention claims already survived a motion to dismiss.
  • GEMA gets the first verdict of the three proceedings, arriving in Munich at the end of this month.

Money keeps flowing to Suno regardless. The company raised $400 million at a $5.4 billion valuation in June 2026, up from a $2.45 billion valuation roughly seven months earlier, according to reporting on the round. Investors are pricing the legal exposure as survivable even as the numbers in front of judges keep climbing.

Where Judges Disagree on What Fair Use Means

Suno’s entire defense rests on a legal question the courts have not answered consistently, even in cases that have nothing to do with music.

  • Judge William Alsup, in Bartz v. Anthropic: ruled that training an AI model on copyrighted books was “spectacularly” transformative and protected as fair use.
  • A separate federal judge, in Kadrey v. Meta: reached the opposite conclusion on similar facts, criticizing that reasoning for brushing aside the market harm AI training can cause.
  • The US Copyright Office: concluded in a report that fair use does not excuse unauthorized training on expressive works like music when the output can substitute for the original in the market.

Suno’s own chief executive has leaned on the human-comparison argument publicly. Suno co-founder and CEO Mikey Shulman wrote in a 2024 blog post that AI training resembles “a kid learning to write new rock songs by listening religiously to rock music.” The labels reject that framing outright, arguing a commercial model that generates competing tracks at scale is nothing like a single listener.

Suno Stayed Quiet on the Data Breach

The same intrusion that exposed the training code also reached Suno’s customer database. The hacker obtained emails, phone numbers and partial Stripe payment details for hundreds of thousands of accounts.

Suno did not tell those customers. A company spokesperson described the incident as a limited security incident that was quickly contained, and said the exposed material was mostly outdated source code no longer in use. The company added it saw no obligation to alert users individually because it never stores full credit card numbers in Stripe.

Some affected users say they only learned about the November 2025 breach through this week’s reporting. That gap between an internal determination made months ago and public disclosure now sits alongside the copyright questions as a second front of scrutiny for the company.

Is Suno-Generated Music Legally Safe to Use?

Legally, generating a song on Suno carries more risk for the platform than for a casual listener, but commercial users are not fully in the clear. Labels have already flagged specific outputs as problematic, and Suno’s own filters have been shown to miss obvious workarounds, so anyone publishing AI-generated tracks for profit is stepping into unsettled legal ground.

The labels’ complaint points to a concrete example: prompting Suno with a description referencing 1950s rock and roll and Bill Haley reportedly produced output the labels say directly rips off Haley’s style and melody. Separate testing has also found that simple tricks, such as slowing a track down before uploading it as a reference, can slip past Suno’s copyright filters entirely.

None of that is settled by a court yet. It does mean the safest use of the platform today is for material nobody intends to defend in front of a judge.

Google has taken a different approach to the same underlying tension, tying AI training rights to Showcase fees in a pilot that pays publishers specifically for training access rather than leaving the question to litigation. That is the model labels say Suno should have followed from the start.

Munich rules first, on July 31. Whatever the Regional Court decides, the Massachusetts case that actually tests American fair use law will not reach a decision until 2027 at the earliest.

As the founder of Thunder Tiger Europe Media, Dr. Elias Thornwood brings over 25 years of experience in international journalism, having reported from conflict zones in the Middle East, Asia, and Africa for outlets like BBC World and Reuters. With a PhD in International Relations from Oxford University, his expertise lies in geopolitical analysis and global diplomacy. Elias has authored two bestselling books on European foreign policy and received the Pulitzer Prize for International Reporting in 2015, establishing his authoritativeness in the field. Committed to trustworthiness, he enforces rigorous fact-checking protocols at Thunder Tiger, ensuring unbiased, evidence-based coverage of worldwide news to empower informed global audiences.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending