Hacked Suno Source Code Reveals AI Music Startup Scraped YouTube
Hacked Suno Source Code Reveals AI Music Startup Scraped YouTube and Deezer, Bolstering Labels' Case

Hacked source code from AI music company Suno lists YouTube Music, Deezer and Genius among the platforms it scraped to build its artificial intelligence models, according to a report published Wednesday by 404 Media, adding new detail to allegations at the center of an ongoing copyright lawsuit brought by two of the world's largest record labels.

The code was obtained by a hacker who breached Suno's systems and shared the material with the publication. According to the report, the same hacker also accessed information on hundreds of thousands of Suno customers, including email addresses, phone numbers and Stripe payment details tied to their accounts.

The hacked material corroborates allegations made by Universal Music Group and Sony Music Entertainment, who are suing Suno for copyright infringement in a case coordinated by the Recording Industry Association of America. Suno has already acknowledged in a court filing that its training data was drawn from music available across the open internet, and the company has argued that training its AI models on copyrighted material qualifies as protected fair use under copyright law. In that filing, Suno described its training data as encompassing nearly all music files of reasonable quality accessible on the open internet, while claiming it respected paywalls and password protections in the process.

According to 404 Media, the hacked code names the specific sources Suno drew from and logs the volume of material collected from each. Internal comments in one file referenced pulling from platforms including Genius, YouTube Music, Freesound, Jamendo and Deezer, with a note indicating that non-music content would be filtered out of the resulting dataset. A file labeled "youtube_music" recorded that the system had ingested more than 2 million individual music clips.

The scale of material logged in the code was substantial. According to the report, Suno's datasets included more than 113,000 hours of audio logged under the YouTube Music label, plus an additional 152,000 hours logged separately as tagged YouTube Music content. The code also referenced more than 62,000 hours pulled from the stock media library Pond5, nearly 19,500 hours from the International Music Score Library Project, more than 17,600 hours from Genius, and over 12,000 hours from Deezer. In total, 404 Media reported the material amounted to at least several decades' worth of audio.

Other portions of the code reviewed by 404 Media showed Suno searching specifically for a cappella versions of songs on YouTube, an approach the publication said appeared designed to help isolate vocal tracks for training purposes. The code also indicated Suno used proxy infrastructure from a company called Bright Data to carry out the scraping of YouTube content, and separately used a service called PodcastIndex to compile roughly 420,000 podcasts, each with a minimum of five half-hour episodes, in an apparent effort to download close to a million hours of spoken-word audio. The publication said it remained unclear from the files exactly how Suno had gathered material from some of the other platforms named in the code.

The revelations add specificity to claims already at the heart of the record industry's lawsuit. In an amended complaint filed in September 2025, the RIAA accused Suno of stream-ripping recordings directly from YouTube and circumventing the platform's rolling cipher encryption, a technical safeguard designed to prevent unauthorized downloading of streamed content. According to 404 Media, the hacked data appears to confirm that specific allegation. The labels have argued that circumventing YouTube's protective measures constitutes a separate violation of the anti-circumvention provisions of the Copyright Act, distinct from Suno's fair-use defense, which applies specifically to the act of copying the material itself rather than to bypassing the platform's access controls.

The financial stakes in the case are considerable. The labels are seeking statutory damages of up to $150,000 per infringed work, in addition to penalties of up to $2,500 for each act of circumvention. In May, Universal Music Group and Sony asked the court to expand the scope of the case from 560 identified works to more than 61,000 works the labels say they identified within Suno's training data through audio fingerprinting technology, a change that would raise the theoretical maximum in statutory damages from roughly $84 million to more than $9 billion. The presiding judge has not yet ruled on that request.

In response to the report, a Suno spokesperson told 404 Media that the company's AI models had been trained on publicly available music files and related metadata accessible through third-party websites on the open internet. The spokesperson said Suno determined in November 2025 that it had experienced what it described as a limited security incident that was quickly contained, and that an internal investigation found the exposure primarily involved outdated source code no longer in active use at the company. The spokesperson added that no sensitive personal information had been compromised and that Suno does not have access to customers' full credit card numbers through its payment processor, Stripe. The company said it had determined that individual breach notifications were not required under applicable privacy laws, and that it had separately filed a training-data disclosure mandated under California law.

The hacker, who identified themselves to 404 Media using the name ellie.191, said they gained access by targeting a Suno employee with a supply-chain worm known as Shai-Hulud, which is designed to harvest credentials for GitHub and other cloud-service accounts. The hacker told the publication they had no specific motivation behind the breach, saying only that they enjoy hacking a wide range of targets.

The case against Suno has drawn in other parties beyond Universal and Sony. Jamendo, a Luxembourg-based music licensing platform named in the hacked code, filed its own copyright infringement claim against Suno on June 29 in the same Massachusetts court, alleging the company trained on a roughly 55,600-track dataset that was licensed only for non-commercial academic use, without securing a commercial license. Jamendo is seeking at least €17.8 million, or roughly $20 million, in damages. Warner Music Group, originally a co-plaintiff in the broader industry lawsuit, exited the case after reaching a settlement with Suno in November 2025 that included a licensing partnership and Suno's acquisition of the concert-discovery platform Songkick.

Suno, which raised more than $400 million in funding in June, has said it builds its AI models around a philosophy the company calls "Original Creation, By Design" and does not use artist names as a category of training metadata. A company spokesperson said Suno believes artists deserve both new opportunities and strong protections. The case remains ongoing as the court weighs the labels' request to significantly expand the scope of works at issue in the lawsuit.