The ultimate source for The New York Times’ story about Zohran Mamdani’s college application is an open secret. It’s an anime-loving neo-Nazi whose hobbies include furry drawings, posting fan art of a video game character, and hacking universities. On X, the alleged hacker is followed by New York Times freelancer Benjamin Ryan, who was the first byline on the Mamdani story.

The alleged hacker uses an online handle that is a racial slur, so I will be referring to them as the Anime Nazi; they have taken credit for five hacks of universities. Three of them, as first reported by Bloomberg, targeted the University of Minnesota, New York University, and Columbia University.  

Social media reviewed by The Verge — including X and fediverse accounts — shows a series of reposts of statements and images such as swastikas, “miss u hitler,” and “minorities have no place in our world.” The Anime Nazi themselves posted such things as “I am racist,” “I am violently racist toward black people,” and a picture of a unicorn sitting on a swastika.

On a post from November 5th, 2024, when then-presidential candidate Kamala Harris’ X account was encouraging people to vote, the alleged hacker’s account replied, “You will be executed.” The next post after that was “kill them all please, mr president.” When another X account asked the Anime Nazi if they were concerned about law enforcement, they replied with a quote of a post from President Donald Trump: “He who saves his Country does not violate any Law.”

The Anime Nazi appears to have been specifically targeting universities, often for admissions data. They claim to have stolen data from millions of people. The data include Social Security numbers, addresses, family members’ information, and citizenship status. Perhaps significantly, that information also includes self-reported race — meaning that someone who is, in their own words, “violently racist toward black people” has lists of people who identify as Black. 

The alleged hacker, in response to a request for comment, wrote that this story wouldn’t achieve anything but making The Verge look ridiculous and “giving funny publicity to me.” Most journalists, they claimed, “are smart enough to figure that out before publishing, so end up removing my name and any direct references to me.” They added, in a separate email, “My comment: her name is [slur].”

In what little reporting exists about the actual Columbia breach (and not what stolen data reveal about a mayoral candidate when he was 17 years old), the hacker has been said to be “politically motivated.” Bloomberg, which spoke to the hacker, reported that they are acquiring information about whether universities persisted in affirmative action admissions after the Supreme Court effectively banned the practice in 2023. Insofar as open racism can be said to be a political motivation, the hacker is indeed politically motivated. But it also has the effect of soft-pedaling the reason for repeated attacks on institutions of higher learning. The Anime Nazi is an activist like a Klansman is an activist.

This is important because journalistic best practices around the use of hacked materials is to contextualize the hacker’s motivation, if the materials are used at all. While it appears to be true that the hacker opposes affirmative action, it may be more relevant — particularly when the news article in question attacks a left-wing politician of color — that the hacker’s pseudonym is literally a racist slur.

The hacker says they redact SSNs and other personally identifying data before releasing information from the intrusions. In the case of the Minnesota hack, they claim, “I only posted (redacted) bare minimum to prove they’re breaking the law.” One of their admirers has claimed they are “the nicest possible hacker.” The redactions in the New York University data were imperfect, however, says Zack Ganot, the CEO of DataBreach.com. “He says he’s not trying to leak personal information,” Ganot says. “He did a lousy job.” Emails, names, and home addresses, among other personal identifying information, are available in the data from the NYU leak.

Ganot notes that the data is valuable; to his knowledge, the hacker hasn’t yet sold it. This isn’t necessarily surprising — that’s not the kind of damage they’re trying to do — but it also doesn’t mean the data is safe.

This alleged hacker’s racial animus aligns with the recent Republican war on higher education. It also aligns with a turn from certain Silicon Valley circles against elite universities. Universities aren’t just politically endangered — they are, in the hacker’s own words, “soft targets.” 

“Universities have basically the most vulnerable networks that exist in my experience,” the Anime Nazi wrote. “Massive networks with huge surface area and a lot of legacy systems.” They also generally spend less on security than private companies. Unless the hacker is caught or America’s universities seriously upgrade their security quickly, the Anime Nazi could very well strike again. 

So who are they?

By far the majority of the Anime Nazi’s posts are of Sachiko Koshimizu, a character from a video game called The Idolmaster Cinderella Girls. This character also appeared on the front page of 4chan — which adopted the nickname slur years ago — starting as early as 2017. The posts are largely fan art and highly repetitive, almost compulsive or bot-like; the same images are posted repeatedly. The Anime Nazi also likes to respond to other people’s posts of Sachiko, saying, “her name is [slur].”

In older posts, they say they submitted bug reports to various entities under their slur pseudonym, including the University of York and the BBC, in the hopes of having it permanently included on the website. Sometimes their followers will co-opt a phrase used by activists to raise awareness for Black women who are victims of police violence: “Say her name.” They do not mean Sachiko.

The Anime Nazi’s posts tend to appear during waking hours in Japan and Australia, according to an analysis by The Verge — though terminally online posters can (and often do) keep odd hours. When The Verge reached out for comment at 10PM in Japan, the Anime Nazi responded almost immediately, and continued to respond promptly after 1AM JST. However, the timestamps in their emails appeared to indicate that their computer is set to Greenwich Mean Time (the same time zone as London). 

One of the places they post is on a notoriously racist Mastodon instance called Poast, which gives us a few further clues — because the instance, where they allegedly served as a moderator for the “overnight” shift, was apparently hacked in 2023 and had its users’ direct messages seemingly leaked. 

The Anime Nazi’s current X account isn’t their first — an early post on their current account has a Twitter-era reply asking what happened to the other one. The Anime Nazi says they will DM on Mastodon. According to the allegedly leaked Poast DMs, the original account was deactivated by Twitter’s moderators — the hacker appealed and lost. There is one interaction left over from the previous account, in which a furry called Argyle Achilles thanks the Anime Nazi for fan art of his character. Argyle Achilles is somewhat infamous in the furry community for a video he made titled “Why We Need Racism.” The Poast leak also appears to contain DMs in which users often request that the hacker make them art.

Most legal and government references in the hacker’s posts appear to be to the US government, such as the National Security Agency and the US Cyber Command. The user appears to use American English, preferring “-ize” and “color” to “-ise” and “colour.”

Though the Anime Nazi is brazen, they don’t leave obvious clues to their identity. The posts on their accounts fall roughly into four categories: bragging about their alleged hacks, posts of Sachiko fan art, vicious racism, and commentary on hacking and code.  “I do ‘computer security’ for a living,” the Anime Nazi wrote in an October 2023 post. In April, the Anime Nazi noted that just after the NYU hack, police found “one redirector I logged into something from” and “physically shut down the device. within a few hours.”

“That response time’s actually impressive,” they went on. “It’s not for lack of trying.”

The posts about hacking are the most substantive. At one point, the Anime Nazi celebrates being followed by Harold T. Martin, an NSA contractor who stole government secrets for 20 years, accumulating at least 50 terabytes of data that was mostly “highly classified and related to hacking,” according to The Washington Post. In another post, the Anime Nazi wrote, “I see aspiring hacker in your bio friend,” before offering to help that poster learn to code. In 2023, they replied to cybersecurity reporter Kim Zetter, taking issue with a Kaspersky analysis of a spy platform: “Kaspersky pushing a ‘similarities to NSA’ angle really hard for some reason, even though it’s obviously not.”

There are also a significant number of posts bragging about the Anime Nazi’s alleged hacks. “I’m on TV,” they posted at one point, linking a YouTube video about the University of Minnesota’s data breach. They have posted legal complaints filed against New York University by people whose data they allegedly stole. They have also reposted someone with the handle Crémieux calling them the “nicest possible hacker.” That seems arguable.

On both the Mastodon and X accounts, the hacker takes credit for the three known university hacks — and two that have been, until now, unreported by the media. One, at the University of Mississippi, had to have been placed by someone or something with administrative privileges, according to Palo Alto Networks’ writeup of the hack. When the computer was rebooted, it played “Dixie” through the computer speakers and displayed, the Anime Nazi claimed, a full-screen image of a Confederate flag. The hacker also posted what appears to be a screen recording of the exploit in action. The malware sample in question was flagged by Kaspersky in 2024. The University of Mississippi did not respond to multiple requests for comment.

The target of the alleged hack at Miami University of Ohio is less clear; the hacker posted a screenshot they claimed showed they were inside the university’s systems “a couple years ago.” Miami University did not respond to a request for comment.

Both the NYU and Minnesota hacks spawned lawsuits, though the Minnesota suit was dismissed without prejudice in 2023. According to the complaint, the University of Minnesota was hacked in 2021 and didn’t notice until the Anime Nazi posted about it in July 2023. This hacking took place before the Supreme Court ruling outlawed affirmative action — and the data from the hack consequently cannot demonstrate the University of Minnesota was violating the law, due to the linear nature of time. This does somewhat undermine any remaining claims to “hactivism.”

At NYU, the Anime Nazi hacked the university’s actual website over spring break. For about two hours, NYU’s homepage displayed links to stolen data, as well as charts that allegedly categorized test scores on the SAT and ACT by race. At least 10 class action lawsuits have been filed as a result. The US has expansive and notoriously punitive anti-hacking laws — and these hacks are big boy crimes. The FBI declined to comment on this story.

During the Columbia hack, Trump’s face appeared on some computer screens across campus. That’s notable, because Columbia has been in the crosshairs of the Trump administration, which has frozen $400 million of funding while accusing the university of failing to protect Jewish students during protests against the Israeli war in Gaza. The government has targeted Columbia student protesters; one was snatched by ICE and imprisoned in a detention facility, others have had their visas revoked. (Meanwhile, the university has suspended, expelled, and revoked degrees from student protesters). 

It’s not just Columbia; elite universities have been targeted by the right broadly. Harvard’s student data has been subpoenaed, and its accreditation threatened by the Trump administration; right-wing activists had previously forced the resignation of president Claudine Gay, who had been the first Black president of Harvard. University of Virginia president James E. Ryan was forced out in June, after a battle with the Trump administration over the university’s diversity, equity and inclusion initiatives. At Johns Hopkins University, Stephen Miller’s America First organization lodged a complaint claiming that making the medical school free for students whose families make less than $300,000 amounts to “mask[ing] racial preferences behind income thresholds.”

The Republican offensive against and “wokeness” and “DEI” (diversity, equity, and inclusion programs) is part of a general movement to undo the Civil Right Act. It’s an extension of the Republican campaign against affirmative action, admissions policies meant to improve representation among groups that had previously been discriminated against. The Johns Hopkins suit widens the scope beyond taking down efforts towards racial equality, but is ultimately a much more honest expression of what the anti-affirmative action movement is about: to retrench universities as the gated playgrounds of the rich. 

Trump advisor and billionaire Marc Andreessen sent messages to a group chat in May saying, “The combination of DEI and immigration is politically lethal,” according to The Washington Post. “When these two forms of discrimination combine, as they have for the last 60 years and on hyperdrive for the last decade, they systematically cut most of the children of the Trump voter base out of any realistic prospect of access to higher education and corporate America.”

Andreessen also said that “my people are furious and are not going to take it anymore” and that “universities were ground zero of the counterattack.” The universities, he claimed, are “BOTH actively discriminating against us AND primary origin points and propagation vectors” for diversity policies he says are discrimination.

College admissions officers frequently have institutional priorities beyond test scores and GPA, according to US News and World Report, which maintains a list of the most-prestigious universities in the US. That may include recruiting athletes, musicians, or artists who may not otherwise meet admission requirements; it may also include legacy admissions, or maintaining a mix of in-state and out-of-state students.

In university admissions, one group is consistently discriminated against: women. For more than 20 years, admissions officers have put “a thumb on the scale to get boys,” as The New York Times puts it. There, the institutional goal is to maintain a desirable gender balance. Discrimination in favor of men does not appear to be something that interests either Andreessen or the Anime Nazi.

The focus on elite universities obscures something else. Many schools have more relaxed admissions policies, and some admit every student who applies. This is to say nothing of community colleges and trade schools. If Americans want “access to higher education,” they’re not short of options — at least, if they have the money for it.

But elite universities are places where power concentrates, which may be why the right wing is so interested in who gets to attend. People who attend those schools often have the connections to take prestigious jobs, especially political office. Which makes the pivot from admissions data broadly to the admissions files of specific individuals — like Zohran Mamdani — a new, more dangerous turn from the hacker. How many other future politicians are in that data? And how disruptive might it be to leak, say, their admissions essays?

The New York Times, which published the story about Mamdani’s Columbia application, made no mention of the Anime Nazi in its report. The Mamdani data is credited to “Crémieux,” a publicly known pseudonym for Jordan Lasker, a prominent internet eugenicist. As noted above, Lasker, under this pseudonym, has called the Anime Nazi “the nicest possible hacker.” Lasker is among the Anime Nazi’s followers and has openly thanked the hacker for their work, saying of the NYU hack in March, “I hope you manage to do this to more universities.” Lasker wrote about the Columbia hack on June 24th and was, according to The New York Times, the intermediary by which the paper received Mamdani’s hacked Columbia application. Reporting from Mother Jones suggests Lasker may have a neo-Nazi history of his own.

Benjamin Ryan, the first byline on the Times’ story about Mamdani, follows the alleged hacker on X. Ryan is the only non-staffer on the story and also the only non-political reporter. He typically writes about science for the Times, and often about trans kids in his newsletter. Ryan is a subscriber of Lasker’s email newsletter, Cremieux Recueil, according to the “reads” section of the Substack app. It is not terribly difficult to figure out why Ryan is credited on the story — he is the reporter most likely to have gotten ahold of the application. Ryan did not respond to a request for comment.

It’s not unusual for journalists to use hacked materials, or those from less-than-savory sources. But best practices around hacked materials means being judicious about what to use, and giving the audience context about what the hack was meant to accomplish. It is difficult to believe The New York Times doesn’t know that — after all, a great deal of discussion around the ethics of using data from hacks sprang from the paper’s coverage of leaked emails from a hack of Hillary Clinton’s private server. In its story about Mamdani, The Times says the hack “appears to have been carried out in order to see if Columbia was still using race-conscious affirmative action in its admission policies after the Supreme Court effectively barred the practice in 2023,” but that’s it.

The Times account makes no reference to the Anime Nazi. It does not even identify Lasker by name, nor does it note that his pseudonym is a reference to a politician who excluded Muslims from French citizenship. (Mamdani is Muslim.) Mamdani is one of Trump’s new obsessions; the president has threatened to arrest the mayoral candidate, falsely suggested Mamdani is in the US illegally, and suggested that if Mamdani is elected, New York City’s federal funding might be at risk.

The alleged hacker took credit for the story. “This wasn’t some targeted thing based on ‘beef’ in the first place,” the Anime Nazi posted on July 7th. “It was basically an accident.” After noticing Mamdani’s application, the Anime Nazi told a chat about it “because it was funny and it all spiraled from there.”

The Anime Nazi also reposted someone saying, “I don’t really care what Mamdani put on his college admissions, the idea that a guy on Poast could prank Columbia and get The New York Times newsroom to start eating itself alive is hilarious to me.” 

The New York Times declined to comment on whether the paper knew there was a social media account taking credit for the hack, whether the ultimate source of the reporting was the Anime Nazi, the comments made by the Anime Nazi’s social media accounts, whether Ryan was the source of the scoop, or whether Ryan informed the paper of Lasker’s identity beyond the pseudonym. Instead, spokesperson Charlie Stadtlander provided a July 4 X thread from Patrick Healy, the assistant managing editor for standards and trust at the paper, and previous reporting from Lachlan Cartwright’s Breaker Media. An email address associated with Lasker did not return a request for comment.

The source of the leaked application was obvious to the Anime Nazi’s followers. Curtis Yarvin, personal friend of Vice President JD Vance and neo-monarchist, commented on a screenshot of a Chris Hayes post from Bluesky, saying, “He’s upset they’re not crediting [Anime Nazi].” Another person — a pseudonymous but influential account followed by Elon Musk, Yarvin, Lasker, and others — seemed to believe The New York Times knew about the Anime Nazi, posting, “It’s incredible opsec to have a hacker name so offensive that news media can’t even refer to you by your pseudonym and they have to go through your designated ‘intermediary’ instead.”

If all these crimes are indeed attributable to the Anime Nazi, the Columbia hack and Mamdani leak represent significant escalation. The Columbia hack happened as the school was under political pressure; the Mamdani leak occurred as Trump made him an administration adversary. The alleged hacker quotes Trump publicly as a way of exonerating themselves: “He who saves his Country does not violate any Law.” It is not difficult to imagine the alleged hacker aligning themselves even more closely with the Trump administration’s whims moving forward — either because they agree with Trump’s ideology or because they are hoping to stay out of jail.

It has certainly occurred to some of the Anime Nazi’s followers that a hack can be used to humiliate political enemies. Derek Park — a cofounder of Nextnet, Inc, an AI company for life science researchers — tagged the alleged hacker into a discussion about getting ahold of Supreme Court Justice’s Ketanji Brown Jackson’s LSAT score. Park did not respond to a request for comment.

Scrolling through the Anime Nazi accounts was taking a bath in cruelty, contempt, and hate. Notably missing from those posts was anything like joy or happiness. It was further confirmation, if anyone needed it, of the observations in “Who goes Nazi?”, an essay by Dorothy Thompson published in 1941. “Kind, good, happy, gentlemanly, secure people never go Nazi,” Thompson wrote. “Those who haven’t anything in them to tell them what they like and what they don’t—whether it is breeding, or happiness, or wisdom, or a code, however old-fashioned or however modern, go Nazi.” That’s as true of security professionals as it is of anyone else.

Additional reporting by Sarah Jeong.

Updated 12PM ET: Updated to more specifically identify Zack Ganot, who is the CEO of Databreach.com — which is wholly owned by Atlas Privacy.

Sure, everyone hates record labels — but the AI industry has figured out how to make them look like heroes. So that’s at least one very impressive accomplishment for AI.

AI is cutting a swath across a number of creative industries — with AI-generated book covers, the Chicago Sun-Times publishing an AI-generated list of books that don’t exist, and AI-generated stories at CNET under real authors’ bylines. The music industry is no exception. But while many of these fields are mired in questions about whether AI models are illegally trained on pirated data, the music industry is coming at the issue from a position of unusual strength: the benefits of years of case law backing copyright protections, a regimented licensing system, and a handful of powerful companies that control the industry. Record labels have chosen to fight several AI companies on copyright law, and they have a strong hand to play.

Historically, whatever the tech industry inflicts on the music industry will eventually happen to every other creative industry, too. If that’s true here, then all the AI companies that ganked copyrighted material are in a lot of trouble.

Can home prompting kill music careers?

There are some positive things AI music startups can accomplish — like reducing barriers for musicians to record themselves. Take the artist D4vd, who recorded his breakout hit “Romantic Homicide” in his sister’s closet using BandLab, an app for making music without a studio that includes some AI features. (D4vd began creating music to soundtrack his Fortnite YouTube montages without getting a copyright strike for using existing work.) The point of BandLab is giving more musicians around the world the opportunity to record music, send it into the world, and maybe get paid for their work, says Meng Ru Kuok, the CEO of the app’s parent company. AI tools can supercharge that, he says.

That use, however, isn’t exactly what big-time AI companies like Suno and Udio have in mind. Suno declined to comment for this story. Udio did not respond to a request for comment.

Suno and Udio are designed to let music consumers generate new songs with a few words. Users type in, say, “Prompt: bossa nova song using a wide range of percussion and a horn section about a cat, active, energetic, uptempo, chaotic” and get a song, wholesale, without even writing their own lyrics. The idea that most listeners will do this regularly seems unlikely — making music is more work than just listening to it, even with text prompts — as does the idea that AI will replace people’s favorite human artists. (Also, the music is pretty bad.)  

A lot of listening is passive consumption, like a person putting on a playlist while doing the dishes or studying, or a business piping background tunes to customers. That background music is up for grabs — not by consumers, but by spammers using these tools. They’re already generating consumer-facing slop and putting it on Spotify, effectively crowding out real artists.

That seems to be the major use case for these apps. Generating a two-minute song on Udio costs a minimum of eight credits; free users get around 400 credits monthly; for $10 a month, you’ll get 1200, the equivalent of, at most, 150 songs. Spotify Premium individual costs $12 a month and gets you just about everything ever recorded, plus audiobooks. Also, it takes many, many fewer clicks to listen to Spotify than it does to generate your own songs — so if you’re looking for something to listen to while you cook, Spotify is just easier.

But the math there changes if you’re looking for background music for your YouTube videos — or anything else that’s meant to be listened to publicly. That means AI music threatens people who support themselves by making incidental music for advertisements, or recording “perfect fit content” for Spotify, or other, less-glamorous work. Taylor Swift’s career isn’t endangered by AI music — but the real people who make the background music for Chill Beats to Study To, or the hold music you hear on the phone, are.

“I wouldn’t want to be [new-age musician] Steven Halpern and have my future career based on meditation music,” says David Hughes, who served as CTO for the Recording Industry Association of America (RIAA) for 15 years. He now works as a tech consultant for the music industry at Hughes Strategic. “AI flooded the market with it. There’s no business making it anymore.”

As in other creative industries, AI music tools are poised to hollow out the workaday middle of the market. Even new engineering tools have their downsides. Jimmy Iovine, who eventually founded Interscope Records and Beats Electronics, started his career as an audio engineer before making his name by producing Patti Smith’s Easter. This is kind of like starting in the mail room and becoming the CEO; if more of the engineering work is done by AI, that removes career paths. The next Jimmy Iovine might not get his start, Hughes says. “How does anyone apprentice?”

And it’s (possibly) illegal

About a year ago, the major labels brought suit against Suno and Udio. The fight is about training data; the labels say the companies stole copyrighted work and violated copyright law by using it to build their models. Suno has effectively admitted it trained its AI song generator on copyrighted work in documents filed in court; so has Udio. They’re saying it was fair use, a legal framework under which copyrighted work can be used to create new work. 

Virtually every creative industry is in some kind of similar fight with AI companies. A group of authors is suing Meta, Microsoft, and Bloomberg for allegedly training on their books. The New York Times is suing Microsoft and OpenAI. Visual artists have sued Stable Diffusion and Midjourney; Getty Images is also suing Stable Diffusion; Disney and Universal are suing Midjourney. Even Reddit is suing Anthropic. Training data is at issue in all the suits.

So far, the legal takes on AI have been contradictory, and at times, baffling. There doesn’t seem to be a consistent through line, so it’s hard to know where the law will ultimately end up. Still, music has its own legal history that comes to bear — from unauthorized sampling. That may mean it’s entitled to stronger protections.

In Bridgeport Music v. Dimension Films, a case about NWA’s sample of Funkadelic’s “Get Off Your Ass and Jam,” the US Court of Appeals ruled that the uncompensated sampling was in violation of copyright law. In the decision, the court found that only the copyright owner could duplicate the work — so all sampling requires a license. Some other courts have rejected that ruling, but it remains influential. There’s also Grand Upright Music v. Warner Bros. Records, in which the US Southern District of New York ruled that Biz Markie’s sample of Gilbert O’Sullivan’s “Alone Again (Naturally)” was copyright infringement. The written opinion in the case begins, “Thou shalt not steal.”

“Some of the sampling cases have suggested that sound recordings might be entitled to stronger protections than other copyrighted works,” says James Grimmelmann, a professor at Cornell Law School. Those protections may extend beyond sampling to generative AI, especially if the AI outputs too closely resemble copyrighted work. “From that perspective, music becomes kind of untouchable. You just can’t do this kind of work on it.” 

Music is also complicated — since performances are bound up in rights of publicity. In the case of the fake Drake track, the soundalike may violate Drake’s right to publicity. Artists such as Tom Waits and Bette Midler have won suits against more mundane human soundalikes. Proving that someone meant to violate Drake’s right to publicity might be even more straightforward if the lawsuit contains the prompt.

As in other AI fair use cases, one of the key questions is whether a derivative work, such as “BBL Drizzy,” is intended to replace or disrupt a market for an original one. In 2023, the Supreme Court ruled that Lynn Goldsmith’s copyright had been infringed on by Andy Warhol when he screenprinted one of her photos of Prince. One of the key factors was that Vanity Fair had licensed Warhol’s work instead of Goldsmith’s — and she received no credit or payment.

In May, Register of Copyrights Shira Perlmutter released a pre-publication report that found that AI training in general was not necessarily fair use. In the report, one of the factors considered was whether an AI product supplanted the use of the original. “The use of pirated collections of copyrighted works to build a training library, or the distribution of such a library to the public, would harm the market for access to those works,” the report said. “And where training enables a model to output verbatim or substantially similar copies of the works trained on, and those copies are readily accessible by end users, they can substitute for sales of those works.”

This may be an easier case for music companies to make than, let’s say, ad writers. (What copywriter wants to admit they’re so uncreative they can be replaced by a machine, first of all?) Not only are there fewer of them, which allows them to easily negotiate as a bloc, it’s simple enough to point to the output of AI music singing Jason Derulo’s name, or mimicking “Great Balls of Fire.” That’s pretty clear-cut.

Another crucial factor — one that matters particularly to the music industry — was lost licensing opportunities. If copyrighted works are being licensed as AI training data, doing a free-for-all snatch and grab robs rights holders of their ability to participate in that market, the report notes. “The copying of expressive works from pirate sources in order to generate unrestricted content that competes in the marketplace, when licensing is reasonably available, is unlikely to qualify as fair use,” the report says.

Recently, Anthropic got a ruling in a copyright case that differs from this analysis. According to Judge William Alsup of the Northern District of California, using books for training data is fair play — with two big caveats. First, any inputs must be legally acquired, and second, the outputs must be non-infringing. Since Anthropic pirated millions of books, that still leaves the door open for massive damages, even if using the books to train isn’t wrong. 

When it comes to the Suno and Udio suits, the RIAA alleges illegal copying on the front end and infringing outputs on the back end, Grimmelman says. Suno and Udio can introduce evidence to rebut those allegations, but the ruling isn’t ideal to knock down the RIAA’s suit. It’s also not clear Suno can rebut those allegations. “Suno’s training data includes essentially all music files of reasonable quality that are accessible on the open Internet, abiding by paywalls, password protections, and the like,” its lawyers wrote in the filing arguing Suno’s training data was fair use. While Udio admits it may have used some copyrighted recordings, its response to the suit doesn’t mention how they were acquired; if Udio bought those songs, under the Anthropic case’s reasoning, it might be off the hook.

But that’s not the only pertinent ruling. The very next day, in a case where authors alleged Meta had infringed on their copyright by training on their books, Judge Vince Chhabria directly addressed Alsup’s ruling, saying it was based on an “inept analogy” and brushed aside “concerns about the harm it can inflict on the market for the works it gets trained on.” While Chhabria found in favor of Meta, he noted that it was because of bad lawyering on the part of the authors’ team.

Still, the finding is better for music companies on the input side, because it doesn’t draw a distinction around piracy, Grimmelman says. It is much, much worse for Suno and Udio on the output side. “Chhabria holds that ‘market dilution’ — creating lots of works that compete with the plaintiffs’ works — is a plausible theory of market harm,” he says in an email after the ruling. That’s also in line with the copyright office’s memo.

Suno and Udio have some other trouble; some generative AI companies have been licensing artists’ works. By offering nothing for works that other companies have licensed, they are messing up the market. “The fact that there are existing licensing deals for music training is relevant, if that market is better-developed than the market for licensing books,” Grimmelman says. Chhabria’s opinion points out that it’s quite difficult to license books for training, because the rights are so fragmented. “Either finding that there is a market that copyright owners should be able to exploit, or finding that there isn’t one, is circular, in that the court’s holding tends to reinforce its findings about the market.”

That effectively stacks the deck against Suno and Udio, and any other music companies that didn’t license their AI training data. Music licenses for AI training cost between $1 and $4 per track. High-quality datasets can cost from $1 to $5 per minute for non-exclusive licenses, and from $5 to $20 per minute for exclusive licenses. Transcription and emotion labeling, among other factors, garner higher prices.

And unlike in other industries, music already has an IP copyright and collection system, notes Kuok, of the BandLab recording app. The app has its own AI tool called SongStarter, which lets people who are making music begin with an AI-generated track. Kuok favors licensing music for AI training, and making sure musicians get paid.

“We live in a world where everything is licensed,” Kuok says. “The solution is an evolution of what existed before.” How to collect, who collects, and how much gets collected strikes Kuok as being open questions, but licensing itself is not. “We work in an all-rights-reserved world where we believe copyright is an important institution.”

To address that, BandLab has options for its licensing program. Artists can say they are open to AI licensing, which means they’ll be contacted if a company wants to license their work. If they agree, their work is then bundled with an assortment of other artists’ approved works for the licensing deal, which BandLab negotiates on their behalf. Kuok says Bandlab is discussing training deals now, though he declined to give specifics about the financial components of those deals, or who he was in talks with, 

Kuok did say there were some other things he considers in negotiations. “It’s important what the use is for,” he says. “That has to be specified. These are fixed-term contracts, fairly large deals, worth six figures over a multiyear period.” He recommends maintaining as much control as possible over copyrighted work to avoid diluting the value of existing IP.

That may be why Suno and Udio are reportedly in talks with the majors to license music for training their models. Other AI companies do already. Ed Newton-Rex, formerly of Stability AI, told me all the music he’d worked with at Stability was licensed; he even quit his position as a vice president at Stability after the company decided training on copyrighted data was fair use. He’d been working on the systems since 2010, and licensing had been the norm until fairly recently, he told me. 

“Everyone knew it was the law,” he says. “Everyone knew it was required.”

But after ChatGPT came out, some music AI companies thought they might also just grab whatever existed and let the courts sort it out. “I don’t think it’s fair use,” he says. “Given that gen AI generally competes with what it’s trained on, it’s a bad thing to take creators’ works and outcompete them.” Newton-Rex has also demonstrated ways to get Suno in particular to output music that’s strikingly similar to copyrighted work. That, too, is a problem.

“I don’t think there’s an outcome where this winds up being all fair use,” says Grimmelman.

Correction, July 1st: This story originally identified the CEO of BandLab as Kuok Meng Ru. His name is Meng Ru Kuok.