Skip to main content
TechnologyJul 16, 2026· 3 min read

Suno, a hacker reveals the code: this is how he plundered YouTube, Deezer, and Genius

In recent hours, a hacker has disclosed the source code stolen from Suno, one of the most popular AI music generation platforms online, and this material shows in detail where the company sourced its data to train its models. The reconstruction comes from 404 Media, which received the data directly from those who conducted the attack. Until today, Suno had avoided revealing the composition of its training archives, and the leaked code is, in fact, the first concrete clue about the material used for training audio models.

Scoop: The AI music generator Suno was hacked. Hacker shared source code that shows how the tool was made and part of the music and podcasts that were scraped to create it. Decades worth of music, lyrics, and podcasts from YouTube, Deezer, Genius & more 404media.co/hack-reveals...

![image or embed] — Jason Koebler (@jasonkoebler.bsky.social) 15 July 2026, 16:02

The sources of the scraping, listed in the comments of the code, include YouTube Music, Deezer, and Genius, along with stock music libraries Pond5, Jamendo, Freesound, and the IMSLP sheet music archive. There is also spoken content: through RSS feeds, Suno apparently scraped podcasts as well. The source code, traceable to 2023 and 2024, contains instructions for retrieving audio and some numbers regarding the scale of the operation.

A file dedicated to YouTube Music records 2,013,545 clips already acquired by the latest update. Another lists the hours collected for each archive: 113,879 hours from YouTube Music, over 152,000 hours in a parallel collection of labeled tracks, 62,117 from Pond5, 17,615 from Genius, 19,514 from IMSLP, and 12,287 from Deezer, with smaller figures for Jamendo, Freesound, and the lyrics from MuseScore. In total, we are talking about decades of recorded music.

A cappella vocals and proxies to bypass YouTube

Part of the code specifically searched for the a cappella versions of tracks on YouTube, likely to isolate the clean vocals for input into the model. To bypass the anti-scraping defenses of the platform, Suno reportedly relied on Bright Data, a company that sells infrastructure and data collection services through proxies. There is also the podcast chapter: utilizing the PodcastIndex tool, the code identified 420,000 podcasts with at least five half-hour episodes, aiming to download about a million hours.

Suno has come under scrutiny from several legal actions by the record industry, and in court, it has already admitted to having trained on "substantially all reasonably accessible music files on the open network," totaling "tens of millions of recordings," defending the practice as fair use. However, the RIAA argues that the company deliberately circumvented YouTube's protections through stream ripping, which its lawyers qualify as a violation of the DMCA as well as the platform's terms of service. Until now, the accusations rested on Suno's admissions; the code reveals the mechanism behind those admissions.

The breach and customers never notified

The attacker, who signs as "ellie.191", claims to have accessed by targeting an employee with the worm Shai-Hulud, a supply chain attack that allows for the collection of GitHub and cloud service credentials. From there, it would have also reached the customer list: hundreds of thousands of email addresses and phone numbers, along with payment information on Stripe. Some users contacted by 404 Media confirmed their subscription to the service and that they had never received any notification regarding the breach. When asked about their motivations, the author replied that they do not have a specific reason: "I like to hack anything."

Suno confirmed the incident, downplaying it. It refers to a "limited and quickly contained security incident" from November 2025, primarily concerning "obsolete source code no longer in use," with no compromise of sensitive personal data; it specifies that it does not have access to full credit card numbers on Stripe and believed, considering the limited nature of the data involved, that individual notifications to users were not required under applicable privacy regulations. On the legal front, positions remain divided: some labels have already reached a licensing agreement with the platform, while others are still pursuing legal litigation.