A popular music news site is alleging that a secretive Bulgarian outfit has managed to game Spotify’s playlist system and receive $1 million from the company, without breaking the law.

The strange operation, which has not been identified as a collective or individual by Music Business Worldwide who broke the story, managed to swindle the streaming giant by uploading third-party playlists, creating an estimated 1,200 fake accounts to play the music non-stop, and cashed out to the tune of seven-figures through Spotify’s payouts system.

Dubbed “click fraud” by MWB,  the shadowy Bulgarian group apparently uploaded a playlist of 500 30-second songs (the minimum amount of time for Spotify to register a song as “played”) and allowed the 1,200 fake accounts to stream the music 24/7 for a month. While it is possible that some of the 1,200 paid listeners were real, Music Business Worldwide believes that the swindlers were more likely eating the $120,000 subscriber cost for the $1million in dividends it would pay out. Since the Bulgarian outfit uploaded original music, used it’s own paid accounts to stream the tunes and never outright deceived the streaming giant, it appears the group acted lawfully although lawyers for Spotify are taking a closer look at the case,

With an average payout of $0.004 per play and the nearly 500 songs playing without pause for a month, the scammers hit 72 million plays resulting in $288,000 in revenue per month, or if they used a bot to “skip” songs after the mandated 30 seconds that would be $415,000 in revenue for the month. Those numbers are for a single playlist and it has been estimated that the scam ran for about four months.

The two identified playlists were blandly titled “Soulful Music” and “Music From The Heart.” “Music From The Heart” reached No.84 on Spotify’s global list, and No.22 on its US-only rankings, according to Music Business Worldwide. “Soulful Music” hit No.35 on Spotify’s confidential global chart and No.11 in the US, both positions were higher than any major-label owned playlist.

“All the while, it looks pretty plain that somebody was using purchased library music to extract hundreds of thousands, perhaps millions, of dollars, out of a royalty pool that would have otherwise gone to them and their artists,” a source told MBW. “You can’t completely blame Spotify for this, because every one of these accounts was presumably attached to verifiable income.”

In September, a major label executive grew suspicious of the playlist when Spotify released its regular revenue roundups to the industry. The executive alerted Spotify who then deleted most of the playlist’s tracks.

The streaming giant did not confirm the swindle but responded to MBW with the following statement “We take the artificial manipulation of streaming activity on our service extremely seriously. Spotify has multiple detection measures in place monitoring consumption on the service to detect, investigate and deal with such activity. We are continuing to invest heavily in refining those processes and improving methods of detection and removal, and reducing the impact of this unacceptable activity on legitimate creators, rights holders and our users.”

The Bulgarian operation is certainly not the only scam being run on the platform, but is most notable due to its scale. Without investigating each of the 30 million tracks on Spotify, it seems unlikely the streamer will be able to rid the entire catalog of these types of scams that currently do not appear to break any laws.