共有:

AI Music × Copyright

Suno's leaked source shakes
the "clean training" defense

Just weeks after Suno closed a $400M round at a $5.4B valuation, a July repository breach exposed code that suggests unauthorized ingestion of Deezer and Genius data. With RIAA-backed lawsuits still active, plaintiffs may be moving from theory to raw source code as evidence.

AI Navigate Editorial·2026.07.17·6 min read

DEEZER audio metadata GENIUS lyrics corpus un-auth API mobile bypass SCRAPER referenced in leaked code DMCA meta stripped TRAINING SET Suno model corpus SUNO $5.4B → evidence in litigation Alleged pathway from the leaked repository (unconfirmed; under review)
FIG. The unauthorized-scraping pathway implied by the leaked code, and how it now feeds into pending litigation.
01

The News

Written proof against
a "trade-secret, but compliant" defense

An entire internal repository leaked. Independent security researchers are now analyzing what it appears to reveal.

Following a breach, Suno's internal source repository has been exposed to public view, and multiple security researchers are analyzing its contents. Public disclosure suggests the codebase contains a module that hits Deezer's un-authenticated API endpoints, a scraper that pulls Genius lyric data via a mobile-endpoint bypass, and a pre-processing script that strips DMCA notice metadata from ingested audio files. These remain allegations from a leaked codebase — not court findings, and should be qualified as such.

The awkwardness is that this cuts directly against the defense Suno has maintained in the ongoing RIAA-backed suits (filed in 2024 by Sony Music, Universal Music Group, and Warner Music Group). Suno's public position had been that "the training-data pipeline is a trade secret, but every ingestion path is compliant." If authentic, the leaked source gives plaintiffs something they had not previously possessed: written contradiction of that stance, in the defendant's own repository.

02

By the Numbers

Four figures that frame the stakes

$5.4B
June valuation (disclosed)
$400M
round size (disclosed)
$150k
statutory damages ceiling per work
~10M
cumulative users (market observation)

Numbers draw from public disclosures and market observation. Note the third figure — $150,000 per work, the U.S. statutory damages ceiling. RIAA's complaint alleges unlicensed use of thousands of works; on the arithmetic, exposure runs to nine or ten figures. In U.S. Copyright Office records, AI-training suits at this scale of enumerated works are still an outlier.


03

Why It Matters

Why the timing is uniquely brutal

Right after a funding close, and right into active discovery — a worst-case overlap.

01

The valuation premise is now testable

Investors underwrote $5.4B on the premise that the training pipeline was proprietary and defensible. If the leak is authentic, the next round's due diligence will interrogate that premise directly. Investor-relations calls after this week will not sound like the ones before it.

02

Discovery gets raw material, not theories

Discovery in the label suits was already underway, and plaintiffs had been forced to argue Suno's ingestion methods by inference. The leaked source is evidence, not hypothesis — the kind that plaintiffs' counsel can attach directly to an emergency motion to compel. Settlement leverage can shift in a single filing.

03

Second music-AI bombshell in 12 months

Following the 2025 Udio disclosure, this is the second public evidence of alleged unlicensed music training in twelve months. Music is where the copyright-vs-training legal fight is most advanced globally, and every incremental disclosure gives Deezer, Genius, and comparable catalog holders standing to act. A music-specific carve-out may become AI training's first hard regulatory constraint.

04

Who's Affected

Who feels it, and how

Business (indie music production)

Distribution risk changes overnight. Streaming DSPs already ask for AI-provenance disclosure, and labels may refuse to distribute — or pull — tracks known to be Suno-generated. Anyone shipping commercial work should now have a backup plan: an alternate generator, or a live-performance recut, ready to swap in.

Product managers (Suno-API dependents)

Products embedding the Suno API for advertising, short-form video, or in-game audio need a vendor-risk re-review. A future ruling could force retraining or model replacement. Architecturally, keep a swap path to an alternative provider; contractually, reread termination clauses and SLA obligations before the next release window.

Marketers (AI-music campaigns)

For campaigns using AI-generated music, revisit agency-side indemnification clauses this week. "AI content infringement indemnity" only works if the upstream supplier (here, Suno) can absorb the loss. That assumption is worth reconfirming through your legal team while the picture is still forming.

05

The Counterpoint

Allegations, not findings — don't over-react

The leak strengthens suspicion; it does not adjudicate.

The authenticity of the leaked code has not been established. Fork, tampering, or outright fabrication cannot be ruled out; Suno's internal review will take weeks. Even if authentic, there is no guarantee the code was ever wired into the production training pipeline — it may be a stale experimental module, and tying it to the current Suno v4 lineage requires separate proof. More fundamentally, the underlying legal question — is training on copyrighted material fair use? — remains unresolved, and several parallel AI cases have produced partial rulings in defendants' favor. Suno may still prevail on the merits. Terminating long-term contracts before the primary evidence is verified would be premature; wait for the first-party disclosures and internal counsel's read.


06

What to Do Next

The concrete next moves

Short term (0–3 months)Medium term (3–12 months)
Audit current Suno contracts and indemnification clauses; track IR statements, the RIAA press response, and any settlement talks daily.Use the next funding round's outcome — whether the $5.4B valuation holds — as the decision point on vendor-switch.
Update provenance labels on shipped tracks to "AI-generated; source under review." Notify distribution partners in advance.Design a hybrid pipeline that pairs an alternative generator (or live recording) with the existing workflow, ready to switch.
For Japan-based teams, watch JASRAC's posture; re-read Copyright Act Article 30-4 for scope of the training carve-out.Prepare training-data provenance documentation ahead of the EU AI Act Article 53 (foundation-model transparency) enforcement timeline.

For Japanese practitioners, the Copyright Act's Article 30-4 provides a broader training carve-out than U.S. fair use — but the "unreasonable prejudice to the copyright holder" exception, plus the wall around commercial secondary use, remains real. How JASRAC positions itself now will set the governance baseline for every Japan-facing AI music service. The prudent list this week: contract audit, distribution-side disclosure, and primary-source verification.