Fake DistroKid / TuneCore / CD Baby music distribution subscription expired or distribution fee unpaid with music removed from Spotify, Apple Music, and all streaming platforms and royalty payments stopped phishing

Phishing emails impersonating DistroKid, TuneCore, or CD Baby claiming the music distribution subscription has expired, the annual distribution fee payment has failed, music has been removed from all streaming platforms, or streaming royalty collection has been stopped — directing victims to renew or pay through a credential-harvesting portal. A high-impact attack category targeting independent musicians who depend on streaming royalties as income. Key facts: (1) DistroKid serves 2M+ independent artists with Musician ($22.99/year) and Musician Plus ($39.99/year) plans that distribute music to 150+ streaming platforms including Spotify, Apple Music, Amazon Music, YouTube Music, TikTok, and Tidal — a 'DistroKid subscription expired, your music has been removed from all streaming platforms' email is the most devastating possible message for a working musician because it implies complete loss of streaming presence and all royalty income simultaneously; (2) The distribution renewal model is the exact attack surface: DistroKid, TuneCore, and CD Baby all use annual fees (DistroKid: per-artist annual, TuneCore: per-release annual, CD Baby: one-time + annual streaming fee) and send legitimate renewal reminder emails — attackers copy this notification format exactly because musicians have already seen real renewal emails; (3) TuneCore serves 1M+ artists with per-release annual fees ($9.99/single, $29.99/album per year) and genuinely removes music from stores when annual fees lapse — the 'tracks removed from digital stores, royalty payments stopped' hook directly mimics TuneCore's real takedown behavior; (4) CD Baby is the oldest digital distributor (founded 1998, 200,000+ artists) with a different model (one-time fee + 9% royalty split or Pro flat-rate) — a 'CD Baby distribution fee overdue' phishing email targets artists who may have older accounts and less frequent contact with billing; (5) The target population is highly vulnerable: independent musicians often operate as sole proprietors with a single payment card, use personal Gmail accounts for all business, and are emotionally invested in their music catalog — a threat to streaming presence creates immediate panic that overrides careful sender-domain inspection; (6) Credential impact extends beyond the distribution platform: DistroKid uses a standard email/password login that is frequently reused across music industry platforms including SubmitHub, Groover, SoundCloud, Bandcamp, and music blog contact forms — a DistroKid credential compromise typically exposes multiple music platform accounts. Warning signs: sender not distrokid.com, tunecore.com, or cdbaby.com; genuine DistroKid billing at distrokid.com; TuneCore at tunecore.com/account; CD Baby at members.cdbaby.com.