404 Media

2025-09-29 13:00:05

How Ruby Went Off the Rails

For the past couple of weeks, a community of developers who use the programming language Ruby have been closely following a dramatic change in ownership of some of the most essential tools in its ecosystem with far reaching impacts for the worldwide web.

If you’re not familiar with Ruby or the open source development community, you probably haven’t heard about any of this, but the tools in question serve as critical infrastructure for gigantic internet services like GitHub, Shopify, and others, so any disruption to them would be catastrophic to those companies, their users, and vast swaths of the internet.

On September 19, Ruby Central, a nonprofit organization that manages RubyGems.org, a platform for sharing Ruby code and libraries, asserted control over several GitHub repositories for Ruby Gems as well as other critical Ruby open source projects that the rest of the Ruby development community relies on. A group of open source developers who had contributed to those projects and maintained them for years had their permissions suddenly revoked. When these developers announced on social media that their access was taken away, many Ruby developers saw the decision as a betrayal of their years-long contributions to the Ruby ecosystem and open source principles more generally. Others accused Ruby Central of succumbing to corporate pressure from companies like Shopify, which they claimed wanted more control over the project.

In some ways, this whole affair is an example of why this stuff gets really messy when people start getting paid

I’ve spent the last week talking to people who had direct involvement with Ruby Central’s decision, the contributors who were ousted, and developers in the Ruby community. I’ve heard accusations of greed, toxic personalities, and stories about years-long feuds between people, at times in open disagreement, who ultimately govern some of these important open source tools.

RubyGems.org and other critical Ruby tools have so far not been interrupted during this transition, but the incident sheds light on a basic truth about the internet and open source development: Much of the technology we use every day and take for granted is being maintained by a small number of developers who are not compensated for that work or get paid very little when compared to salaries at big tech companies. Open source development continues to make much of the internet possible, but as some of these tools become more important and financially valuable, they’re subject to more scrutiny and pressure from the community, organizations, and companies that rely on them.

“In some ways, this whole affair is an example of why this stuff gets really messy when people start getting paid, and once you start introducing formal organizations and employees and nonprofits and lawyers and all this kind of complexity,” Mike McQuaid, developer of the popular package manager Homebrew, which is built with Ruby, told me. McQuaid has talked to and offered to mediate between Ruby Central and the ousted maintainers. “This is a textbook case of what happens when there's this conflict between what companies want, what nonprofit individuals want, how much responsibility people have when they take money, who gets control and when. How much democracy versus just ‘I have the power to do something, therefore I'm going to do it.’”

With Ruby developers can download and use self-contained packages of code that add different functionalities to a Ruby project. These packages are called gems, and are distributed primarily via RubyGems.org, where developers can upload gems they’ve developed or download gems from other developers.

The ability to download gems and plug them into different projects is very useful and convenient for Ruby developers, but can create complications. Different gems are developed by different teams and are updated at different times with bug fixes and new features, and might not necessarily be compatible or play well with one another as they evolve.

This is where Bundler comes in. As its website explains, “Bundler provides a consistent environment for Ruby projects by tracking and installing the exact gems and versions that are needed.” So, for example, if a developer is building a Ruby project and wants to use gems X, Y, and Z, Bundler will pull the versions of those gems that are compatible with one another, providing developers an easy solution for what Bundler describes as “dependency hell.”

Bundler is an open source project that was initially developed by Yehuda Katz, but the GitHub repository for the project was created and was administrated by André Arko. In 2015, Arko also founded a nonprofit trade organization named Ruby Together, which raised funds from developers and companies that use Ruby in order to maintain Bundler and other open source tools.

I will not mince words here: This was a hostile takeover

RubyGems.org, the site and service, is governed by Ruby Central, a nonprofit founded in 2001, which also organizes several Ruby conferences like RubyConf and RailsConf. In 2022, Arko’s Ruby Together and Ruby Central merged, “uniting the Ruby community’s leading events and infrastructure under one roof,” according to Ruby Central’s site. Bundler’s and RubyGems.org’s work often overlapped both in their goals and the developers who worked on them, but operated across two different GitHub organizations, each with its own repositories. To streamline development of these open source projects, Bundler also joined the Ruby Gems GitHub organization in 2022.

In 2023, Ruby Central established the Open Source Software Committee, which according to its site oversees RubyGems, Bundler, and RubyGems.org, focusing on infrastructure stability, security, and sustainability.

A confusing and central point of disagreement between Ruby Central and the maintainers it ousted on September 19 is rooted in the merging of Ruby Together and Ruby Central and the difference between Rubygems.org the service, essentially an implementation of the Ruby Gems codebase on an AWS instance, which both parties agree Ruby Central owns and operates, and the Ruby Gems the codebase that lives in the same GitHub organization as Bundler.

According to a recording of a mid-September Zoom meeting which I obtained between Marty Haught, Ruby Central’s Director of Open Source, Arko, and the other ousted contributors, Ruby Central maintains that the codebase and GitHub organization became its responsibility when Ruby Central merged with Ruby Together in 2022. The ousted contributors’ position is that members of Ruby Central, like Haught, can be owners of the GitHub organization, but that ownership of the RubyGems codebase and other projects in the GitHub organization belong to the contributors, who don’t have a detailed governance model but historically have governed by consensus.

Arko made this argument to me in a recent interview, but also outlined that argument in a blog post, where he also shared the merger agreement between Ruby Central and Ruby Together. It shows that Ruby Together would dissolve and that Ruby Central would be in charge of raising and allocating funds for development, but does not explicitly say Ruby Central takes ownership of the RubyGems and Bundler projects or the GitHub organization.

To make matters even more complicated, Arko was at once a contributor to these open source projects, a contributor to RubyGems.org the service, an owner of the GitHub organization, and an advisor to Ruby Central’s Open Source Software Committee.

In May, Arko resigned his position as an advisor to Ruby Central’s Open Source Software Committee, but continued his work as a contributor. Arko told me he resigned his advisory role because of Ruby Central’s last minute invitation of David Heinemeier Hansson, better known online as DHH, as a keynote speaker at RailsConf.

Arko told me he objected to that decision because of DHH’s “horrifying, racist, misogynist, politics” and DHH’s “personal vendetta” against him. In 2021, back at Motherboard, we reported that many employees at DHH’s company, Basecamp, quit after his decision to ban any discussion of politics at work, which many employees saw as squashing discussion about race, bias, and diversity. Arko told me that DHH’s “personal vendetta” against him stemmed from Arko not wanting to support a certain feature DHH wanted added to Bundler, after which DHH demanded Arko be removed from the Ruby Together board.

The current controversy erupted on social media on September 19, when one contributor to the open source projects in the RubyGems and Bundler GitHub organization, Ellen Dash, announced that Haught, Ruby Central’s Director of Open Source, revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams. At that moment, their permissions and access to the GitHub organization were revoked, meaning they could no longer make any changes or contributions to the code, and Haught, representing Ruby Central, took control.

“I will not mince words here: This was a hostile takeover,” Dash said in a public “goodbye” letter they shared online. “I consider Ruby Central’s behavior a threat to the Ruby community as a whole. The forceful removal of those who maintained RubyGems and Bundler for over a decade is inherently a hostile action. Ruby Central crossed a line by doing this.”

The news was seen by many developers in the Ruby and open source community as betraying the dedication and labor that Dash, Arko, and other maintainers put into these tools for years.

Ruby Central, meanwhile, describes the move as one centered around security.

“With the recent increase of software supply chain attacks, we are taking proactive steps to safeguard the Ruby gem ecosystem end-to-end,” Ruby Central said in an explanation of its decision. “To strengthen supply chain security, we are taking important steps to ensure that administrative access to the RubyGems.org, RubyGems, and Bundler is securely managed. This includes both our production systems and GitHub repositories. In the near term we will temporarily hold administrative access to these projects while we finalize new policies that limit commit and organization access rights. This decision was made and approved by the Ruby Central Board as part of our fiduciary responsibility. In the interim, we have a strong on-call rotation in place to ensure continuity and reliability while we advance this work. These changes are designed to protect critical infrastructure that power the Ruby ecosystem, whether you are a developer downloading gems to your local machine [or] a small or large team who rely on the safety and availability of these tools.”

404 Media has covered the kind of recent supply chain attacks targeting open source projects that Ruby Central is referring to. Earlier this month, a critical JavaScript development tool Node Package Manager (NPM), was targeted by a similar supply chain attack. But not everyone in the Ruby development community bought the explanation that security was at the heart of the recent moves. One reason for that is a public statement from a Ruby Central board member and treasurer Freedom Dumlao.

On Substack, Dumlao apologized for the sudden change and how it was communicated.

“If Ruby Central made a critical mistake, it's here,” he wrote. “Could these conversations have been happening in public? Could the concerns we were hearing from companies, users and sponsors have been made more apparent? Probably. But I remind you we don't have a ‘communications team’, no real PR mechanism, we are all just engineers who (like many of you I'm sure) go heads down on a problem until it's solved.”

Dumlao reiterated that RubyGems and Bundler are critical infrastructure that are now increasingly under the threat of supply chain attacks, and said that the companies that rely on them “count” on Ruby Central do everything it can to keep them and their users safe.

However, Dumlao also said that Ruby Central was under “deadline” to make this change.

“Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going,” Dumlao wrote.

In a September 22 video message in response to criticism about its decision to remove maintainers, Ruby Central’s executive director Shan Cureton described a similar dynamic. She said “sponsors and companies who depend on Ruby tooling came to us with supply chain concerns” and that “Our funding and sponsorships are directly tied to our ability to demonstrate strong operational standards. Without those standards in place, it becomes harder to secure the support needed to keep maintainers paid, organize events, and provide resources for developers at every stage of their journey.”

Since Shopify is one of the primary sponsors and funders of Ruby Central, this led some in the Ruby community to believe that Shopify was exerting pressure on Ruby Central to make this change.

“That is not how it happened, and I wish I had been more careful with my wording in that blog post,” Dumlao told me in a Linkedin message when I asked him if Ruby Central was under pressure from Shopify to make these changes.

I just don't think that there's any other plausible explanation than Shopify demanded this.

After I gave Dumlao my number so we could do a phone interview, I got an email from Cindi Sutera, who was recently brought on as a spokesperson for Ruby Central.

"Ruby Central’s mission is to keep the infrastructure that Rubyists rely on stable, safe, and trustworthy,” she told me. “As part of a routine review following organizational changes, we identified a small number of accounts whose privileges no longer matched current role requirements. The Board voted that it was imperative to align access with our privilege policy to keep the infrastructure that the Ruby community depends on stable. This is our mission.”

Sutera said that the board approved “a temporary administrative hold on certain elevated permissions” while it finalized operator agreements and governance roles.

“To move quickly and transparently, we imposed a clear deadline to complete operator agreements and close gaps,” she said. “We could have communicated earlier that we felt it necessary to move quickly and wish we could have given the community more time to prepare for this action. And now, here we are committed to completing this transition for the stability and security of the Ruby Gems supply chain. More updates are coming as we work through security protocols and stabilization efforts.”

“There’s literally only one company providing the money that is keeping Ruby Central open, and it is Shopify,” Arko told me. “And so I just don't think that there's any other plausible explanation than Shopify demanded this.”

When I asked Arko why he thought Ruby Central removed him, if it wasn’t for security reasons, Arko said: “totally unprovable speculation is Shopify’s CEO is best friends with DHH, who hates me.” DHH is also a Shopify board member.

“Thanks for the invitation, but not my place to weigh in a lot on this while they're working through these changes,” DHH told me in an email when reached for comment. “But I support them taking steps to secure and professionalize the supply chain work they're doing.”

Shopify did not reply to a request for comment.

As this episode spread on social media, I talked to several people associated with Ruby Central who told me the board was acting in the interest of the RubyGems and the Ruby community. Two sources who asked for anonymity for fear of retaliation said that Arko was difficult to work with, questioned how he used funds raised by Ruby Together, and claimed that a new Ruby version manager he’s working on, rv, means he has a conflict of interest with his work on RubyGems and Bundler.

Arko acknowledged to me he heard he’s been difficult to work with in the past. He said that sometimes he’s been able to reach out to people directly and resolve any issues, and that sometimes he hasn’t. He rejected the other allegations, and said that Ruby Together’s financials have always been public.

“It has always been fully public, and the amount has been fixed at $150 an hour for 10 years,” he said, referring to the amount contributors got paid to work on Bundler. Arko added that nobody has ever been paid for more than 20 hours a week, and that the most he’s been able to raise in a single year is $300,000 to pay eight different contributors. “Nobody has gotten a raise for 10 years.”

"As a matter of policy, we don’t discuss individual personnel,” Sutera, the Ruby Central spokesperson, said when I asked if Arko was removed from the GitHub organization because of his previous behavior. “Our recent actions were organization-wide governance measures aimed at aligning access with policy. Our priority is maintaining a stable and secure Ruby Gems supply chain."

McQuaid, the developer of Homebrew and who followed the controversy, told me that even Arko’s harshest critics wouldn’t deny the contributions he’s made to the Ruby community over the years.

Regarding Arko’s blog post about his removal, McQuaid told me it’s good that Arko is crediting other people for their contribution and that he’s following open source principles of community and transparency, but that “his ‘transparency’ here has been selective to things that benefit him/his narrative, he seems unwilling or unable to admit that he failed as a leader in being unwilling or unable to introduce a formal governance process long before this all went down or appoint a meaningful successor and step down amicably.”

The fundamental disagreement here is about who “owns” the GitHub organization that houses Bundler and RubyGems. Technically, Ruby Central was able to assert control because Hiroshi Shibata, a member of the Ruby core team and one of the contributors who has owner-level permissions on the GitHub, made Haught, who revoked the others’ access, an owner as well. Any owner can add or remove any other owner, but when Ruby Central’s board voted to make this change Haught acted immediately and removed Arko, Dash, and others.

However, Arko fundamentally disagrees with the premise that Ruby Central has the right to govern the GitHub organization in any way, and believes that it has always belonged to the group of contributors who had access up until September 19.

Arko said that even if Ruby Central gave him his permissions back, he would not consider the matter resolved until Ruby Central stopped claiming it owns Bundler “but I am definitely not going to hold my breath for that one.”

“When people really care, they're passionate and they're enthusiastic and they argue, and that often looks like drama,” McQuaid, the developer of Homebrew, said when I asked what he thinks this entire affair says about the state of open source development. “But if I had to pick between having the enthusiasm and the drama or losing both, then I'd probably pick the enthusiasm and the drama, because in some ways, the system is somewhat self correcting. Even the stuff that's going on right now, people are having essentially a very public debate about what role do large companies or nonprofits or individual maintainers have in open source. To what extent does someone's level of contribution matter versus what type of person they are? I think these are valuable discussions to be having, and we're having them in the open, whereas if it was in a company, this would all be in a meeting room or with an HR department or in a leadership offsite or whatever.”

A board member's perspective of the RubyGems controversy

What a week it's been as a Ruby Central Board Member.

^{Freedom Dumlao (Freedom’s Substack)}

404 Media

2025-09-10 13:16:15

How Lofi Girl Became a Chill Beats Empire

Tens of thousands of people, at any given time, are idly listening to the ambient, muted beats that accompany the Lofi Girl livestream: in solo studying sessions, taking tests in a classroom, and using the tunes as a stand-in for white noise to aid sleep. The livestream, which is one of the longest running live broadcasts on YouTube, is often hiding in browser tabs, leaving the perpetually busy Jade (the Lofi Girl) to lazily take her notes behind whatever Wikipedia page or spreadsheet you’ve got open. But she is always there, the googly eyes stuck to her headphones wobbling as she looks up from her notes, to peek in on, to study with, or to chill to—the details of the music become secondary to the vibe.

From a single livestream that’s been running in some form since 2017—the YouTube channel, which was started in 2015, was called ChilledCow before the iconic rebrand—Lofi Girl has grown into an empire. To put that growth into perspective, ChilledCow had 1.6 million YouTube subscribers in 2018, a number that grew to 5 million in 2020. Now, the channel has more than 15 million subscribers. The soundtrack of Lofi Girl’s brand of chill is pervasive, and the ubiquity of her aural and physical aesthetic made Jade a big business, her essence seeping into wider culture; Nissan harnessed the vibe to sell its electric car, Will Smith to sell hoodies, and even U.S. president Donald Trump in a maniacal attempt to sell his administration’s “Big Beautiful Bill.” Lofi Girl—the company—leverages its influence itself, expanding from simply a YouTube channel into an advertising arm, merchandising enterprise, and full blown record label.

To reach this success over the past 10 years, Lofi Girl has had to adjust. Its success in making music that’s appealing to everyone changed the kind of music that’s coming out of the channel. While Lofi Girl once firmly fit within the genre of lofi hip hop, known for pairing relaxed—but still thumping—beats with nostalgic sound samples, its music has largely dropped the hip hop. Lofi Girl's music is now simply its own genre: lofi, where the soft, tonal consistency means it can be hard for the average listener to even see its works as distinct songs. The drum beats of the "chill beats to relax/study to" sometimes even take a backseat to the rounded, flighty melodies Dr. Jenessa Williams, a music and fan culture researcher at Stanford University, called Lofi Girl a “deeply valued background noise community.”

“Music consumption is shifting,” a Lofi Records label manager, who goes by Berrkan Bag online, told 404 Media in an email. “Short-form and scroll-driven platforms have changed how people engage with lo-fi. Some of the long-form, narrative visuals that helped define the genre are being challenged by algorithmic trends.”

He added that lofi itself is maturing as the genre redefines “itself between functional background music and meaningful creative expression.”

March marked 10 years since creator Dimitri Somoguy started the ChilledCow YouTube channel that would eventually become Lofi Girl. It started as a place to broadcast lofi hiphop beats, set to a looping video clip of Shizuku Tsukishima, the young girl protagonist from Studio Ghibli’s 1995 animated film Whisper of the Heart. The stream was taken down in 2017 over copyright concerns over the character’s usage, and that’s where Jade came from: ChilledCow hired Colombian artist Juan Pablo Machado to create an original character. Jade’s been the face of lofi beats on YouTube since, and so it makes sense the channel was renamed from ChilledCow to Lofi Girl in 2021. The current stream started in July 2022, making this particular broadcast one of the longest running livestreams on YouTube. The record would have been longer if it weren’t for a Digital Millennium Copyright Act takedown notice from 2022 that forced the Lofi Girl YouTube channel to go dark. (YouTube later called the DMCA notice “abusive.”)

Lofi Girl has never been the only place with beats to study or relax to—a genre that’s since become both a phenomena and a meme: Actor Will Smith has chill beats to quarantine to; Chillhop Music, which precedes even ChilledCow, has chill beats to farm Elden Ring runes to; you can even study with Waluigi—for more than 11 hours!—to the sound of somewhat chaotic lofi hip-hop. The aesthetic popularized by Lofi Girl is a mixture of muted, anime clips with music that’s engaging enough without distracting from whatever task a person is doing in the background. The Lofi Girl channel, as a whole, is by far the most popular place for lofi music, and has been for a while.

Today, there are more than a dozen streams of different lofi themed music running concurrently, several of which have thousands of people listening at any given time. Dozens of YouTube videos, both branded content and an emerging narrative about Jade and a new character, Synthwave Boy, a neighbor whose intertwined story is slowly unravelling over short videos. The company, which has about 20 employees, not including its hundreds of collaborators, according to a Lofi Girl representative, expands from there. Lofi Records is the in-house record label that’s published thousands of songs on its YouTube channel and on vinyl. Lofi Studio, an art team that makes Lofi Girl’s branded content, pumps out regular collaborations and brand deals. And then there's Lofi Girl Shop, which sells, among other things, vinyl records, a recreation of Synthwave Boy’s bomber jacket and purple beanie, and a plush orange cat. Lofi Girl is expanding into gaming, too. Lofi Girl has three official Fortnite maps: one in which you can, dressed as Darth Vader or Peely Bone, walk about a recreation of Jade’s bedroom; another that’s a Lofi Girl simulator; and a third that’s a parkour game called Only Up.

It’s no coincidence that the Lofi Girl channel blew up exponentially during the pandemic. People were spending a lot of time online, of course, but the channel offered a predictable constant. The music even edges on sleepy. YouTube creator Peter Tagg told 404 Media he has it playing for hours in the background multiple days a week—it's a salve that's beneficial for studying and even as a sleep aid. It’s always there, and the music is curated in such a way that you’re never really surprised by what you’re hearing, which can be comforting and not distracting. Williams, the music researcher, told 404 Media that Lofi Girl's aesthetic taps into "the psychology of productivity mirroring," which is a technique in which people motivate themselves to do a task by having another person around.

Williams says the music itself can often become secondary to the familiar, comforting vibe for Lofi Girl listeners. “Lofi Girl appeals most to young music fans who love and consume lots of different kinds of music, but appreciate the Lofi Girl specifically because it gives them something predictable in an evermore chaotic world,” she said. “Musical discovery via the Lofi Girl is certainly possible, but you’re unlikely to encounter anything truly surprising or cortisol-spiking, and I think—whether one sees this as a positive or not—that's why it has become so popular.”

Lofi music was originally more hip hop than anything else, popularized by two artists in particular: J Dilla and Nujabes. It’s a genre defined by nostalgia, drum beats, and melancholy sound—but as Lofi Girl, the channel, got more popular, the hip hop influence started to slide away in favor of reverb-heavy, ethereal music with simple drum beats. Producer and Lofi Girl collaborator Phil Morris Lesky, who publishes under the name Lesky, told 404 Media that the music he creates for Lofi Girl, specifically, is “more its own thing now. The rhythm section takes a little bit of a backseat. It’s more about arrangement.”

Though it clearly resonates with a mainstream audience, some in the lofi hip hop community criticize Lofi Girl for its role in anonymizing the music and stripping out its hip hop influence. Another Lofi Girl collaborator, who asked to remain unnamed as to not jeopardize an ongoing relationship with the brand, likened it to Muzak—a brand of background music designed to be unobtrusive for use in retail stores. “That’s kind of what happened with lofi music,” they said. “It’s no longer artists making sounds they want, rather, it’s a record label trying to curate an experience for, like, coffee shops.” (One prominent lofi hip hop musician, bsd.u, cheekily criticized lofi streams like Lofi Girl with a song called “all my homies hate 24/7 lofi streams.”)

This collaborator said Lofi Girl has a Discord server for musicians, and that’s where the company solicits music for its livestream. Often, Lofi Girl asks musicians to write to a specific theme—be it medieval, Halloween, synthwave, or for the vague “asian” radio channel, just make it lofi. The company often provides a playlist of music to emulate, they say. Then, a musician can submit music to Lofi Girl in hopes it gets chosen. Lesky and lofi producer Julien Pannetier, who goes by VIQ, aren’t bothered by the themed submission system. Lesky said it's easy to know exactly what the label is looking for. No guesswork involved. There’s less creative freedom, Pannetier told 404 Media, “but that can also be a driving force.”

The aforementioned anonymous Lofi Girl collaborator doesn't see it that way: “It’s really a policing of aesthetics and sounds that keeps artists from actually taking creative risks.”

It’s designed to be palatable to everyone. “The whole livestream on YouTube, the playlist growth on Spotify, without any judgement or critique, is creating a homogeneous sound that’s basically easily categorized,” Lesky said. “People understand it quickly. It’s really search engine-optimized. They have a huge influence.”

What this adds up to is big business for Lofi Girl. A YouTube channel of Lofi Girl’s size alone can bring in millions of dollars a year from YouTube’s ad revenue program. (Though Lofi Girl’s live streams aren’t interrupted by ads like lots of YouTube videos, they’re preceded by them. That, plus ads on dozens of other videos on the Lofi Girl channel that aren’t livestreams make a ton of money.) The popularity of the channel, and its ability to harness a vibe that resonates with everyone, is what’s driving Lofi Girl’s successful push into advertising. Over the past few years, Lofi Studio has been hired to create branded content that pulls a piece of the respective company into the Lofi Girl world. Lofi Girl’s marketing studio created a one-hour YouTube video created for Alien: Isolation, butinstead of Jade and her bedroom, it’s an alien on an anime-rendered spaceship, complete with Jones the cat perched at Nostromo’s window. For Lofi Studio’s Starfield collab, the company remixed the Microsoft game’s soundtrack, and set the video in a cozy little starship. No cat, but the robot does have its own cozy cup of coffee.

It works so well that other brands are trying to mimic the aesthetic.

Nissan debuted a four-hour YouTube video in 2023 to advertise its electric car Ariya. Its inspiration is obvious, swapping Jade for a dark-haired woman in a leather jacket who’s vibing to lofi beats from a car instead of a bedroom. None of this was created by Lofi Studios. Advertising company The Mayda Creative Co. and animation studio Titmouse created the YouTube video and its art, but ran the ads on Lofi Girl content. It’s got more than 18 million views. Will Smith’s quarantine beats slapped on, or, if you’re less generous, ripped off the aesthetic of Lofi Girl in this way. Dr. Steven Gamble, lecturer of digital humanities at the University of Southampton who writes about hip hop and the internet, told 404 Media that Smith’s fashion brand Bel-Air Athletics posted the video as Lofi Girl was taking off during the pandemic. “When things are popular and there’s an audience that has commercial potential, that’s what people do,” he says. Smith and Bel-Air Athletics positioned the video as "chill beats to quarantine to"—but it’s really “chill beats to buy his hoodies to,” Gamble told 404 Media. Nissan and Smith did not respond to a request for comment.

Tip Jar

The big difference, though, is that Smith’s chill beats are seemingly as low effort as possible, just licensing some existing music. Lofi Girl’s amalgamation of companies makes it so the company’s team of 20 employees (and hundreds of contracted musicians and artists) can do most everything in house, then hire artists to create the music central to its channels. That often benefits the musicians who drive the Lofi Girl channel, three artists that spoke to 404 Media said. The artists declined to share specifics, but said that Lofi Girl’s rates are standard for the industry. The money Lofi Girl musicians get isn’t from the ad revenue tied to the YouTube channel, but from the playlists it hosts on places like Spotify and Apple Music.

Lesky said the “playlist power and ecosystem behind the brand” drives a lot of exposure to his music. “I just really appreciate the opportunity the label and channel has given me from the beginning,” he said. “They were one of the first outlets that shared my music and it kicked off from there. It kicked off a career that sustained me for years now.”

The New York Times, in 2018, declared that 24/7 channels like ChilledCow and Chillhop Music were “unlikely to have a broad impact on the music industry,” representing “an underground alternative to the streaming hegemony of Spotify and Apple Music.” They were wrong. Lofi Girl’s core audience might not be able to name a single artist broadcast during a livestream (even if it is driving listeners to Spotify and paying dividends for artists). They may not have even known Lofi Girl has a name. But Lofi Girl is hardly underground. The company signed an administrative publishing deal with Warner Music Group in 2024, putting Warner in charge of licensing, royalties, copyright and other admin work. (Still, Pannetier said his experience with Lofi Girl was the opposite of the wider music industry, which he described as “very closed off and elitist.”)

For better or for worse—it all depends on who you’re asking—Lofi Girl is no longer the “pirate radio station” that took over YouTube in 2018. Lofi Girl is no longer just your study buddy. She’s an enterprise.

Correction: This article previously linked to a study published in Scientific Research Publishing. We've removed that link because the journal doesn't meet our editorial standards.

WARNER CHAPPELL MUSIC FRANCE SIGN ADMIN PUBLISHING DEAL WITH LOFI RECORDS - Warner Music Group

Warner Chappell Music France, the music publishing arm of Warner Music Group,. . .

^{WCM Communications (Warner Music Group)}

404 Media

2025-08-21 13:29:58

Inside the Underground Trade of ‘Flipper Zero’ Tech to Break into Cars

A man holds an orange and white device in his hand, about the size of his palm, with an antenna sticking out. He enters some commands with the built-in buttons, then walks over to a nearby car. At first, its doors are locked, and the man tugs on one of them unsuccessfully. He then pushes a button on the gadget in his hand, and the door now unlocks.

The tech used here is the popular Flipper Zero, an ethical hacker’s swiss army knife, capable of all sorts of things such as WiFi attacks or emulating NFC tags. Now, 404 Media has found an underground trade where much shadier hackers sell extra software and patches for the Flipper Zero to unlock all manner of cars, including models popular in the U.S. The hackers say the tool can be used against Ford, Audi, Volkswagen, Subaru, Hyundai, Kia, and several other brands, including sometimes dozens of specific vehicle models, with no easy fix from car manufacturers.

💡
Do you know anything else about people using the Flipper Zero to break into cars? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

These tools are primarily sold for a fee, keeping their distribution somewhat limited to those willing to pay. But, there is the looming threat that this software may soon reach a wider audience of thieves. Straight Arrow News (SAN) previously covered the same tech in July, and the outlet said it successfully tested the tool on a vehicle. Now people are cracking the software, meaning it can be used for free. Discord servers with hundreds of members are seeing more people join, with current members trolling the newbies with fake patches and download links. If the tech gets out, it threatens to supercharge car thefts across the country, especially those part of the social media phenomenon known as Kia Boys in which young men, often in Milwaukee, steal and joyride Kia and Hyundai cars specifically because of the vehicles’ notoriously poor security. Apply that brazeness to all of the other car models the Flipper Zero patches can target, and members of the car hacking community expect thieves to start using the easy to source gadget.

Upgrade to continue reading

Become a paid member to get access to all premium content
Upgrade

Inside the Underground Trade of ‘Flipper Zero’ Tech to Break into Cars

^{Joseph Cox (404 Media)}