I get that it's fraud. People who want to be fraudulent will be testing this though. What if it were a less clear number - 20,000 times? 5,000 times? All it takes is one musician with a friend who has even limited coding experience to make it reasonably sophisticated.
Fraud is always combatted by making it cost-prohibitive, not impossible. You could write a botnet that plays a random song via 1,000 user accounts 24/7 that looks imperceptible.
It's the same issue Google had with black hat search results. They try to make life hard for people who break the rules and generally don't affect people who follow the rules.
And as long as there's a reasonable alternative, they have a financial incentive to keep the service from onerous restrictions.
Not trying to be dismissive or assume too much, but I genuinely think that Spotify probably runs some analytics to have a general understanding of what low, medium, and high human usage profiles look like. I mean, it just seems logical to me. Most of these cases seem so extreme that even cursory review would indicate suspicious activity.
