In January 2024, a finance employee at Arup‘s Hong Kong office joined a video call with what appeared to be colleagues and the company’s CFO. Everyone on screen was a deepfake. By the end of the call, the employee had authorised 15 wire transfers totalling USD $25.6M across five accounts.
That’s what industrialised deepfake generation looks like in practice. Attack kits cost $5. Professional impersonation services are available on Telegram. The commercial platforms producing synthetic content that’s statistically indistinguishable from real footage are the same ones enterprise marketing teams use every day. This is a threat intelligence briefing on the supply side of that problem — the economic model, the major attack vectors, and why the gap between generation and detection isn’t a temporary problem. It’s structural. This article is part of our complete guide to AI content authenticity and the watermarking mandate. For vendor evaluation of detection tools, see the deepfake detection market analysis.
What Is a Deepfake — and How Is It Different from a Manipulated Video?
A deepfake is synthetic media — video, audio, or image — generated by deep learning models that produce convincing impersonations of real individuals or fabricate events that never happened.
A shallowfake is a different thing entirely. The 2019 Nancy Pelosi video — slowed down to make her appear impaired — is the canonical example. No AI involved. Just video editing software. That distinction matters for detection: shallowfakes leave editing artefacts that traditional forensics can catch. Deepfakes generate new content that defeats those methods entirely.
The first generation of deepfakes used GANs — Generative Adversarial Networks. Two neural networks compete iteratively until the generator can fool the discriminator consistently. The GAN architecture dominated until roughly 2022–2023. The problem it created for detection is structural: every time researchers published a detector, they effectively set the target that the next generation of generator models would be built to beat.
Diffusion models — Stable Diffusion, Sora, DALL-E 3, Runway Gen-3 — produce outputs from learned statistical patterns rather than iterative competition. The result: fewer tell-tale visual artefacts than GANs, and outputs that are statistically harder to detect. The Deepfake-Eval-2024 study found state-of-the-art detectors dropped 50% in AUC on video, 48% on audio, and 45% on images when tested against current deepfakes. Every new generative architecture is a new detection problem. That’s the accuracy ceiling this creates for detection tools.
How Much Does a Deepfake Attack Actually Cost in 2026?
The supply side operates across three tiers, and accessibility is the whole point.
The entry tier is dark web and Telegram distribution. Group-IB research documents attack kits from USD $5 — deepfake image services at 10–50, synthetic identities for up to $15. A 60-second deepfake video that cost $30,000 in compute five years ago can now be produced with 5–50 of API credit in minutes.
The mid tier is Telegram-based professional services. An MIT Technology Review investigation documented 22 active Telegram communities running open storefronts for KYC-evasion tooling in Chinese, Vietnamese, and English. Pricing: 30–60 for a basic virtual camera Android build, 100–300 for stolen-identity bundles, 500–2,000 for “VIP” services tailored to specific institutions. Binance, BBVA, and Revolut were explicitly named in the marketing.
The third tier — commercial platforms — is the part that often surprises people. HeyGen and Synthesia produce multilingual synthetic video through standard enterprise subscriptions. ElevenLabs and Resemble.AI clone voices from seconds of audio. These are not dark web tools. They are the same platforms enterprise marketing teams use. The vendor market responding to this demand is detailed separately.
How Did the Arup $25.6M Deepfake Fraud Succeed?
A finance employee at Arup’s Hong Kong office received a WhatsApp message purportedly from the UK-based CFO, requesting a confidential transaction. Suspicious, the employee joined a video call. On screen: the CFO and several colleagues. All deepfakes, generated from footage of real previous meetings. The employee authorised 15 wire transfers across five accounts totalling USD $25.6M. The fraud surfaced weeks later when the employee verified with London headquarters. None of the funds have been recovered.
The attack succeeded because real-time video was convincing enough to defeat human verification and there was no protocol requiring out-of-band confirmation for high-value transfers.
The near-misses tell the same story. In July 2024, attackers impersonated Ferrari CEO Benedetto Vigna using AI-generated voice cloning on a WhatsApp call. The attempt failed when an executive challenged the caller with a question about a book the real CEO had recommended — social context the AI couldn’t supply. WPP CEO Mark Read was impersonated in May 2024 via voice clone plus Microsoft Teams video; staff escalated before any money moved. Both attacks were stopped by process, not technology.
The FBI extended this picture in 2025: widespread use of voice spoofing and deepfakes during remote job interviews resulted in approximately $13M in documented losses. Any process relying on video or audio to verify identity is exposed.
Why Is Voice Cloning Now the Fastest-Growing Enterprise Attack Channel?
Voice became the most weaponised deepfake modality in 2024. A few seconds of publicly available audio — an earnings call recording, a LinkedIn video — is enough to produce a convincing impersonation with tools like ElevenLabs. Off-the-shelf voice cloning services cost less than USD $10 a month.
Pindrop analysed over 1.2 billion calls across its contact-centre customer base. Their headline finding: deepfake fraud attempts grew by +1,300% year on year in 2024, moving from roughly one attempt per month to seven per day. Synthetic voice attacks at insurance companies were up 475%; at banks, up 149%.
CrowdStrike‘s 2025 Global Threat Report records vishing — voice phishing powered by voice cloning — at +442% growth between the first and second half of 2024. By Q4 2024, 0.33% of all contact-centre calls contained a synthetic voice, up 173% from Q1 that year.
Voice outpaces video attacks for practical reasons: lower compute, easier telephony deployment, no visual channel required. Any contact centre, audio-only verification protocol, or executive with publicly available voice recordings is part of the attack surface. For vendor evaluation of voice deepfake detection tools, the picture is covered in the detection market analysis.
How Are Deepfakes Being Used to Defeat KYC Identity Verification?
KYC bypass attacks inject face-swap deepfakes or native virtual camera (VCam) streams into identity verification pipelines to pass Know Your Customer checks fraudulently. The VCam attack replaces the phone’s real camera feed with a software-defined video stream of the impersonated person performing whatever liveness motion the system requests. The KYC app reads the spoofed feed and approves the session.
iProov’s 2025 Threat Intelligence Report documents the scale: face-swap attacks up +300% compared to 2023; VCam attacks up +2,665%. Attackers have shifted to a method that defeats camera-layer liveness checks that only verify whether a video signal is live, not whether it originates from actual camera hardware.
The tooling is available on Telegram for $30 for a basic VCam Android build. A scam operation running 1,000 fraudulent accounts per week at $30 in tooling cost is spending $30,000 to unlock potentially tens of millions in laundering capacity. Sumsub reports deepfakes account for 11% of all global fraud activity in 2026, up from 7% in 2024.
Liveness detection — verifying genuine human presence rather than just a live video signal — is the primary defensive layer. iProov‘s Genuine Presence Assurance (GPA) approach uses active challenges like random head movements and on-screen colour flashes that pre-built deepfake video struggles to defeat. The constraint is practical: tighten liveness rules enough to filter VCam attacks and you start rejecting genuine customers. And onboarding-funnel attrition is a growth metric every FinTech watches closely.
Why Does the Supply Side of the Adversarial Economy Structurally Outpace Defence?
The asymmetry is economic, architectural, and temporal. All three matter.
On cost: attack kits from $5, professional services from $100, commercial subscriptions accessible to anyone. Enterprise-grade detection infrastructure costs orders of magnitude more. That cost gap doesn’t close.
On architecture: a detector trained on GAN-generated deepfakes from 2020 does not recognise diffusion-model deepfakes from 2025. A 2024 study on adversarial attacks showed that lightweight attacks based on simple 2D convolutional filters are sufficient to bypass state-of-the-art facial detection systems. A 2025 University of Edinburgh study demonstrated that AI fingerprints can be removed with adversarial post-processing and, more problematically, transplanted onto authentic content to misclassify real footage as synthetic.
On speed: Stable Diffusion released five major versions in 24 months. Sora went from v1 to v2 in nine months. Detectors train in months — by the time a system reaches production, the adversary is already a version ahead. As the accuracy ceiling research shows, every detector published effectively sets the target that the next generation of generator models will be built to beat.
Gartner’s September 2025 survey of 302 cybersecurity leaders found 62% had experienced a deepfake attack in the past 12 months. A 2024 Gartner forecast projects that by 2026, 30% of enterprises will consider identity verification unreliable in isolation. This is mainstream enterprise risk now. Understanding the full context of the watermarking mandate and adversarial economy is essential for building a proportionate response strategy.
What Is the Liar’s Dividend — and Why Does It Matter Beyond Direct Fraud?
The liar’s dividend is a concept from Bobby Chesney and Danielle Citron’s 2019 California Law Review paper. In a world where convincing deepfakes exist, anyone can deny inconvenient evidence by claiming it was AI-generated — and that denial has become credible. Deepfakes do not merely introduce falsehoods; they erode the mechanisms by which organisations establish shared understanding of what is real. This concept is developed in the detection arms race article — referenced here as a downstream consequence of the adversarial economy.
The threat runs in two directions. First, authentic evidence becomes deniable: recordings without a verifiable chain of custody can be challenged simply by raising the possibility of AI manipulation — no proof of tampering required. Second, genuine content becomes suspect: as awareness of deepfakes grows, bad actors can more easily dismiss any inconvenient proof as fabricated.
This extends well beyond fraud prevention. Board communications, regulatory submissions, audit evidence, legal proceedings — any context where video or audio is relied upon as proof is affected. UNESCO frames this as a “crisis of knowing itself”.
EU AI Act Article 50(4) requires disclosure of AI-generated content from August 2, 2026. The obligation applies to the business deploying the AI system, not just the model provider — meaning businesses using third-party AI tools to generate realistic video or audio may have compliance obligations they haven’t assessed. US state-level deepfake legislation is proliferating in parallel. The enterprise compliance implications are covered separately.
The risk isn’t only that an attacker succeeds. The threat landscape itself undermines the reliability of your organisation’s internal communications and evidence, regardless of whether any fraud occurs. For a complete overview of all aspects of AI content authenticity — from regulatory obligations to technical approaches and compliance implementation — see our complete overview of AI content fraud and watermarking.
Frequently Asked Questions
What is deepfakes-as-a-service and how does the criminal supply chain work?
DFaaS is a tiered criminal and commercial supply chain. Attack kits from $5 on dark web and Telegram, professional bespoke services at 500–2,000, and commercial platforms — HeyGen, Synthesia, ElevenLabs — with dual legitimate and criminal use through standard subscriptions. An MIT Technology Review investigation identified 22 active Telegram channels operating as open storefronts, with Group-IB documenting the broader supply chain across dark web markets.
What is the difference between a deepfake and a shallowfake?
A shallowfake uses conventional video editing tools — speed manipulation, splicing, re-contextualisation — without generative AI. A deepfake uses deep learning (GAN or diffusion models) to synthesise entirely new content. The distinction matters because detection tools trained to identify GAN artefacts fail on diffusion model outputs, and shallowfake detection methods are ineffective against AI-generated content.
How does a $5 deepfake attack kit work?
Dark web and Telegram-distributed attack kits bundle pre-trained deepfake models or templates with guidance on target selection and instructions for deployment — targeting KYC or identity verification pipelines. KYC-specific bypass kits are priced around $30 on Telegram and are documented to target named financial platforms including Binance, BBVA, and Revolut.
What is a native virtual camera (VCam) attack and why is it driving iProov’s statistics?
A VCam attack inserts a synthetic video stream directly into a video call pipeline at the operating system or driver level, bypassing camera-layer liveness checks that only verify whether the signal is live. This defeats conventional liveness detection that doesn’t verify the camera hardware itself — the specific mechanism behind iProov’s +2,665% growth figure in this attack category.
Can your organisation’s video call processes be protected against real-time deepfakes?
Partial protection is available through out-of-band verification protocols (pre-agreed code words, callback to a known number), process controls requiring dual authorisation for high-value transactions, and liveness detection verifying genuine human presence. No technical control provides complete protection against real-time deepfakes in 2026. Process controls are the most immediately deployable defence — the Ferrari and WPP near-misses demonstrate that an unscripted verification question stops attacks that technology cannot.
Does the EU AI Act create compliance obligations related to deepfakes?
EU AI Act Article 50(4) requires disclosure of AI-generated content, effective from August 2, 2026. The obligation applies to the business deploying the AI system, not just the model provider. Businesses using third-party AI tools to generate realistic video or audio may have independent compliance obligations regardless of intent to deceive. US state-level deepfake legislation is proliferating in parallel.
Where can I find vendor evaluation for deepfake detection tools?
Vendor evaluation — accuracy benchmarks, false-positive rates, integration complexity, regulatory certification — is covered in the deepfake detection market analysis. Pindrop, iProov, and CrowdStrike are cited in this article for their published threat intelligence statistics, not as endorsements.
