Skip to content
THREAT INTELLIGENCE BRIEFING — FEBRUARY 2026
$0
in reported cybercrime losses — and deepfake fraud is an accelerating contributor
FBI IC3 2024 Annual Report · 859,532 complaints · 33% increase year-over-year
⚠ One deepfake attack every 5 minutes
Scroll to explore↓
01 — Centerpiece Case Study
The Arup Deepfake Heist
Hong Kong, February 2024 — the most instructive deepfake fraud case to date
$0
stolen via a single deepfake video conference — every participant was AI-generated
Initial Contact
A finance employee in Arup's Hong Kong office received a message purporting to be from the company's UK-based CFO, requesting participation in a "confidential transaction" video call.
The Deepfake Call
The employee joined a video conference in which the CFO and multiple colleagues appeared on camera. All participants — their faces, voices, and mannerisms — were AI-generated deepfakes. The call was convincing enough that the employee did not question the identities.
The Transfer
Following instructions received during the call, the employee executed 15 wire transfers totaling HK$200 million (~US$25.6 million) to five different bank accounts.
Discovery
The fraud was discovered approximately one week later when the employee checked with Arup's head office and confirmed that no such transaction had been authorized.
Recovery Attempt
Singapore's Anti-Scam Centre and Hong Kong police responded within 48 hours, freezing most of the funds before they could be fully laundered.
Investigation
Hong Kong police traced the attack to organized criminal networks in Southeast Asia with access to sophisticated real-time deepfake technology.
Key Lesson
A single procedural control — requiring a callback to a pre-registered number before executing any wire transfer — would have prevented this entire $25.6M loss. The attackers relied entirely on the employee trusting the visual and auditory evidence of the video call.
02 — The Arsenal
Taxonomy of Deepfake Technology
8 categories of synthetic media, from free tools to near-perfect fakes
Face Swap
Replaces one face with another in images/video
Free – $50/mo
Tools: DeepFaceLab, FaceSwap, Roop. Free open-source tools available. Used in celebrity impersonation scams, identity fraud, and non-consensual intimate imagery.
Voice Cloning
Replicates a person's voice from 3–10 seconds of audio
Free – $22/mo; criminal toolkits ~$5
Tools: ElevenLabs, Resemble.AI, VALL-E, OpenVoice. Top attack vector: cheap, fast, and convincing. Powers CEO fraud, grandparent scams, and political interference.
Face Reenactment
Animates a target face using source expressions/movements
Free – $100 API
Tools: First Order Motion, LivePortrait. Real-time capable. Enables live video call impersonation — the technique behind the Arup $25.6M heist.
Lip Sync
Synchronizes mouth movements to arbitrary audio
Free open-source
Tools: Wav2Lip, VideoReTalking. Often combined with voice cloning for convincing video impersonation. Used in political disinformation campaigns.
AI-Generated Images
Creates photorealistic images of non-existent people
Free – $30/mo
Tools: Stable Diffusion, Midjourney, DALL-E 3, Flux. Free local deployment possible. Powers synthetic identity fraud, fake profiles, and 98% of deepfake content (NCII).
Text-to-Video
Creates entirely synthetic video from text prompts
$12 – $100/mo
Tools: Sora, Runway Gen-3, Kling. API access available. Emerging threat for fabricated evidence, disinformation campaigns, and staged scenarios.
Full Body Puppeteering
Controls full body movements of a target
$200 – $500/mo GPU
Tools: Motion transfer models, vid2vid. Requires significant compute. Used for sophisticated impersonation where body language matters.
Document Forgery
Creates synthetic ID documents and credentials
$15 – $100 per document
Tools: ChatGPT/Grok image generation, specialized tools. As little as $15 for a fake ID in ~30 minutes. 2% of detected fake documents in 2025 were AI-generated. Powers KYC bypass and synthetic identity rings.
Technology Accessibility Curve (2017–2026)
From PhD-level expertise to no skills required
Threat level:
Low
Medium
Critical
Bar = relative ease of access
2017–18
Research
PhD-level
2019–20
Early Adopt
Strong tech skills
2021–22
Democratized
Moderate skills
2023–24
Consumer
Minimal skills
2025–26
Industrial
No skills required
Harder to create → → → Easier to create
03 — Threat Landscape
Six Categories of Deepfake-Enabled Threats
Documented incidents, losses, and case studies across each attack vector
$25.6M
Financial Fraud
↑ +456% YoY in crypto sector
CEO/CFO voice cloning, wire transfer scams, and BEC enhancement. One attack every 5 minutes in 2024.
Read more +
UK Energy Firm (2019)
~$243K stolen via CEO voice clone — first documented deepfake financial fraud.
Arup Hong Kong (2024)
$25.6M via multi-participant deepfake video conference. All participants AI-generated.
Zoom Face-Swap (2024)
$622K stolen using real-time face-swapping during a Zoom call with a senior executive.
38
Political Disinformation
↑ 38 countries affected since 2023
Election interference, voter suppression, and the "Liar's Dividend" where authentic evidence is dismissed as fake.
Read more +
Slovakia Election (2023)
Audio deepfake released during 48-hour media blackout contributed to pro-Russian candidate's victory.
Biden Robocall (2024)
AI voice urged Democrats not to vote. Creator charged with 26 counts, fined $6M by FCC.
India BJP (2024)
Official deepfake propaganda via WhatsApp; deceased politician "appeared" at a 2024 conference.
700%
Identity Theft & KYC Bypass
↑ Deepfake fraud up 700% in Q1 2025
Synthetic identity creation, AI-generated fake IDs ($15 each), and biometric bypass targeting financial services.
Read more +
ProKYC Tool (2024)
Underground tool marketed for bypassing KYC with synthetic faces and live video of fake identities.
AI Fake IDs (2025)
$15 for a convincing fake ID in ~30 minutes. 2% of all detected fakes are now AI-generated.
Voice Biometric Bypass
Voice cloning defeats voice-based authentication at banks and financial institutions at increasing rates.
$650M
Romance Scams & NCII
↑ 98% of deepfakes are NCII
Real-time deepfake video calls for romance fraud. 98% of all deepfake videos are non-consensual pornography targeting women.
Read more +
Taylor Swift (Jan 2024)
AI-generated explicit images reached 47M views on X before removal. Catalyzed NO AI FRAUD Act.
Yahoo Boys (2024–26)
Groups use real-time deepfake video calls and AI personas for romance scams lasting months.
Child Sextortion
19.6% of children in western Europe report unwanted sexual interactions online. AI drives surge in cases.
8+
Celebrity Impersonation
↑ Growing across all platforms
AI-generated celebrity endorsements for scam products, crypto fraud, and unauthorized advertising across social media.
Read more +
Tom Hanks
AI-cloned voice and face used in health product ads on Facebook/Instagram. Hanks publicly warned fans.
MrBeast
Deepfake video offering fake iPhone giveaways spread across platforms.
Elon Musk
Deepfake videos promoting fake crypto investments and giveaway scams.
$21M
Grandparent Scams
↑ 25 indicted in largest ring
AI-cloned grandchildren's voices used to extract emergency payments from elderly victims. 3 seconds of audio is enough.
Read more +
Canadian Ring (2021–24)
$21M stolen across 46 US states. 25 Canadians indicted. Call centers raided June 2024.
Delhi Extortion (2023)
Elderly man paid Rs 50,000 after receiving AI-cloned audio of a child pleading for help.
St. Louis (2024)
AI-faked daughter's voice used in attempted scam; victim recognized it before paying.
04 — Defense Playbook
Incident Response & Recommendations
A 7-step framework, industry risk profiles, and stakeholder-specific action plans
7-Step Incident Response Framework
STEP 1
DETECT
Security Ops
Immediate
STEP 2
HALT
Employee + Mgr
< 5 min
STEP 3
VERIFY
Employee
< 15 min
STEP 4
PRESERVE
IT Sec / Legal
< 1 hour
STEP 5
ESCALATE
CISO / Legal
< 1 hour
STEP 6
REPORT
Legal / Compliance
< 24 hours
STEP 7
LEARN
CISO / Training
< 1 week
⚠ For wire transfer fraud, the first 48 hours are crucial for fund recovery.
Industry Risk Profiles
Financial Services
KYC bypass, BEC fraud, wire scams
Injection-attack detection, multi-factor verification, behavioral analytics
Healthcare
Deepfake doctors, telehealth fraud
Provider identity verification, liveness detection, claims anomaly detection
Media & Journalism
Fabricated footage, fake sources
C2PA provenance, source callback verification, forensic analysis
Legal
Deepfake evidence, witness impersonation
Digital evidence authentication, expert witness requirements
Government
Official impersonation, election interference
FBI alert monitoring, communication provenance, SemaFor tools
Insurance
Fraudulent claims, synthetic evidence
AI-powered claims verification, metadata analysis
Recommendations by Stakeholder
| Priority | Action | Rationale |
|---|---|---|
| CRITICAL | Mandate callback verification for all wire transfers >$10K | Would have prevented Arup $25.6M loss |
| CRITICAL | Deploy AI-powered deepfake detection on identity verification | KYC bypass is the primary financial fraud vector |
| HIGH | Fund red-team exercises with deepfake scenarios | Test organizational resilience before attackers do |
| HIGH | Establish executive impersonation monitoring | Detect unauthorized use of executive likenesses proactively |
| MEDIUM | Join C2PA coalition and implement content provenance | Future-proof media authenticity infrastructure |
| Priority | Action | Rationale |
|---|---|---|
| CRITICAL | Implement injection-attack detection on biometric systems | Software-based attacks bypass the camera entirely |
| CRITICAL | Deploy multi-factor auth for all high-value transactions | Voice and face are no longer reliable single factors |
| HIGH | Integrate deepfake detection APIs into verification pipelines | Automated detection at scale (Reality Defender, Sensity) |
| HIGH | Monitor dark web for exec voice/video samples | Early warning of impending attacks |
| MEDIUM | Implement C2PA content provenance in media workflows | Establish chain of custody for organizational media |
| Priority | Action | Rationale |
|---|---|---|
| CRITICAL | Never execute sensitive actions based solely on video/audio | Deepfake video calls are now indistinguishable from real |
| HIGH | Report suspicious communications immediately | Early reporting enables rapid response |
| HIGH | Minimize public sharing of voice/video content | Reduces raw material available to attackers |
| MEDIUM | Participate in deepfake awareness training | Build recognition skills and reporting instincts |
| Priority | Action | Rationale |
|---|---|---|
| CRITICAL | Establish a family code word for emergency calls | Defeats voice cloning impersonation |
| CRITICAL | Hang up and call back at a known number | Spoofed calls cannot receive callbacks |
| HIGH | Set social media to private; minimize public voice/video | Reduces cloning material (3 seconds is enough) |
| HIGH | Never send money via wire/crypto/gift cards for urgent requests | These payment methods are unrecoverable |
| MEDIUM | Educate elderly family members about AI voice scams | Grandparent scams specifically target the elderly |
05 — The Detection Gap
Humans Are Losing the Detection Race
Can your team tell the difference? The data says no.
Human Detection
0%
accuracy on high-quality video deepfakes — worse than a coin flip
VS
Machine Detection
80–98%
on known deepfake types — but novel techniques continuously evade current models
Detection Tool Landscape (9 Vendors)
If humans can’t detect deepfakes, who can? These vendors are building automated defenses.
| Vendor | Modalities | Deployment | Primary Use Case | Key Differentiator |
|---|---|---|---|---|
| Sensity AI | Image, video, audio | Cloud API, on-prem | Enterprise threat intel | Up to 98% accuracy; monitoring + analysis |
| Reality Defender | Image, video, audio, text | Cloud API, SDK | Enterprise, government | Multi-modal; DARPA-backed; 2-line integration |
| Pindrop Security | Audio (voice) | Cloud API, call center | Call center fraud | Audio-specific; real-time monitoring |
| Microblink | Image (ID docs, biometrics) | Cloud API, SDK | KYC/identity verification | Identity-centric; ties to ID verification |
| Intel FakeCatcher | Video (face) | On-device | Real-time video analysis | Physiological signal analysis (blood flow) |
| Microsoft Authenticator | Image, video | Cloud | Media workflows | Frame-by-frame confidence scoring |
| Resemble AI Detect | Audio | Cloud API, on-device | Audio deepfake detection | Watermarking + detection in one platform |
| DeepMedia | Video, image | Cloud API | Content moderation | Real-time video manipulation detection |
| C2PA Standard | All (metadata) | Embedded in media | Content provenance | Open standard; Adobe, Microsoft, Google, BBC |
No single tool covers all attack vectors. Organizations should deploy layered detection — document verification + voice auth + video analysis + content provenance.
DARPA Detection Pipeline
The government bet early on detection research — now it’s reaching the private sector.
2017–21
MediFor
DARPA
Statistical detection
2021–25
SemaFor
DARPA + Kitware
Semantic analysis
2024
DEF CON Demo
AI Village
Public showcase
Mar 2025
DSRI Transition
UL Research
R&D collaboration
May 2025
Aptima
Commercial
Market deployment
06 — Global Regulation
Regulatory Landscape by Jurisdiction
A patchwork of approaches from comprehensive to non-existent
| Jurisdiction | Key Legislation | Approach | Key Provisions | Enforcement |
|---|---|---|---|---|
| United States (Federal) | NO AI FRAUD Act (proposed); FCC TCPA ruling | Sector-specific; no comprehensive law | AI robocalls illegal; proposed labeling & provenance | FCC fined robocall creator $6M; state prosecutions active |
| US States | 40+ bills introduced; CA AB 3211; PA Act 125 | State-by-state patchwork | CA: mandatory watermarks; PA: AI CSAM criminalized | PA AG charged 6+ individuals; growing prosecution |
| European Union | EU AI Act (2024) | Comprehensive, risk-based | Synthetic media provisions; provenance requirements | Phased implementation through 2027 |
| United Kingdom | Online Safety Act (2023) | Sector-specific, principle-based | Platform duties of care; NCII criminalized | Ofcom enforcement; criticized as insufficient for AI NCII |
| China | Deep Synthesis Regulations (2023) | Government-mandated | Real-name auth; algorithm audits; visible labeling | Active enforcement |
| India | Draft IT Rules (2025) | Platform-focused | Visible labeling; 3-hour takedown for flagged content | Pending implementation |
| South Korea | Revised sexual violence laws (2024) | Criminal penalties | 5+ year sentences for deepfake porn creation | Active: 5-year sentence for ~400 deepfake porn videos |
Enforcement Gaps
- No comprehensive US federal deepfake law — reliance on patchwork state laws
- First Amendment tensions — deepfake laws face free speech pushback
- Evidentiary challenges — courts lack protocols for authenticating digital evidence
- Cross-border jurisdiction — creators often operate from different jurisdictions than victims
07 — The Escalation
From Research Lab to Industrial Weapon
How deepfakes went from academic curiosity to $25.6M heists in 7 years
2017
First "deepfakes" subreddit; face-swap papers published
Technology enters public awareness
The term "deepfake" originates from a Reddit user who shared AI-generated face-swap videos. Academic papers on generative adversarial networks (GANs) begin circulating.
2019
UK energy firm CEO voice clone
First major financial fraud incident
~$243,000 stolen
AI-generated voice tricked an executive into wiring funds, marking the first documented case of deepfake-enabled financial fraud.
2020
Microsoft Video Authenticator launched
First major corporate detection tool
Microsoft releases a tool that analyzes photos and videos to provide a confidence score on whether media has been artificially manipulated.
2021
DARPA MediFor concludes; SemaFor begins
Government pivots from statistical to semantic detection
DARPA recognizes that purely statistical detection can be evaded with limited resources, pivoting to semantic-level analysis that understands meaning and context.
2022
Open-source tools proliferate
Democratization threshold crossed
DeepFaceLab, Roop, and other free tools become widely available, lowering the barrier from PhD-level expertise to moderate technical skills.
2023
Slovakia election deepfake; fraud attempts spike 3,000%
Political weaponization + industrial-scale fraud
3,000% SPIKE
Audio deepfake of a Slovak politician released during a 48-hour media blackout contributes to election outcome. Fraud attempts increase 3,000% globally and 1,740% in North America.
JAN 2024
Biden robocall in New Hampshire primary
First criminal prosecution of political deepfake in US
AI-generated voice of President Biden urged Democrats not to vote. Creator Steve Kramer charged with 26 counts and fined $6 million by FCC.
FEB 2024
Arup $25.6M deepfake video conference fraud
Largest single-incident financial loss
$25.6 MILLION
Finance employee tricked via live video conference with deepfaked CFO and multiple colleagues — all participants were AI-generated.
FEB 2024
FCC ruling: AI robocalls illegal under TCPA
First major US regulatory response
FCC unanimously classified AI-generated voice cloning robocalls as "artificial" under the TCPA, enabling state AG prosecution.
JAN 2024
Taylor Swift explicit deepfakes go viral
47M views; NO AI FRAUD Act catalyzed
AI-generated explicit images spread across X (Twitter), prompting White House alarm and bipartisan Congressional action on the NO AI FRAUD Act.
2024
38 countries experience election deepfakes
Global political interference at scale
3.8B PEOPLE EXPOSED
82 political deepfakes targeting public figures documented across 38 countries in a 12-month period, affecting populations totaling 3.8 billion.
2024
ProKYC underground deepfake tool discovered
Criminal-as-a-service for identity fraud
Purpose-built tool discovered by Cato Networks, marketed specifically for bypassing KYC identity verification with synthetic faces and live video.
Q1 2025
Deepfake fraud up 700%; 8M deepfakes online
Industrialization era begins
8 MILLION DEEPFAKES
Volume explosion from 500,000 in 2023 to 8 million by 2025. Fraud attempts increase 700% in Q1 2025 alone.
MAR 2025
25 Canadians indicted for $21M grandparent scam ring
Largest voice-cloning fraud prosecution
Call centers in Montreal used AI-cloned grandchildren's voices to convince elderly victims across 46 US states to pay fake bail fees.
MAY 2025
DARPA awards Aptima commercialization contract
Government detection tech enters private sector
Critical inflection point: DARPA-funded media forensics research begins transition to commercially deployable tools through Aptima partnership.
JAN 2026
WEF “Unmasking Cybercrime” report
“Identity has become synthetic, scalable, and weaponizable”
World Economic Forum's comprehensive report on deepfakes identifies three-tier threat model: individual fraud, organized rings, and state-sponsored operations.
FEB 2026
AMA CEO warns of deepfake doctors in healthcare
New sector-specific threat vector emerges
The American Medical Association identifies deepfake impersonation of physicians as "a threat to public health" in telehealth and social media contexts.
08 — What’s Coming
Future Threat Trajectory (2026–2028)
Five emerging threats — color-coded by urgency
2026–2027 Imminent
Indistinguishable Realism
Advances in generative models (Sora 2 and beyond) will make deepfakes indistinguishable from reality for most humans. Detection will rely entirely on provenance and AI tools.
2026–2027 Imminent
Automated Social Engineering
AI-powered scam bots, synthetic job candidates, and coordinated multi-channel attacks will proliferate. Attacks will be personalized and persistent.
2026–2028 Imminent
Trust Crisis
Without robust provenance and detection, society risks a “complete lack of trust” in digital interactions, with profound implications for democracy, commerce, and security.
2027–2028 Near-term
Regulatory Convergence
Expect convergence toward provenance mandates, rapid takedown rules, and global standards for synthetic media labeling and verification.
2026–2028 Near-term
Courts Under Siege
AI-generated deepfake evidence in legal proceedings will force adoption of standardized digital evidence authentication protocols. Judges already struggle to identify fakes.
The Single Most Important Recommendation
Mandate callback verification through a separate pre-established channel for all wire transfers and sensitive actions — regardless of how convincing the video or audio appears.
⚠ Mandate Callback Verification
This single procedural control would have prevented the $25.6M Arup loss and the majority of deepfake-enabled financial fraud.