In a heist straight out of a cyberpunk novel, a multinational company’s Hong Kong office fell victim to an unprecedented $25 million theft, orchestrated through a sophisticated deepfake scam—a stark reminder of the emerging threats at the intersection of artificial intelligence and cybercrime.
The elaborate con unfolded as an employee at the Hong Kong branch of the multinational firm received a communication from an individual purporting to be the company’s UK-based chief financial officer. The message, which raised the employee’s suspicion as it mentioned a “secret transaction,” was the prelude to a meticulously planned fraud.
Despite initial doubts, the employee’s wariness was overcome by the seemingly authentic video conference that followed, featuring a digital recreation of the CFO alongside other colleagues. In this orchestrated illusion, the participants were nothing but deepfakes—convincingly simulated images and voices of real individuals crafted using AI technology and publicly available footage. The unsuspecting victim, in the presence of familiar faces and voices, executed 15 fund transfers totaling HK$200 million to five separate bank accounts.
The scam was unearthed after a week when the employee reached out to the company’s headquarters for confirmation, leading to the chilling realization that the video call had been a ruse. Hong Kong police, who have not disclosed the name of the affected company due to the ongoing investigation, confirmed that this incident marked the first of its kind in the city involving deepfake technology used to simulate a multi-person video conference.
This case adds to a growing list of crimes utilizing deepfake technology, which has seen a staggering increase in fraudulent attempts, as reported by identity verification company Onfido—a 3,000% rise between 2022 and 2023. Cybersecurity experts have been sounding alarms, as deepfakes shatter the assumption that live audio or video cannot be manipulated, urging organizations to enhance their security practices and employee training.
One security professional highlighted that “this was an elaborate crime,” pointing out that cybersecurity protections must evolve to combat phishing on communication platforms like Teams, Slack, and Zoom. This also requires reinforcing physical security protocols, as technology often lags behind criminal ingenuity.
Moreover, the police have offered practical tips for verifying identities in video calls, like asking participants to move their heads or answer identity-confirming questions, particularly when financial transactions are involved. They also suggested the introduction of an encrypted key pair system for employees to authenticate parties in digital meetings securely.
Hong Kong police are taking proactive measures to counteract the threat, planning to enhance their alert system for the Faster Payment System (FPS), aiming to issue warnings for transactions linked to known scams.
The incident serves as a stark warning to both corporate and individual Internet users: as technology evolves, so do the methods of criminals who seek to exploit it for malicious purposes. With deepfake technology becoming more accessible and convincing, the need for heightened vigilance and robust cybersecurity measures has never been more critical. As these AI-driven threats loom larger, awareness and education around such scams will be vital in preventing future digital deceptions.
Relevant articles:
– Deepfake scammer walks off with $25 million in first-of-its-kind AI heist
– Deepfake video conference convinces employee to send $25M to scammers
– Employee loses $25M of firm’s funds after call with deepfake colleagues
– Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’