Arup — $25M stolen via deepfake CFO video call
An Arup employee in Hong Kong was convinced to send $25M across 15 transactions by a video conference in which attackers deepfaked the CFO and multiple colleagues in real time.
What happened
The employee received a phishing email requesting a confidential transaction. They were then invited to a video call where deepfake videos of the CFO and multiple other executives appeared. The fakes were convincing enough that the employee authorized the transfers before verification.
Timeline
Attacker initial reconnaissance of target employee and leadership.
Phishing email + video call with deepfaked executives.
Employee executes 15 transfers totaling $25.6M HKD.
Fraud discovered; investigation opens.
Root cause
Social engineering augmented by real-time deepfakes defeated the employee's normal verification instincts. No technical control failed — the attack exploited human trust.
Impact
- $25M+ stolen
- Industry-level warning about deepfake social engineering
- Catalyst for enterprise deepfake-defense tooling
Directly, no — this is not a code or infrastructure attack. Category-level, Securie's L36 deepfake-defense layer (roadmap) addresses meeting-platform integration. The practical defense today is out-of-band verification for any high-value transaction.
Lessons
- Real-time deepfakes are production-quality in 2024+
- Video alone is no longer verification
- High-value transactions need out-of-band confirmation (phone, signed message, in-person)
- Train employees that 'video meeting' is not verification