Original Pictures
Deepfake fraud prevention with provenance signing

Deepfake Fraud Prevention: the $25.6M Arup Lesson and How Provenance Stops It

Definition: Deepfake fraud prevention is the practice of cryptographically signing executive communications, financial calls, and identity media at capture so any synthetic impersonation arriving later is identified by the absence of a valid provenance chain.

TL;DR: In January 2024 Arup lost $25.6 million to a deepfake CFO video call. Six months later a Ferrari executive foiled a voice clone by asking about a book. The defense is not detection, it is provenance at the source: sign authentic executive media so the fake is the one with no manifest.

How Arup lost $25.6 million

A finance employee in Arup's Hong Kong office joined a video call that appeared to feature the London CFO and familiar colleagues, all synthetic. Recognizing faces and voices, the employee made fifteen transfers totaling about HK$200 million, roughly US$25.6 million, to five accounts. Three things failed at once: identity verification relied on recognition rather than cryptography, process allowed large transfers over video without out-of-band confirmation, and no signing infrastructure existed to prove the CFO was actually present.

How Ferrari caught it with a book

In July 2024 a Ferrari executive took a call imitating CEO Benedetto Vigna's accent and asking for an urgent transfer. Suspicious, the executive asked the title of a book Vigna had recently recommended. The caller could not answer. It worked, but it was a human firewall, not a system. Signed and watermarked authentic communications would have turned a trivia quiz into a manifest check.

Why detection is the wrong primary defense

Post-hoc detection is an arms race the detector side loses, because every public detector trains the next forger. Provenance inverts the asymmetry: a forger must reproduce the certificate, the timestamp, the anchor, and the identity assertion, not just the pixels. That raises the cost from minutes with free tools to compromising a hardware security module and a public blockchain at once.

The Original Pictures defense stack

Sign every earnings call and executive video at the encoder with c2pa.created and a CAWG identity assertion, embed an AudioSeal watermark at sample-level localization, and anchor the manifest hash to Bitcoin. When a suspicious call arrives, the recipient app checks for the manifest; its absence escalates to out-of-band confirmation.

The incident behind this

Arup deepfake CFO scam, January 2024, Hong Kong: about US$25.6 million across 15 transfers to 5 accounts. Arup's CIO Rob Greig later said he reproduced a deepfake of himself with free tools in about 45 minutes. Sources: CNN (16 May 2024), Fortune, Financial Times.

Implementation

from originalpictures import client
op = client(api_key=ENV['OP_KEY'])

# Sign an executive earnings call
op.sign(media='q1-earnings-call.wav',
        producer='Acme Corp IR',
        identity={'type': 'cawg.identity_claims_aggregation',
                  'verifiedIdentities': [{'type': 'cawg.affiliation', 'name': 'Acme Corp'}]},
        watermark='audioseal', anchor=True)

# Verify an incoming recording
v = op.verify('suspicious-call.wav')
if v.provenance_score < 0.95:
    alert_security_team(v)

Regulatory mapping

RegimeEffectiveBiteWhy it applies
FFIEC guidanceLiveEnforcement actionSigned comms reduce BEC risk
NIS2 (EU)Oct 2024EUR10M or 2%Financial services critical entity
SEC cyber rulesDec 2023Disclosure obligationMaterial deepfake-enabled fraud

FAQ

Does this work for live calls?

Yes. AudioSeal added streaming support, embedding a watermark in real-time voice with low latency. Live verification buffers a few seconds of audio for detection.

What if an attacker trains on my signed recordings?

The watermark does not stop cloning; it stops the clone from passing as authentic. A synthetic voice will not carry the live capture-moment watermark or the original manifest.

Where Original Pictures stands today

Original Pictures ships three things today: a Sign API, a Verify API, and the SDKs that wrap them. One POST /v1/sign attaches a C2PA-format manifest, an invisible TrustMark watermark, and an OpenTimestamps anchor. The open-source verifier checks any of it without calling us.

Two things are on the near roadmap, and we name them as roadmap, not as shipped: C2PA Conformance Program recognition (target Q3 2026, until then our manifests use the published C2PA v2.2 format and any C2PA-aware validator can read them, but third-party validators will show our signer as not-yet-listed), and a consumer capture app (Q3 2026). We do not sell a capture SDK, and we do not claim Trust-List membership we do not yet hold.

Bottom line: Human vigilance does not scale. Sign executive media at the capture moment, watermark it, and anchor it, so the fake is always the one without a valid chain.

Related


Original Pictures is progressing through the C2PA Conformance Program; our signing certificate is not yet on the official C2PA Trust List. Target: Q3 2026. We will not describe ourselves as "C2PA-certified" until it is true.

Original Pictures provides content-provenance infrastructure. It does not by itself constitute legal compliance with the EU AI Act or any other regime; compliance depends on how you deploy it, your disclosures, and your governance. Figures are drawn from public reporting, verify against primary sources before citing in regulated materials. Nothing here is legal advice.

Last verified 2026-05-25. Author: Mahdi Kazempour, Founder, Original Pictures.