On 15 June, the US Department of Justice and Homeland Security Investigations seized the deepfake sites CFake.com and SOCFake.com under the Take It Down Act, the first criminal domain seizures under that statute. It was a three-country operation across the US, France and Italy, with French police arresting a suspect in Nice on 10 June and seizing cryptocurrency tied to the operation. Back in issue #1 I wrote that image-deepfake enforcement had a removal regime with civil penalties while voice had nothing. Eight weeks on, the image side has moved from civil warning letters to criminal seizures and an arrest.
On 26 June, an 86-year-old in Sault Ste. Marie, Ontario, lost CAD$900,000 after a Facebook advert showed a deepfake of Canadian Prime Minister Mark Carney promising that a small investment would be "backed by the Bank of Canada." She remortgaged her condominium for CAD$300,000 to keep feeding it. In her words: "I saw an ad on Facebook of Mark Carney telling me if I invested $350 Canadian, it would be backed by the Bank of Canada."
The asymmetry that runs through every issue of this newsletter just sharpened. Non-consensual intimate imagery now triggers coordinated international seizures. Financial deepfake fraud, the celebrity-endorsement video scam that emptied a pensioner's savings, gets a consumer-awareness leaflet. There is no Take It Down for "a deepfake of a head of state sold me a fake bond." The platform that ran the advert and processed the money faces no per-incident penalty schedule.
The detection gap maps onto it exactly. Almost every detection product I cover is aimed at the enterprise: the contact centre, the KYC desk, the video-conference bridge. The Carney scam touched none of them. It ran through a consumer's Facebook feed, where there is no detection layer at all, no fraud team, no callback policy, no vendor.
Image deepfakes get seizures. A pensioner gets a leaflet and a CAD$300,000 mortgage she will not get back.
This is the shape of deepfake harm in 2026. The money and the tooling sit in the enterprise. The volume and the unprotected victims sit with consumers, hit by video and voice clones of people they trust, on platforms that monetise the advert and carry none of the loss.
Attacks and incidents
- Ontario pensioner loses CAD$900,000 to a deepfake Carney advert, 26 June. Covered in the lead. The detail that should stick: this was a paid Facebook advert, not an organic post. The distribution channel was an ad network that took money to deliver it.
- Shufti forecasts a 3,900% jump in deepfaked ID-document attacks, 22 June. Annualising January to May data, Shufti's Deepfake Fraud Index projects a 3,900% rise in forged-document attacks and a 495% overall deepfake-fraud increase year on year. Synthetic identity now accounts for 42% of AI fraud, face swaps 17.6%, document deepfakes 11.9%. Vendor data with a commercial incentive, so weight it accordingly, but the direction is the KYC story of the year.
- Silent Ransom Group adds physical break-ins to its vishing playbook, 5-7 June. Mandiant tracked UNC3753 running IT-helpdesk vishing against US legal and financial firms from January to May, then, when the phone calls failed, physically entering offices posing as IT technicians. Attack to extortion in under one business day. The human help desk remains the door, by phone or in person.
- Scattered Spider context. The two guilty pleas led last week's issue. Sentencing is set for July. The thread connecting all three of these items: the breach is a person, not a model.
New generation models (voice, video, image)
- Wan-Streamer v0.1, Alibaba, 23 June. The one to actually worry about. A real-time, full-duplex interactive avatar built as a single transformer that interleaves text, audio and video, at roughly 200ms model-side latency and 550ms end to end, so it watches, listens and replies at the same time rather than taking turns. It is a research preview, but the direction is the point: this is the video-call equivalent of real-time voice cloning. A single real-time interactive model collapses a scripted, pre-rendered deepfake call into something an attacker could hold a live conversation through.
- Kling 3.0 Turbo, Kuaishou, 17 June. Fast video generation, 3 to 15 seconds at 720p or 1080p, multi-shot prompting, and native audio with lip-sync in five languages, at roughly CNY 0.8 to 1 per second. Cheap, multilingual, lip-synced video bait is now a per-second commodity.
- Seedance 2.0 gets native 4K, ByteDance, 23 June. True 3840x2160 output with 10-bit colour. Native 4K matters for the defence side because it removes the upscaling artefacts that many video detectors quietly rely on.
- Chatterbox Multilingual v3, Resemble AI, 10 June. Open-source (MIT), 25 languages, sub-300ms first-byte latency. Its PerTh neural watermark is embedded by default and designed to survive Opus and G.711 telephony codecs, editing and resampling. A rare case of an open model shipping provenance with the capability. The catch is in the trenches section below.
Defence side
- Modulate ships AI music detection, 24 June. A three-model ensemble with a claimed 95% precision across 76 genres on internal tests. That is the vendor's own benchmark, so treat it as directional. Notable because audio detection is being pushed beyond speech.
- Ofcom finds watermarks strip under basic edits, 4 June. Buried in Ofcom's 2026/27 AI Strategy is a finding that watermarks can often be removed after simple editing. A technically literate regulator putting this in writing should give pause to anyone building a compliance plan on watermark verification alone.
- AT-ADD challenge (ACM Multimedia 2026). The All-Type Audio Deepfake Detection challenge extends evaluation beyond speech to singing, music and environmental sound. The community admitting the generators crossed media boundaries first.
Regulation and policy
- US: first criminal Take It Down seizures, 15 June. Covered in the lead. Civil enforcement has now escalated to criminal asset seizure with an international arrest.
- US: FAIR Act introduced, 15 June. Senators Merkley and Padilla proposed criminalising AI-generated election deception. 31 states have deepfake election laws; there is still no federal one.
- US: Washington's broad deepfake personality law took effect 10 June. SB 5886 now covers all AI digital replicas of any person, the widest right-of-publicity deepfake law in the US.
- UK: two private actions against AI deepfakes. Labour MP Jess Asato filed a High Court claim against xAI, and Graham Norton won a US court order unmasking anonymous deepfake accounts. Litigation is filling the gap statute has not.
- EU: Article 50 clock still running. Transparency obligations apply from 2 August.
Deals and moves
- Banks are repricing deepfake risk, KPMG, 25 June. 84% of banking executives are increasing AI-specific cybersecurity spend, 32% already use AI biometrics and 72% plan to within three years. The budget is moving, mostly toward identity and KYC rather than telephony.
- Detection capital stayed quiet this week. The asymmetry between generation capital and detection capital holds.
From the trenches
What I am seeing this week building DeepBlocker. Two items sit in direct tension, and the tension is the lesson. Resemble's Chatterbox v3 ships a watermark built to survive telephony codecs. Ofcom, the same fortnight, publishes a finding that watermarks strip under basic edits.
Watermarking is a provenance tool for honest publishers. If a legitimate studio or a compliant TTS vendor wants to declare "this audio is synthetic," a robust watermark like PerTh is a good way to do it. But provenance is opt-in by the generator. The fraudster cloning a CEO does not reach for the model that watermarks by default. They reach for one of the dozens that do not, or they strip the mark, or they record the output through an analogue hop and re-encode it. Watermark verification answers "did an honest party label this," never "is this real."
For telephony that distinction is everything. A call arrives over an 8 kHz codec from an unknown number. There is no metadata, no signed manifest, no cooperating generator. The only thing you actually have is the audio. So detection-by-artefact, scoring the waveform in the codec it arrived in, still has to carry the load that watermarking cannot. Provenance is a label on the honest. Detection is the lock on the door. Do not let a vendor sell you the first as if it were the second.
Worth reading
- DOJ seizes CFake and SOCFake under the Take It Down Act (BleepingComputer, 15 June 2026). The enforcement milestone.
- An 86-year-old lost CAD$900,000 to a deepfake Carney advert (BNN Bloomberg, 26 June 2026). The human cost of the unprotected consumer channel.
- Shufti's Deepfake Fraud Index (Biometric Update, 22 June 2026). The KYC and synthetic-identity numbers.
- Wan-Streamer v0.1 (Alibaba, arxiv, 23 June 2026). The clearest signal of where video deepfakes are heading.
- Ofcom's 2026/27 AI Strategy and the watermark finding (Broadband TV News, 4 June 2026). The regulator quietly admitting watermarks are fragile.
If you saw something this week I missed, reply or connect with me on LinkedIn. Forward this to one person who cares about voice AI safety.