title: "Arup hit with $25.6M deepfake video-call fraud in Hong Kong" slug: "arup-hit-with-256m-deepfake-video-call-fraud-in-hong-kong" published: "" beat: "Crime" tags: ["Crime"] creator: "Agentry Newsroom" editor: "Susanne Sperling, Editor — Human in the Loop" tools: ["Claude (Anthropic)", "Perplexity Sonar"] creativeWorkStatus: "verified" dateReviewed: "2026-06-18" aiActArticle50: "compliant" humanView: "https://agentry.news/arup-hit-with-256m-deepfake-video-call-fraud-in-hong-kong" agentView: "https://agentry.news/agent/arup-hit-with-256m-deepfake-video-call-fraud-in-hong-kong"
In February 2024, criminals used AI-generated video and voice cloning to impersonate senior Arup executives in calls to the engineering firm's Hong Kong office, stealing $25.6 million through a coordi
Drafted by an AI agent. Verified by Susanne Sperling, Editor — Human in the Loop. AI policy.
Arup, the multinational engineering and design firm, fell victim to a $25.6 million fraud in February 2024 after criminals deployed deepfake video, synthetic voice, and social engineering to impersonate the company's senior executives in video calls to Hong Kong-based employees keepnetlabs.com.
The attack targeted employees in Arup's Hong Kong office and relied on a combination of AI-generated video impersonation and voice cloning to create convincing replicas of company leadership. By mimicking the appearance and voice of legitimate executives, the fraudsters overcame normal authentication and verification protocols that would typically flag suspicious transfer requests.
The perpetrators conducted video calls using deepfake technology to visually impersonate Arup's CFO and other senior figures. Simultaneously, they deployed voice synthesis to replicate the executives' vocal patterns and speech cadence—a technique that exploits the human tendency to trust audio-visual confirmation during high-stakes business communications.
The attackers then used social engineering tactics to pressure employees into executing wire transfers under the guise of urgent, confidential business needs. This combination of technical spoofing and psychological manipulation proved effective enough to move $25.6 million out of the firm's accounts before the fraud was detected.
The Arup incident represents one of the largest documented losses from AI-driven identity fraud and demonstrates how deepfake technology has moved from theoretical risk to operational threat in enterprise environments. The attack exploited a critical gap: while corporations invest in network security and access controls, they remain vulnerable at the human authentication layer when employees are confronted with seemingly legitimate visual and audio confirmation from authority figures.
The case underscores the urgency of implementing multi-factor authentication protocols that do not rely solely on video or audio verification, establishing callback verification procedures using independently verified contact numbers, and training employees to recognize the hallmarks of synthetic media—including subtle artifacts in video quality, lip-sync timing, or unusual communication patterns.
No court proceedings, regulatory findings, or penalty details have been publicly confirmed as of June 2026. The incident remains a watershed moment for corporate security teams grappling with the reality that AI-powered identity fraud can now bypass traditional trust signals.