AI deepfakes impersonate Arup executives, steal $25.6M in Hong Kong

The Theft

In February 2024, scammers used AI-generated deepfake video and audio to impersonate Arup Group Ltd.'s CFO and other executives during a video conference call with a finance employee at the British engineering firm's Hong Kong office. The employee was instructed to authorize 15 transfer orders totaling approximately $25 million USD to multiple Hong Kong bank accounts controlled by the fraudsters. The transfers went through before the scheme was detected.

Arup, a multinational design and engineering firm headquartered in London, confirmed the incident publicly on May 2, 2024. The Hong Kong Police Force simultaneously issued a statement describing it as the first documented case of deepfake-based CFO fraud in the territory.

How the Attack Worked

The scammers' method combined video deepfake generation with voice cloning technology. The employee participated in what appeared to be a legitimate video conference with multiple "participants." The fraudsters had pre-verified their identities through chat beforehand—a detail that lent credibility to the call. During the video meeting, the fake executives issued instructions to execute the wire transfers, which the employee processed.

The deepfake technology was sophisticated enough to pass real-time scrutiny in a video call format, suggesting the attackers either used high-quality synthetic media or intercepted and manipulated live video feeds. No details have been disclosed about the specific AI systems or tools used to generate the deepfakes.

Investigation and Recovery

The Hong Kong Police Force opened an investigation immediately. As of May 2024, no arrests or charges had been reported, and no suspects were publicly identified. The investigation remained ongoing with no updates disclosed through 2026.

Arup stated it was working with Hong Kong banks to attempt recovery of the stolen funds, though the status of those recovery efforts has not been disclosed. The firm confirmed that no client data was breached in the incident. Following the fraud, Arup enhanced its cybersecurity training for employees.

The Hong Kong Police issued public warnings about deepfake risks in the wake of the case, highlighting the emerging threat this technology poses to corporate finance operations.