Anastasiya Novikava
Copywriter
Summary: In just 5 months of 2026, dark web posts on deepfakes surpassed all of 2025. The rise of deepfake-as-a-service can make impersonation fraud easier.
New data from the dark web shows that deepfake-as-a-service has become one of the fastest-growing areas of underground cybercrime this year. In the first 5 months of 2026 alone, discussions about deepfake fraud already exceeded the total for all of 2025 by 39%. If the current pace holds, DFaaS discussions for the full year will be roughly 3.3 times the total for 2025.
Deepfake-as-a-service (DFaaS) is a market label for turnkey voice cloning, face swapping, synthetic videos, virtual cameras, fake documents, and synthetic profiles sold on the dark web. The trend might point to a new wave of business email compromise (BEC) attacks that use AI-generated video and audio.
Cybercrime-as-a-service discussions hit 74% of the 2025 total in just 5 months
NordStellar tracked 9,234 dark web posts that discussed cybercrime-as-a-service in 2025. Between January and May of 2026, that number reached 6,866—already 74% of last year’s total—in just 5 months. Deepfake-as-a-service (DFaaS) discussions led the increase.
“The rapid growth in popularity of deepfakes-as-a-service is likely accelerated by advancements in generative AI, which help cybercriminals in two ways: by speeding up the creation of deepfakes and making them hyper-realistic,” says Vakaris Noreika, cybersecurity expert at NordStellar. “Ultimately, this service lowers the barrier to entry for deepfake technology, enabling threat actors to deploy highly deceptive attacks on a larger scale, regardless of their personal technical skills.“
Deepfakes power a new era of “fake boss” scams
The rise in DFaaS could have direct consequences for businesses, especially when it comes to business email compromise (BEC) and CEO fraud.
BEC remains one of the most financially damaging online crimes. The FBI’s examples include fake vendor bank account changes, a CEO asking an assistant to purchase gift cards, and fraudulent wire instructions in real estate deals.
Before AI, fake boss scams used to stop at email, but that’s no longer the case. The FBI, FinCEN, and Europol describe AI-generated voice and video impersonations of executives as tools that increase trust and pressure victims into making payments. Hackers can pair these deepfakes with traditional BEC tactics to build more convincing impersonations of vendors, colleagues, and executives.
The FBI reports that business email compromise was the second most costly type of cybercrime in 2025. The Internet Crime Complaint Center (IC3) recorded 24,768 BEC complaints and more than $3 billion in losses—an 11% increase from the $2.7 billion reported in 2024.
“Deepfakes can be used to elevate business email compromise attacks to make them even harder to spot. Instead of fake payment instructions in an email, employees can now be targeted via highly realistic video and voice calls impersonating partners or managers asking them to transfer funds,” Noreika explains. “As AI tools grow more sophisticated, deepfakes are evolving rapidly. It is now easier than ever to create convincing video or audio that lacks the usual telltale signs of AI generation, making it extremely challenging for users to spot the deception, especially when a sense of urgency is involved.“
Hackers often deploy these attacks to obtain fake payments, steal confidential documents, or break into a company’s network for a larger attack. Advanced BEC campaigns rely on extensive research. For example, hackers may strike when the recipient is expecting an invoice.
How the broader cybercrime statistics break down
Deepfake cybercrime is on the rise, but traditional cybercrime services show mixed results. DDoS-as-a-service discussions grew by 23% in 2025, and malware-as-a-service discussions grew by 33%. However, stealer-as-a-service posts dropped by 56%, phishing-as-a-service talks dropped by 24%, and ransomware-as-a-service posts declined by 9%.
In the first 5 months of 2026, DDoS-as-a-service discussions already reached 2,862 posts, which is 115% of the total for the entire year of 2025. Malware-as-a-service discussions reached 1,454 posts, accounting for 57% of the 2025 total. Phishing-as-a-service posts reached 53% of its 2025 total; ransomware-as-a-service posts—51% of its 2025 total; stealer-as-a-service posts—35% of its 2025 total.
If the current pace holds, the following categories are projected to increase:
- DDoS-as-a-service: up 176%
- Malware-as-a-service: up 37%
- Phishing-as-a-service: up 27%
- Ransomware-as-a-service: up 22%
The only category projected to decrease is stealer-as-a-service, which is expected to drop 16% from 2025.
How to defend against deepfakes
To resist deepfakes, a cybersecurity strategy should focus on prevention and employee education. Organizations cannot control whether cybercriminals target them, but layered measures can make BEC attacks harder to pull off.
“The more details and access attackers obtain, the easier it is for them to craft highly realistic, targeted attacks,” says Noreika. “Monitoring the dark web for leaked company information is a critical step in preventing cybercriminals from finding credentials to breach accounts or data to use as intel.“
Employee education on BEC attacks is vital. A positive cybersecurity culture matters just as much.
“Attackers take advantage of their targets by creating a sense of urgency,” Noreika says. “Even if employees are aware of cybercriminals’ tactics, slowing down to double-check a request that’s coming from a person of authority can be daunting to most, especially if deadlines are tight. Efficiency shouldn’t come at the expense of possibly exposing the company to a cyberattack, and employees should feel safe and empowered to raise red flags when something is off, and take some time to inspect the request before diving headlong.“
A strong strategy can limit the damage if attackers do succeed and gain access to a company’s network. Network segmentation and multi-factor authentication can stop attackers from moving through the network and block their access to sensitive resources.
Methodology
The NordStellar platform was used to analyze discussions from dark web forums and monitored Telegram channels. The source data covers 6 tracked categories across as-a-service offerings. For each category, NordStellar retrieved post counts from January through May of 2026, as well as for 2024 and 2025.
The data shows discussion volume, not necessarily active services. But sustained high volume is a reliable indicator of market activity.
Disclaimer. This analysis is based on detected activity and is for informational purposes only. It does not constitute professional advice or a guarantee of security. All third-party trademarks and references remain the property of their respective owners and are used for identification purposes only.
