New analysis from NordStellar shows dark web discussions about deepfakes as a service reached 924 posts in the first five months of 2026 — a 39 per cent increase over the 663 posts recorded across all of 2025. The growth outpaces the broader cybercrime-as-a-service category, which has already hit 74 per cent of last year's full-year total in the same window.
NordStellar tracked 9,234 dark web posts discussing cybercrime as a service across 2025. Between January and May 2026 alone, that figure reached 6,866. Within that category, deepfakes as a service is growing fastest — and the numbers are increasingly relevant to enterprise security teams rather than just individual users.
"The rapid growth in popularity of deepfakes as a service is likely accelerated by advancements in generative AI, which help cybercriminals in two ways — by speeding up the creation of deepfakes and making them hyper-realistic," said Vakaris Noreika, cybersecurity expert at NordStellar. "Ultimately, this service lowers the barrier to entry for deepfake technology, enabling threat actors to deploy highly deceptive attacks at a larger scale, regardless of their personal technical skill set."
The most direct business risk is business email compromise (BEC). Noreika argues that deepfakes are now moving impersonation beyond email into audio and video, letting attackers simulate video calls with fabricated colleagues or managers to pressure employees into transferring funds. The FBI ranked BEC as the second costliest cybercrime of 2025, with company losses exceeding $3 billion, an 11 per cent increase on 2024's $2.7 billion.
The stakes are concrete. In a case documented by the World Economic Forum, engineering firm Arup lost $25 million after an employee transferred funds following a video call in which all other participants were AI-generated deepfakes.
NordStellar's recommended countermeasures focus on two layers: reducing the intelligence available to attackers, and building a culture where employees feel empowered to pause on urgent requests. Dark web monitoring for leaked credentials limits the material attackers use to craft convincing approaches. On the human side, Noreika argues that efficiency pressure should not override security scrutiny — employees need explicit permission to slow down when something appears off, particularly when a request appears to come from a figure of authority.
NordStellar's analysis covered underground forums and monitored Telegram channels across six cybercrime-as-a-service categories, tracking monthly post counts from January 2024 through May 2026.