the scary part is how easy this would be to do right now, especially for a larger, higher-profile company. leadership is almost synonymous with an online presence in the form of podcasts, interviews, youtube videos, conference talks. combine that with public photo-sharing app profiles, and you're in business.

Yeah C-suite execs are often on quarterly investor calls and those calls are made public as a matter of record aren't they?

It's a sophisticated attack for sure, but the data collection really isn't too difficult now. A minute or two of audio is sufficient for voice, and a single good image.

It seems that only the voices were deep-faked, and the video material was from genuine calls and downloaded before the attack: https://news.rthk.hk/rthk/en/component/k2/1739119-20240204.h...

$25 mil was on the stake.

It would easily be worth it spending $1m on the perfect setup.

Only if it works >4% of the time.

Only if you intend to run the scam only once, or if all of the work is completely bespoke and not reusable for future attacks.

That seems unlikely. I'm pretty sure there's actually a lot of economies of scale here, where the attackers' pipelines will become vastly more efficient and higher quality over time, with each attack requiring less manual work.

The most likely explanation is the employee responsible here was actually the one who stole the money.

spearphaking?