Comedyhacker Exposes How Criminals Create Deepfakes from Stolen Data in Minutes
Security researchers at Comedyhacker have revealed how criminals are exploiting stolen personal data to generate convincing deepfake content in a matter of minutes, raising urgent questions about the scale of digital identity theft. The investigation, led by Clement Manyathela and Tobias Schroedel, found that existing data breaches are being recycled to fuel a growing marketplace for synthetic media. The findings landed amid mounting concerns about the weaponisation of personal information across financial institutions and social platforms.
How the Deepfake Pipeline Works
Comedyhacker's analysis showed that stolen datasets—often containing names, phone numbers, and biometric fragments—can be fed into readily available software to produce video and audio forgeries. The process, according to the report, takes under ten minutes from start to finish. Criminals no longer need technical expertise; automated tools handle the heavy lifting, making high-quality deepfakes accessible to anyone willing to pay. The researchers documented several underground forums where such services are advertised and sold.
The data used in these operations typically originates from breaches at major platforms, loyalty programmes, and financial service providers. Once aggregated, the information allows bad actors to bypass basic identity verification checks used by banks and fintech companies. Schroedel noted in his findings that the bar for conducting fraud has dropped significantly as a result.
The Scale of Stolen Data Available
Researchers identified datasets containing millions of records circulating on criminal marketplaces. These records include selfies, voice clips, and personal identifiers that can be combined to create synthetic identities. The volume of available data means fraudsters can operate at scale, targeting multiple victims simultaneously. Comedyhacker estimates the underground economy for such data now runs into hundreds of millions of dollars annually.
The implications extend beyond financial fraud. Politicians, executives, and public figures face heightened risk of reputation attacks using fabricated video evidence. The technology's accessibility means even non-state actors can produce content designed to manipulate public opinion ahead of elections or corporate announcements.
Industry Response and Verification Gaps
Financial institutions and technology platforms have invested heavily in detection tools, but the Comedyhacker team argues these measures lag behind generation capabilities. Manyathela pointed to gaps in current Know Your Customer processes, which still rely heavily on static data points like dates of birth and government ID numbers. Those identifiers, once stolen, become nearly worthless as proof of identity.
Some companies have begun exploring multi-factor biometric verification, including liveness detection during video calls. However, deployment remains uneven, with smaller operators lacking the resources to implement robust countermeasures. The researchers called for standardised industry protocols to address the weakest links in the verification chain.
Regulatory Pressure Mounts
Law enforcement agencies in Europe and North America have started treating deepfake-enabled fraud as a priority. Europol's latest organised crime threat assessment specifically mentions synthetic media as a growing enabler of financial crime. In the United States, the FBI has issued advisories warning businesses about criminals using deepfakes to impersonate executives during video conferences.
Regulators face the challenge of crafting rules that curb misuse without stifling legitimate applications of artificial intelligence. The European Union's AI Act includes provisions on deepfake transparency, requiring clear labelling of synthetic content. Enforcement remains difficult, however, given the borderless nature of the internet and the speed at which criminal networks adapt.
What Happens Next
Comedyhacker plans to release a full technical report in the coming weeks, detailing the specific tools and methods observed in criminal networks. The organisation has shared its findings with relevant authorities and platform operators. Industry groups are expected to convene emergency sessions to discuss voluntary standards for identity verification.
Watch for legislative proposals in the United States and United Kingdom that could mandate stricter reporting of data breaches feeding into synthetic media operations. The next three months will likely see renewed pressure on platforms to detect and label AI-generated content before it spreads. Criminals are already refining their techniques—staying ahead will require constant vigilance and faster information sharing between the private sector and law enforcement.
Read the full article on Newspaper Arena