DeMark: A Query-Free Black-Box Attack on Deepfake Watermarking Defenses

TL;DR

DeMark is a novel query-free black-box attack that exploits latent-space vulnerabilities in deepfake watermarking schemes, significantly reducing detection accuracy while maintaining image quality, and exposing weaknesses in current defenses.

Contribution

This paper introduces DeMark, the first attack to target deepfake watermarking defenses without queries, revealing their vulnerabilities and challenging their assumed robustness.

Findings

DeMark reduces watermark detection accuracy from 100% to 32.9%.

Current defenses like super resolution and adversarial training are largely ineffective.

Latent-space manipulations can bypass existing watermarking schemes.

Abstract

The rapid proliferation of realistic deepfakes has raised urgent concerns over their misuse, motivating the use of defensive watermarks in synthetic images for reliable detection and provenance tracking. However, this defense paradigm assumes such watermarks are inherently resistant to removal. We challenge this assumption with DeMark, a query-free black-box attack framework that targets defensive image watermarking schemes for deepfakes. DeMark exploits latent-space vulnerabilities in encoder-decoder watermarking models through a compressive sensing based sparsification process, suppressing watermark signals while preserving perceptual and structural realism appropriate for deepfakes. Across eight state-of-the-art watermarking schemes, DeMark reduces watermark detection accuracy from 100% to 32.9% on average while maintaining natural visual quality, outperforming existing attacks. We further evaluate three defense strategies, including image super resolution, sparse watermarking, and adversarial training, and find them largely ineffective. These results demonstrate that current encoder decoder watermarking schemes remain vulnerable to latent-space manipulations, underscoring the need for more robust watermarking methods to safeguard against deepfakes.