This work addresses the insufficient robustness of audio deepfake detection (ADD) systems against realistic adversarial attacks. We propose the first transferable GAN-based adversarial attack framework that integrates self-supervised audio representations (wav2vec 2.0) with a multi-discriminator architecture. Our method jointly optimizes adversarial examples for cross-model transferability and perceptual fidelity under white-box, gray-box, and black-box settings—overcoming the traditional trade-off between generalizability and audio quality. Experiments on ASVspoof2019 show that state-of-the-art ADD models’ accuracy drops to 26% (white-box), 54% (gray-box), and 84% (black-box). Furthermore, cross-dataset attacks induce significant performance degradation. This study establishes a more operationally relevant benchmark and a novel paradigm for evaluating the security of ADD systems in practical deployment scenarios.

Audio deepfakes pose significant threats, including impersonation, fraud, and reputation damage. To address these risks, audio deepfake detection (ADD) techniques have been developed, demonstrating success on benchmarks like ASVspoof2019. However, their resilience against transferable adversarial attacks remains largely unexplored. In this paper, we introduce a transferable GAN-based adversarial attack framework to evaluate the effectiveness of state-of-the-art (SOTA) ADD systems. By leveraging an ensemble of surrogate ADD models and a discriminator, the proposed approach generates transferable adversarial attacks that better reflect real-world scenarios. Unlike previous methods, the proposed framework incorporates a self-supervised audio model to ensure transcription and perceptual integrity, resulting in high-quality adversarial attacks. Experimental results on benchmark dataset reveal that SOTA ADD systems exhibit significant vulnerabilities, with accuracies dropping from 98% to 26%, 92% to 54%, and 94% to 84% in white-box, gray-box, and black-box scenarios, respectively. When tested in other data sets, performance drops of 91% to 46%, and 94% to 67% were observed against the In-the-Wild and WaveFake data sets, respectively. These results highlight the significant vulnerabilities of existing ADD systems and emphasize the need to enhance their robustness against advanced adversarial threats to ensure security and reliability.