To address unauthorized source identity appropriation in Deepfake face-swapping under pure black-box settings, this paper proposes an active identity-obfuscation defense that operates without access to the target face-swapping model. By injecting identity-aware perturbations into the source face, the method renders it unrecognizable to downstream swapping systems, thereby preventing identity forgery. Key contributions include: (1) the first pure black-box active defense paradigm explicitly designed for source identity protection; (2) a dynamic weighted identity loss that significantly enhances cross-model generalization; and (3) a shallow-feature fusion-based camouflage reconstruction architecture that avoids pixel-level perturbation stacking and preserves visual fidelity. Extensive experiments demonstrate that the method reduces source identity retention rates to below 5% on mainstream face-swapping models—including FaceShifter and SimSwap—outperforming existing active perturbation approaches by a substantial margin.

Suffering from performance bottlenecks in passively detecting high-quality Deepfake images due to the advancement of generative models, proactive perturbations offer a promising approach to disabling Deepfake manipulations by inserting signals into benign images. However, existing proactive perturbation approaches remain unsatisfactory in several aspects: 1) visual degradation due to direct element-wise addition; 2) limited effectiveness against face swapping manipulation; 3) unavoidable reliance on white- and grey-box settings to involve generative models during training. In this study, we analyze the essence of Deepfake face swapping and argue the necessity of protecting source identities rather than target images, and we propose NullSwap, a novel proactive defense approach that cloaks source image identities and nullifies face swapping under a pure black-box scenario. We design an Identity Extraction module to obtain facial identity features from the source image, while a Perturbation Block is then devised to generate identity-guided perturbations accordingly. Meanwhile, a Feature Block extracts shallow-level image features, which are then fused with the perturbation in the Cloaking Block for image reconstruction. Furthermore, to ensure adaptability across different identity extractors in face swapping algorithms, we propose Dynamic Loss Weighting to adaptively balance identity losses. Experiments demonstrate the outstanding ability of our approach to fool various identity recognition models, outperforming state-of-the-art proactive perturbations in preventing face swapping models from generating images with correct source identities.