Third-party dataset poisoning poses a critical security threat to Deepfake detectors by enabling stealthy backdoor implantation. Method: We propose a novel backdoor attack framework featuring high concealment and semantic controllability. It introduces the first adaptive trigger generation mechanism integrating semantic suppression with cryptographic control, supports both dirty-label and clean-label poisoning paradigms, and combines adversarial trigger synthesis with steganographic pattern embedding. Results: Evaluated on mainstream Deepfake detectors, our approach achieves >98% backdoor activation rate; triggers are imperceptible to human vision and resistant to forensic traceback. This work is the first to systematically demonstrate the feasibility and severity of semantic-level backdoor attacks in the Deepfake data supply chain, providing foundational theoretical insights and practical technical warnings for security evaluation and robustness enhancement of Deepfake defense systems.

With the advancement of AI generative techniques, Deepfake faces have become incredibly realistic and nearly indistinguishable to the human eye. To counter this, Deepfake detectors have been developed as reliable tools for assessing face authenticity. These detectors are typically developed on Deep Neural Networks (DNNs) and trained using third-party datasets. However, this protocol raises a new security risk that can seriously undermine the trustfulness of Deepfake detectors: Once the third-party data providers insert poisoned (corrupted) data maliciously, Deepfake detectors trained on these datasets will be injected ``backdoors'' that cause abnormal behavior when presented with samples containing specific triggers. This is a practical concern, as third-party providers may distribute or sell these triggers to malicious users, allowing them to manipulate detector performance and escape accountability. This paper investigates this risk in depth and describes a solution to stealthily infect Deepfake detectors. Specifically, we develop a trigger generator, that can synthesize passcode-controlled, semantic-suppression, adaptive, and invisible trigger patterns, ensuring both the stealthiness and effectiveness of these triggers. Then we discuss two poisoning scenarios, dirty-label poisoning and clean-label poisoning, to accomplish the injection of backdoors. Extensive experiments demonstrate the effectiveness, stealthiness, and practicality of our method compared to several baselines.