Boosting Active Defense Persistence: A Two-Stage Defense Framework Combining Interruption and Poisoning Against Deepfake

📅 2025-08-11
🤖 AI Summary
Problem: Existing proactive defenses against deepfakes lack persistence, because attackers can rapidly bypass them by retraining their models on protected (i.e., perturbed) samples.
Method: This paper proposes TSDF, a two-stage defense framework that introduces a novel intensity separation mechanism to generate dual-function adversarial perturbations, which simultaneously degrade the usability of forged outputs and poison the attacker’s data curation process. Crucially, TSDF is the first to embed data-source poisoning directly into proactive defense: during inference, perturbations disrupt deepfake generation; during the attacker’s model training phase, they contaminate the adversary’s dataset, impairing model adaptation.
Results: Experiments demonstrate that, unlike conventional perturbation-based interference methods, whose efficacy collapses under iterative retraining, TSDF maintains stable and high defense performance across multiple attack rounds, significantly enhancing long-term robustness and practical deployability.

📝 Abstract
Active defense strategies have been developed to counter the threat of deepfake technology. However, a primary challenge is their lack of persistence, as their effectiveness is often short-lived. Attackers can bypass these defenses by simply collecting protected samples and retraining their models. This means that static defenses inevitably fail when attackers retrain their models, which severely limits practical use. We argue that an effective defense not only distorts forged content but also blocks the model's ability to adapt, which occurs when attackers retrain their models on protected images. To achieve this, we propose an innovative Two-Stage Defense Framework (TSDF). Benefiting from the intensity separation mechanism designed in this paper, the framework uses dual-function adversarial perturbations to perform two roles. First, it can directly distort the forged results. Second, it acts as a poisoning vehicle that disrupts the data preparation process essential for an attacker's retraining pipeline. By poisoning the data source, TSDF aims to prevent the attacker's model from adapting to the defensive perturbations, thus ensuring the defense remains effective long-term. Comprehensive experiments show that the performance of traditional interruption methods degrades sharply when it is subjected to adversarial retraining. However, our framework shows a strong dual defense capability, which can improve the persistence of active defense. Our code will be available at https://github.com/vpsg-research/TSDF.

Problem

Research questions and friction points this paper is trying to address.

Enhancing deepfake defense persistence against model retraining
Combining interruption and poisoning to disrupt attacker adaptation
Preventing defense bypass via dual-function adversarial perturbations

Innovation

Methods, ideas, or system contributions that make the work stand out.

Two-stage defense combining interruption and poisoning
Dual-function adversarial perturbations for distortion and poisoning
Intensity separation mechanism for persistent defense

Authors

Hongrui Zheng
School of Computer Science and Technology, Xinjiang University, Urumqi, China

Yuezun Li
Assistant Professor, Ocean University of China
Multimedia Forensics, Computer Vision, DNN Security

Liejun Wang
School of Computer Science and Technology, Xinjiang University, Urumqi, China; Xinjiang Multimodal Intelligent Processing and Information Security Engineering Technology Research Center, Urumqi, China; Silk Road Multilingual Cognitive Computing International Cooperation Joint Laboratory, Xinjiang University, Urumqi, China

Yunfeng Diao
Assistant Professor, Hefei University of Technology
Adversarial Robustness, Computer Vision, AI Security

Zhiqing Guo
School of Computer Science and Technology, Xinjiang University, Urumqi, China; Xinjiang Multimodal Intelligent Processing and Information Security Engineering Technology Research Center, Urumqi, China; Silk Road Multilingual Cognitive Computing International Cooperation Joint Laboratory, Xinjiang University, Urumqi, China