This work addresses the growing threat of deepfake-based face swapping to privacy and security, noting that existing pixel-level defenses are ineffective against advanced models leveraging high-dimensional identity embeddings. To counter this, the authors propose the first approach that introduces learnable perturbations directly in the identity embedding space to actively erase identifiable information, while employing a face restoration generator to produce visually natural images. Evaluated under black-box settings, the method drastically reduces the adversary’s ability to exploit identity cues—lowering Top-1 identification accuracy to 0.30 and mean identity similarity to 0.504—without compromising perceptual quality, as evidenced by a low FID of 1.64 and LPIPS of 0.020. The approach further demonstrates strong generalization and robustness across datasets and common image distortions.

Deepfake technologies have rapidly advanced with modern generative AI, and face swapping in particular poses serious threats to privacy and digital security. Existing proactive defenses mostly rely on pixel-level perturbations, which are ineffective against contemporary swapping models that extract robust high-level identity embeddings. We propose ID-Eraser, a feature-space proactive defense that removes identifiable facial information to prevent malicious face swapping. By injecting learnable perturbations into identity embeddings and reconstructing natural-looking protection images through a Face Revive Generator (FRG), ID-Eraser produces visually realistic results for humans while rendering the protected identities unusable for Deepfake models. Experiments show that ID-Eraser substantially disrupts identity recognition across diverse face recognition and swapping systems under strict black-box settings, achieving the lowest Top-1 accuracy (0.30) with the best FID (1.64) and LPIPS (0.020). Compared with swaps generated from clean inputs, the identity similarity of protected swaps drops sharply to an average of 0.504 across five representative face swapping models. ID-Eraser further demonstrates strong cross-dataset generalization, robustness to common distortions, and practical effectiveness on commercial APIs, reducing Tencent API similarity from 0.76 to 0.36.