This work proposes a novel attack paradigm demonstrating that existing deepfake detection methods significantly fail against semantic-preserving image refinements produced by commercial generative AI systems, leading to a severe underestimation of real-world security risks. By leveraging compliant prompts to invoke the image refinement capabilities of closed-source generative models—such as proprietary chatbots—an adversary can enhance visual quality and preserve identity consistency without deploying custom manipulation algorithms, thereby effectively evading state-of-the-art detectors. The approach exposes a structural mismatch between current detection frameworks’ threat models and the actual capabilities of generative AI, revealing for the first time that the embedded authenticity priors within commercial AI systems can be directly repurposed for adversarial evasion. Experiments show that the refined images maintain identity fidelity under commercial face recognition APIs, with closed-source models yielding substantially higher evasion rates and security risks compared to open-source alternatives.

Generative AI systems increasingly expose powerful reasoning and image refinement capabilities through user-facing chatbot interfaces. In this work, we show that the na\"ive exposure of such capabilities fundamentally undermines modern deepfake detectors. Rather than proposing a new image manipulation technique, we study a realistic and already-deployed usage scenario in which an adversary uses only benign, policy-compliant prompts and commercial generative AI systems. We demonstrate that state-of-the-art deepfake detection methods fail under semantic-preserving image refinement. Specifically, we show that generative AI systems articulate explicit authenticity criteria and inadvertently externalize them through unrestricted reasoning, enabling their direct reuse as refinement objectives. As a result, refined images simultaneously evade detection, preserve identity as verified by commercial face recognition APIs, and exhibit substantially higher perceptual quality. Importantly, we find that widely accessible commercial chatbot services pose a significantly greater security risk than open-source models, as their superior realism, semantic controllability, and low-barrier interfaces enable effective evasion by non-expert users. Our findings reveal a structural mismatch between the threat models assumed by current detection frameworks and the actual capabilities of real-world generative AI. While detection baselines are largely shaped by prior benchmarks, deployed systems expose unrestricted authenticity reasoning and refinement despite stringent safety controls in other domains.