The rapid rise of DeepSeek, a Chinese artificial intelligence (AI) company, has not only disrupted the AI industry but also attracted the attention of cybercriminals.
As its AI Assistant app became the most downloaded free app on the iOS App Store in January 2025, surpassing OpenAI’s ChatGPT, malicious actors have exploited its popularity to launch phishing campaigns, investment scams, and malware attacks.
Cybercriminals have created fraudulent websites mimicking DeepSeek’s platform to target cryptocurrency users.
These sites, such as abs-register[.]com and deep-whitelist[.]com, lure victims into connecting their cryptocurrency wallets.
When a victim scans the QR code presented on one of these fake platforms, they unknowingly link their wallet to the attacker-controlled site, which can lead to loss of funds.
Analysts at Cyble also found that the phishing sites impersonate legitimate wallet services such as MetaMask and WalletConnect, which makes them highly convincing.
Technical details of the campaign:
- Targeted wallets: MetaMask, WalletConnect
- Attack mechanism: QR code phishing
- Example URLs (defanged): hxxp://abs-register[.]com, hxxps://deep-whitelist[.]com
Surge in Frauds & Phishing Attacks
Another prevalent scam involves fake cryptocurrency tokens marketed as “DeepSeekAI Agent.”
Fraudulent sites provide a wallet address for purchasing these tokens, but the token contract prevents buyers from selling or withdrawing what they bought. The token address 0x27238b76965387f5628496d1e4d2722b663d2698 has been blacklisted as a honeypot.
Domains such as deepseek-shares[.]com falsely advertise pre-IPO shares of DeepSeek to deceive investors.
DeepSeek remains privately held and has announced no IPO; these sites exist to harvest sensitive personal information for further exploitation.
Threat actors have also used DeepSeek's name to distribute malware disguised as legitimate downloads of its app.
Samples of AMOS Stealer (the Atomic macOS Stealer) carrying DeepSeek branding have been detected in the wild. According to the researchers, these samples are capable of data exfiltration, credential theft, and remote command execution.
Malware indicators:
- File names: variants starting with "DeepSeek"
- SHA-256 hashes:
e596da76aaf7122176eb6dac73057de4417b7c24378e00b10c468d7875a6e69e
a3d06ffcb336cba72ae32e4d0ac5656400decfaf40dc28862de9289254a47698
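The indicators above (the phishing domains and the two sample hashes) are only useful once they are turned into a check that runs over your own telemetry. The following Python script is an added example, not code from the article or from Cyble: it refangs the published domains, sweeps constructed proxy-log lines for them plus a simple "contains 'deepseek' but is not under deepseek.com" lookalike heuristic, and checks constructed file-inventory entries against the published SHA-256 hashes and the "DeepSeek*" filename pattern. The log format, the sample lines and the inventory entries are invented for the example, and the assumption that deepseek.com is the only legitimate apex domain is the example's own.

```python
import re
from urllib.parse import urlparse

# Indicators from the article: phishing domains (defanged as published) and
# SHA-256 hashes of the DeepSeek-themed malware samples.
PHISHING_DOMAINS = {
    "abs-register[.]com",
    "deep-whitelist[.]com",
    "deepseek-shares[.]com",
}
MALWARE_SHA256 = {
    "e596da76aaf7122176eb6dac73057de4417b7c24378e00b10c468d7875a6e69e",
    "a3d06ffcb336cba72ae32e4d0ac5656400decfaf40dc28862de9289254a47698",
}
# Assumption for this example: deepseek.com and its subdomains are the only
# legitimate hosts; any other host containing "deepseek" is treated as a lookalike.
OFFICIAL_APEX = "deepseek.com"


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('hxxps://abs-register[.]com') to its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


BAD_HOSTS = {refang(d) for d in PHISHING_DOMAINS}


def classify_host(host: str):
    """Return a verdict string for a hostname, or None if it looks benign."""
    host = host.lower().rstrip(".")
    if host in BAD_HOSTS:
        return "known phishing domain"
    if host == OFFICIAL_APEX or host.endswith("." + OFFICIAL_APEX):
        return None
    if "deepseek" in host:
        return "lookalike domain (contains 'deepseek', not under deepseek.com)"
    return None


# Constructed proxy-log format for this example: "<timestamp> <client-ip> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<url>https?://\S+)$")


def scan_proxy_log(lines):
    """Return (client_ip, host, verdict) for every line whose host is flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines that do not fit the expected format are skipped
        host = urlparse(m.group("url")).hostname or ""
        verdict = classify_host(host)
        if verdict:
            hits.append((m.group("src"), host, verdict))
    return hits


def check_file(name: str, sha256: str):
    """Return the reasons a file-inventory entry is suspicious (empty if none).
    The hash is a definite indicator; the filename prefix is only a weak signal."""
    reasons = []
    if sha256.lower() in MALWARE_SHA256:
        reasons.append("sha256 matches a known DeepSeek-themed malware sample")
    lowered = name.lower()
    if lowered.startswith("deepseek") and lowered.endswith((".dmg", ".pkg", ".exe", ".msi", ".zip")):
        reasons.append("installer/archive name starts with 'DeepSeek'")
    return reasons


def scan_inventory(entries):
    """entries: iterable of (filename, sha256). Returns [(filename, reasons)] for hits only."""
    hits = []
    for name, digest in entries:
        reasons = check_file(name, digest)
        if reasons:
            hits.append((name, reasons))
    return hits


# Constructed sample data (not real telemetry).
SAMPLE_LOG = [
    "2025-02-01T10:00:01Z 10.0.0.5 https://abs-register.com/connect",
    "2025-02-01T10:00:07Z 10.0.0.5 https://chat.deepseek.com/",
    "2025-02-01T10:00:42Z 10.0.0.7 https://deep-whitelist.com/qr",
    "2025-02-01T10:01:13Z 10.0.0.9 https://deepseek-shares.com/invest",
    "2025-02-01T10:02:40Z 10.0.0.12 https://deepseek-whitelist.example/claim",
    "2025-02-01T10:03:02Z 10.0.0.12 https://www.deepseek.com/",
    "malformed line that the parser should skip",
]
SAMPLE_INVENTORY = [
    ("DeepSeek.dmg", "e596da76aaf7122176eb6dac73057de4417b7c24378e00b10c468d7875a6e69e"),
    ("report.pdf", "0" * 64),
    ("DeepSeek-Setup.exe", "1" * 64),
]

if __name__ == "__main__":
    for src, host, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{src} -> {host}: {verdict}")
    for name, reasons in scan_inventory(SAMPLE_INVENTORY):
        print(f"{name}: {'; '.join(reasons)}")
```

Note that deep-whitelist[.]com contains no brand keyword at all, so it is caught only by the exact-match list; the lookalike heuristic is there to catch the next domain in the campaign, which the list will not have. Treat the filename rule as a triage hint rather than a verdict, since the official installer may well be named "DeepSeek" too.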
DeepSeek's open-source large language models (LLMs) have proven vulnerable to jailbreaking techniques such as "Crescendo" and "Deceptive Delight."
These methods bypass the models' safety guardrails, enabling the generation of harmful outputs such as phishing templates, keylogger scripts, and even chemical weapon instructions.
Example code output (Windows only; requires the pywin32 package):

```python
import win32com.client  # pywin32 binding for COM objects; Windows only


def execute_command(command):
    # Launch an arbitrary command through the Windows Script Host shell object
    shell = win32com.client.Dispatch("WScript.Shell")
    shell.Run(command)
```

The snippet itself only wraps the Windows Script Host shell object to run an arbitrary command; its significance is that the model produced it on request once its guardrails had been bypassed, which illustrates how attackers could use DeepSeek-generated code for malicious purposes.
Separately from the scams that abuse its brand, DeepSeek itself recently exposed over one million sensitive records through a publicly accessible, unsecured database.
The exposed data included API keys, chat logs, and backend operational data. The issue was closed quickly, but it underscores weaknesses in the platform's own security posture, not just the abuse of its name by third parties.
Users should verify official sources before engaging with any DeepSeek-related content and avoid scanning unverified QR codes or downloading apps from unofficial websites.
Using strong antivirus software helps detect potential threats, while staying informed about cybersecurity best practices enhances overall protection against risks.