Less than a month after its groundbreaking launch, Chinese artificial intelligence company DeepSeek has found itself at the center of a cybersecurity storm.
The company, which debuted its first AI model, DeepSeek-R1, on January 20, 2025, has been grappling with severe cyberattacks that have disrupted operations and delayed new user registrations.
These attacks, involving the botnets HailBot and RapperBot, have raised alarms across the tech industry about the growing sophistication of cyber threats.
DeepSeek’s Meteoric Rise
Founded in late 2023, DeepSeek quickly gained global attention with the release of its DeepSeek-R1 model. The model achieved AI performance comparable to OpenAI’s ChatGPT at a fraction of the cost: under $6 million.
By leveraging less-advanced chips, DeepSeek reduced operational costs by up to 50 times compared to competitors.
Additionally, its decision to make the AI open source further fueled its popularity, resulting in millions of app downloads within days of its launch. However, this rapid success also made it a target for cybercriminals.
Timeline of the Cyberattacks
The attacks on DeepSeek began in early January and escalated significantly by the end of the month. Here is a detailed timeline of events:
January 27: DeepSeek announced it was pausing new user registrations due to “large-scale malicious attacks” on its infrastructure.
January 28: Cybersecurity firm Wiz.io reported a leaked ClickHouse database linked to DeepSeek. The database contained sensitive user data, including chat histories and API keys. However, this leak was deemed unrelated to the ongoing attacks.
January 29: The Global Times revealed that DeepSeek had been enduring regular distributed denial-of-service (DDoS) attacks since early January. These attacks utilized reflection amplification techniques and were accompanied by HTTP proxy attacks and brute-force attempts originating from U.S.-based IP addresses.
January 30: A report by XLab disclosed that two Mirai botnet variants, HailBot and RapperBot, were behind the latest wave of attacks. These botnets launched coordinated assaults using 16 command-and-control (C2) servers and over 100 C2 ports.
The Botnets Behind the Attacks
According to an ANY.RUN report, the two botnets responsible for disrupting DeepSeek’s operations are sophisticated variants of the infamous Mirai botnet:
HailBot
HailBot specializes in DDoS attacks and exploits vulnerabilities like CVE-2017-17215 in certain Huawei devices. By compromising a wide range of devices, HailBot can launch large-scale denial-of-service attacks.
Analysis using ANY.RUN’s Interactive Sandbox revealed that HailBot establishes connections with its C2 server through detectable network traffic patterns.
RapperBot
RapperBot spreads through SSH brute-force attacks and is identified by the string “SSH-2.0-HELLOWORLD.” Once it compromises a device, it ensures persistent access by replacing SSH keys and creating a superuser account named “suhelper.”
Additionally, RapperBot includes cryptojacking capabilities through the XMRig Monero miner, enabling it to mine cryptocurrency on infected devices.
Sandbox analysis showed that RapperBot generated nearly 140,000 network connection attempts within three minutes, a staggering volume that underscores its disruptive potential.
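The RapperBot indicators above (the “SSH-2.0-HELLOWORLD” string, the “suhelper” superuser account, and replaced SSH keys) translate directly into host-side checks a defender can run. The following script is an added example, not ANY.RUN’s or XLab’s tooling; it treats the string as the client version banner seen in connection logs, and the passwd entries, key files and IP addresses are constructed sample data.

```python
"""Audit a host for the RapperBot indicators described in the article.
All sample inputs below are constructed for the demo; the banner, the
account name and the key-replacement behaviour are from the article."""
from typing import Dict, List, Tuple

RAPPERBOT_BANNER = "SSH-2.0-HELLOWORLD"   # string reported for RapperBot
SUSPECT_ACCOUNT = "suhelper"              # superuser account it creates


def uid0_accounts(passwd_text: str) -> List[str]:
    """Return every /etc/passwd account with UID 0 other than root."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def key_changes(baseline: str, current: str) -> Dict[str, List[str]]:
    """Diff authorized_keys against a known-good copy; removals matter
    because RapperBot replaces the victim's keys with its own."""
    clean = lambda t: {l.strip() for l in t.splitlines() if l.strip() and not l.startswith("#")}
    base, cur = clean(baseline), clean(current)
    return {"removed": sorted(base - cur), "added": sorted(cur - base)}


def audit(passwd_text: str, baseline_keys: str, current_keys: str,
          client_banners: List[Tuple[str, str]]) -> List[str]:
    """Combine the checks into a list of human-readable findings."""
    findings = []
    for acct in uid0_accounts(passwd_text):
        tag = " (matches RapperBot's known account name)" if acct == SUSPECT_ACCOUNT else ""
        findings.append(f"extra UID-0 account: {acct}{tag}")
    diff = key_changes(baseline_keys, current_keys)
    if diff["removed"]:
        findings.append(f"authorized_keys entries removed: {len(diff['removed'])}")
    if diff["added"]:
        findings.append(f"authorized_keys entries added: {len(diff['added'])}")
    for src, banner in client_banners:          # (source IP, client banner)
        if banner == RAPPERBOT_BANNER:
            findings.append(f"RapperBot client banner from {src}")
    return findings


# Constructed sample data (addresses are RFC 5737 documentation ranges).
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nsuhelper:x:0:0::/:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/bash\n"
BASELINE_KEYS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY1 alice@laptop\n"
CURRENT_KEYS = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLEKEY2 attacker\n"
SAMPLE_BANNERS = [("203.0.113.7", "SSH-2.0-HELLOWORLD"), ("198.51.100.2", "SSH-2.0-OpenSSH_9.6")]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, BASELINE_KEYS, CURRENT_KEYS, SAMPLE_BANNERS):
        print("ALERT:", finding)
```

On a real host, feed it the contents of /etc/passwd, each user's authorized_keys alongside a baseline kept off-box, and client banners from your SSH or network logs.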
The cyberattacks on DeepSeek serve as a stark reminder of the vulnerabilities faced by companies reliant on digital infrastructure.
With botnets like HailBot and RapperBot available as services, even attackers with limited technical expertise can launch devastating attacks.
For AI-driven businesses like DeepSeek, such disruptions can lead to service outages, data breaches, and erosion of customer trust.
DeepSeek’s ordeal highlights both the promise and peril of rapid technological advancement. While its innovative AI model has disrupted the industry, it has also attracted sophisticated cyber threats that could undermine its success.
As cybersecurity experts analyze these incidents further, organizations worldwide must remain vigilant against evolving threats.
Tools like ANY.RUN’s Interactive Sandbox have proven invaluable in identifying and analyzing malware like HailBot and RapperBot. By leveraging such technologies, companies can better protect their digital ecosystems from similar attacks in the future.