DeepSeek Phishing Sites Pursue User Data, Crypto Wallets
Riding the wave of notoriety from the Chinese company’s R1 AI chatbot, attackers are spinning up lookalike sites for different malicious use cases.
More than two weeks after China’s DeepSeek garnered worldwide attention with its low-cost AI model, threat actors have been busy capitalizing on the news by setting up phishing sites impersonating the company.
The fraudulent sites aim to deceive users into downloading malicious software or providing credentials and other sensitive information. Researchers at Israel-based Memcyco spotted at least 16 such sites actively impersonating DeepSeek earlier this week and believe the activity represents a coordinated attack campaign among threat actors.
Coordinated Campaign?
“Memcyco observed clusters of fake domains registered in waves, often adjusting their content and branding dynamically and in real time, based on how DeepSeek’s website was being perceived and positioned in the market,” says Israel Mazin, CEO and co-founder of Memcyco. “Some sites even changed their attack methods based on these trends to cater to what would be most effective.” In some cases, the threat actors displayed remarkable agility by shifting their infrastructure to new locations and configurations to dodge takedown attempts, he says.
Dozens of phishing sites have popped up since DeepSeek released its free R1 AI chatbot on Jan. 20. Although many of these sites have been taken down, slow response times from some hosting providers, domain registrars, and other intermediaries continue to give phishing operators a window of opportunity to target users interested in exploring DeepSeek with fake websites.
Users who engage with these sites risk identity theft, financial fraud, and malware infection, Mazin says. Some sites even intercept login credentials in real time, enabling account takeovers. Others distribute malware that allows remote access to users’ devices, putting personal and corporate data at risk. “These attacks are especially dangerous when new, exciting, and hyped-up tools are launched, such as DeepSeek, and users are not yet familiar with the website or platform,” he adds.
Others have reported on the threat as well. In a blog post last week, Cyble, for instance, said its researchers had spotted DeepSeek lookalike domains designed to trick users into believing they had landed on the real site. Some of the sites had links to cryptocurrency scams and others to fraudulent investment scams like one touting a nonexistent DeepSeek pre-IPO sale. The DeepSeek-linked cryptocurrency scam site attempted to lure site visitors into scanning a QR code that essentially opened the way for the threat actor to empty their crypto wallets. Another site that Cyble inspected attempted to lure unsuspecting users into purchasing a fake DeepSeekAI Agent crypto token.
“As DeepSeek continues to gain global recognition, cybercriminals are capitalizing on its popularity to launch phishing campaigns, fake investment scams, and fraudulent cryptocurrency schemes,” Cyble noted.
Phishing Isn’t the Only Threat
Fraudulent websites are not the only concern. Innovative threat actors have found other ways to take advantage of the huge interest around DeepSeek. Researchers from Positive Technologies recently spotted two malicious packages labeled “deepseekai” and “deepseeek” on the popular PyPI Python package repository. The packages were targeted at developers and organizations seeking to integrate DeepSeek into their systems and gave their authors a way to steal information from environments where the packages had been downloaded.
Many of the phishing sites that Memcyco observed appeared to fit the pattern of phishing-as-a-service (PhaaS) operators that sell impersonation “phish kits” to fraudsters, Mazin notes. “This could include organized cybercriminal groups, state-backed hackers, or even immature phishers, all with financial or espionage motives.”
The surge in malicious activity surrounding DeepSeek is typical for major news events. It is a reminder of the need for users to be cautious when approaching new, popular, hyped-up services. That means extra vigilance for strange URLs with misspelled words or unprofessional website designs, Mazin advises. “Domain registrars and social media platforms must be proactive in monitoring when new domains and profiles are being registered or created,” he says. “Businesses and organizations should improve scam detection [and] takedowns and deploy real-time digital impersonation protection capabilities to safeguard their users.”
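One defensive check behind that advice, written here as an added example (not tooling from Memcyco, Cyble, or Positive Technologies): it flags domain labels and package names that embed or closely resemble the DeepSeek brand, covering both the lookalike domains and the typosquatted PyPI packages described above. It assumes deepseek.com is the only legitimate domain; the sample names are constructed, apart from the two PyPI package names the article cites.

```python
"""Flag DeepSeek lookalike domain names and package names.

Added example, not the vendors' own detection logic. Assumes the only
legitimate domain is deepseek.com and the brand token is "deepseek".
Sample inputs are constructed, except the two PyPI names from the article.
"""
import re

BRAND = "deepseek"
LEGIT_DOMAINS = {"deepseek.com"}  # assumption: the only legitimate domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_label(label: str) -> str:
    """Return 'brand', 'near-brand' or 'unrelated' for one name token."""
    token = re.sub(r"[^a-z0-9]", "", label.lower())  # drop dashes, underscores
    if BRAND in token:
        return "brand"        # e.g. deepseekai, deepseek-airdrop
    if edit_distance(token, BRAND) <= 2:
        return "near-brand"   # e.g. deepseeek, deepsek
    return "unrelated"


def classify_domain(domain: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a full hostname."""
    domain = domain.lower().rstrip(".")
    if domain in LEGIT_DOMAINS or any(domain.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legit"
    # Check every label except the TLD: the brand is often hidden in a
    # subdomain (deepseek.com.evil.example) rather than the registered name.
    verdicts = {classify_label(part) for part in domain.split(".")[:-1]}
    if verdicts & {"brand", "near-brand"}:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for name in ["deepseek.com", "deepseeek.example", "deepseek.com.evil.example"]:
        print(f"{name:30} {classify_domain(name)}")
    for pkg in ["deepseekai", "deepseeek", "requests"]:  # first two from the article
        print(f"{pkg:30} {classify_label(pkg)}")
```

Edit distance 2 is deliberately loose; in practice a defender would pair this with newly-registered-domain feeds and certificate transparency logs so that hits are reviewed rather than blocked blindly.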
About the Author
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.