The rapid rise of DeepSeek, a Chinese artificial intelligence company known for its open-source large language models (LLMs), has sparked not only excitement but also a significant increase in cyber threats. As of January 2025, the company launched its first free chatbot app, “DeepSeek – AI Assistant,” which quickly became the most downloaded free app on the iOS App Store in the United States, surpassing even OpenAI’s ChatGPT.
According to Cyble, DeepSeek’s success has made it a trailblazer in the AI space, but it has also drawn the attention of cybercriminals, who are now using its reputation to fuel a variety of fraudulent activities, including phishing attacks, malware campaigns, and investment scams.
DeepSeek’s Meteoric Rise and the Cybersecurity Risks That Follow
Following the DeepSeek’s rapid popularity, a concerning trend has emerged. Cybercriminals have begun to exploit its growing recognition to launch scams and malware campaigns. According to recent investigations by Cyble Research and Intelligence Labs (CRIL), several suspicious websites have surfaced, impersonating DeepSeek in an attempt to deceive unsuspecting users. These sites are often tied to cryptocurrency phishing schemes and fraudulent investment opportunities, capitalizing on the trust DeepSeek has earned in the tech community.
One of the key tactics used by threat actors (TAs) involves mimicking the legitimate DeepSeek platform to launch crypto phishing attacks. These schemes involve fraudulent websites that closely resemble DeepSeek’s official site, tricking users into scanning QR codes that ultimately compromise their crypto wallets. Such scams are becoming increasingly common, with cybercriminals taking advantage of popular platforms like DeepSeek to lure users into unsafe situations.
Cyble has identified multiple fraudulent domains tied to these phishing campaigns, including:
- abs-register[.]com
- deep-whitelist[.]com
- deepseek-ai[.]cloud
- deepseek[.]boats
- deepseek-shares[.]com
- deepseek-aiassistant[.]com
- usadeepseek[.]com
These domains were linked to malicious efforts designed to extract users’ personal data, steal cryptocurrency, or promote fraudulent investment schemes.
The Growing Threat of Crypto Phishing
One of the most common phishing tactics identified is the use of QR codes to trick users into compromising their crypto wallets. By creating websites that resemble DeepSeek’s official platform, cybercriminals encourage users to connect their wallets, often through deceptive “Connect Wallet” buttons. When a user selects a wallet option, such as MetaMask or WalletConnect, the website prompts them to scan a QR code. However, this action redirects users to a fraudulent address, which ultimately gives cybercriminals access to the wallet and its contents.
Two specific websites, abs-register[.]com and deep-whitelist[.]com, were flagged as part of this scheme. These phishing sites presented themselves as legitimate portals, luring unsuspecting crypto enthusiasts into connecting their wallets through a misleading interface.
The use of QR codes in phishing schemes is not new, but the rise of platforms like DeepSeek has amplified its effectiveness. By leveraging the credibility of a trending service, cybercriminals are increasingly able to deceive even the most cautious users into falling for these attacks.
Fake Investment Scams Exploit DeepSeek’s Popularity
In addition to phishing attacks, fraudsters have also used DeepSeek’s growing prominence to promote fake investment opportunities. One of the more interesting examples discovered by Cyble was the domain deepseek-shares[.]com, which was registered on January 29, 2025. This fraudulent website posed as an official DeepSeek investment platform, claiming to offer pre-IPO shares of the company.
The problem with this claim is that DeepSeek is a privately held company, and no official initial public offering (IPO) announcements have been made. The website’s real purpose is to gather sensitive personal information from potential investors, which can later be exploited for phishing, identity theft, or financial fraud.
These types of investment scams are particularly dangerous because they prey on individuals eager to capitalize on the perceived success of a rapidly growing company. Fraudsters promise lucrative returns, but the goal is not to help investors profit—it’s to steal their personal data and funds.
Malware Campaigns Linked to DeepSeek
Beyond phishing and investment scams, there are also reports of malware campaigns taking advantage of DeepSeek’s rising influence. According to Cyble’s research, several malicious websites have been found claiming to offer legitimate DeepSeek app downloads for various platforms, including Windows, iOS, and Android. While some of these sites appear to be under development, others may serve as entry points for malware.
There have been reports of malware labeled AMOS Stealer, a type of credential-stealing software, being distributed through fraudulent DeepSeek-related downloads. This software can steal sensitive user data, including login credentials, and may even grant attackers full access to users’ online accounts.
To avoid falling victim to such attacks, users are advised to only download the DeepSeek app from official sources. Any websites offering third-party downloads should be approached with caution, as they may be attempting to deliver malicious software.
Conclusion
As DeepSeek’s popularity continues to soar, so does the risk of cyber threats targeting its users, including phishing scams, fake investment schemes, and malware campaigns. To protect themselves, users must remain vigilant by verifying official sources, avoiding untrusted third-party websites and QR codes, and scrutinizing crypto projects before making any investments. They should also be cautious about unverified investment opportunities, as DeepSeek has not announced any official IPO or cryptocurrency launch.
Employing reputable security software, keeping systems up to date, and staying informed about phishing and malware tactics are also crucial steps. By following these best practices, individuals can protect their personal information and avoid falling victim to cybercriminals seeking to exploit DeepSeek’s success.
