DeepSeek’s Changing Strategies Escalate Fraud and Phishing Risks

The rapid rise of the Chinese AI company DeepSeek and its large language model-based chatbot, “DeepSeek AI Assistant,” has made it a prime target for cybercriminals.

Recent research by Cyble Research and Intelligence Labs (CRIL) has uncovered a wave of phishing attacks, fraudulent investment schemes, and malware distribution attempts exploiting DeepSeek’s popularity.

The company’s chatbot, which recently surpassed OpenAI’s ChatGPT as the most downloaded free app on the iOS App Store in the U.S., now finds itself at the center of an alarming cybersecurity crisis.

Crypto Phishing Targets Users’ Wallets

Cyber threat actors have capitalized on DeepSeek’s rising prominence by creating malicious websites impersonating the platform.

These websites, disguised as legitimate DeepSeek domains, aim to steal sensitive user credentials and crypto funds.

Notable examples include phishing portals like abs-register[.]com and deep-whitelist[.]com, which lure users into connecting their cryptocurrency wallets.

Upon engagement, visitors are presented with QR codes under the guise of wallet integration.

Phishing site displaying QR code

Scanning these QR codes results in the compromise of users’ wallet data, often leading to the theft of digital assets.

The tactic of using QR code-based phishing is not new but remains highly effective.

It preys on unsuspecting individuals by mimicking trusted entities, leveraging their credibility to execute financial theft.

Fraudulent Investments and Fake Tokens

Additionally, CRIL has detected numerous fraudulent schemes involving counterfeit tokens linked to DeepSeek.

For instance, websites like deepseek-ai[.]cloud and deepseek[.]boats promote a fabricated cryptocurrency called “DeepSeekAI Agent token.”

These scams are marketed to unsuspecting investors who are unaware that no official tokens or cryptocurrencies have been released by DeepSeek.

Analysis of the associated wallet addresses, such as “0x27238b76965387f5628496d1e4d2722b663d2698,” has revealed them to be honeypots, blacklisted to prevent token transactions.

Moreover, fake investment domains like deepseek-shares[.]com entice individuals with false claims of a “DeepSeek Pre-IPO” offer.

Fake investment website

Cyble’s investigation confirmed that DeepSeek is a privately held company, and such investment opportunities are entirely fabricated.

These websites primarily aim to harvest sensitive personal information, such as names and emails, which could then be misused for identity theft or targeted financial fraud.

Evidence also points to the emergence of websites offering fake DeepSeek app downloads for Windows, iOS, and Android.

Some of these sites distribute malicious programs like the AMOS Stealer malware.

Users attempting to download the DeepSeek app are redirected to these malicious platforms, putting their devices and data at significant risk.

Cyble emphasizes the importance of downloading applications solely from verified sources, such as official websites or app stores.

The surge in attacks exploiting DeepSeek underscores a broader challenge in the cybersecurity ecosystem, where high-visibility platforms inadvertently become soft targets for cybercriminals.

To mitigate these risks, experts recommend heightened user awareness, caution against unverified QR codes and websites, and the use of reliable cybersecurity tools.
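One way a defender could screen hostnames from proxy or DNS logs against the domains named in this report, shown as an added example that is not part of the original article or Cyble's research. It assumes deepseek.com is the only official domain, uses a naive last-two-labels rule for the registrable domain, and runs on constructed sample hostnames; the function names are hypothetical.

```python
import re

BRAND = "deepseek"
OFFICIAL = {"deepseek.com"}  # assumption: the vendor's registrable domain(s)
# Domains named in the article (defanged there, refanged here for matching).
REPORTED = frozenset({"abs-register.com", "deep-whitelist.com",
                      "deepseek-ai.cloud", "deepseek.boats",
                      "deepseek-shares.com"})
# Digit-for-letter swaps folded before the brand match.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Constructed sample hostnames, as they might appear in a proxy or DNS log.
SAMPLE_HOSTS = ["chat.deepseek.com", "hxxps://deepseek-shares[.]com/ipo",
                "abs-register[.]com", "d33p-seek-app.example",
                "deepseek.com.login.example", "news.example"]


def refang(indicator):
    """Turn a defanged indicator (hxxp://, [.]) into a bare lowercase hostname."""
    s = indicator.strip().lower().replace("[.]", ".")
    s = re.sub(r"^[a-z]+://", "", s)            # drop scheme (http, hxxps, ...)
    return re.split(r"[/:?#]", s, maxsplit=1)[0].rstrip(".")  # drop port/path


def registrable(host):
    """Naive last-two-labels domain (assumption: no suffixes like co.uk)."""
    return ".".join(host.split(".")[-2:])


def classify(indicator, reported=REPORTED):
    host = refang(indicator)
    domain = registrable(host)
    if domain in OFFICIAL:
        return "official"
    if domain in reported:
        return "reported"            # exact match on a published indicator
    # Brand token anywhere in the hostname, ignoring separators and digit swaps.
    folded = re.sub(r"[^a-z0-9]", "", host).translate(HOMOGLYPHS)
    return "brand-lookalike" if BRAND in folded else "unrelated"


def screen(hosts, reported=REPORTED):
    """Map each input hostname to its verdict."""
    return {h: classify(h, reported) for h in hosts}


if __name__ == "__main__":
    for host, verdict in screen(SAMPLE_HOSTS).items():
        print(f"{verdict:16} {host}")
    # Without the indicator list, the brand heuristic alone misses the
    # wallet-phishing domains that never mention "deepseek".
    print(classify("abs-register[.]com", reported=frozenset()))
```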

DeepSeek has officially clarified that it has not launched any cryptocurrency or IPO, making any related claims fraudulent.

As the AI and cryptocurrency domains continue to evolve, this incident serves as a stark reminder of the importance of safeguarding digital platforms and users amid a rapidly expanding threat landscape.
