Threat actors have been taking advantage of the recent attention surrounding China’s DeepSeek AI model by setting up phishing sites to scam unsuspecting users, according to reports. These fraudulent sites are designed to deceive individuals into downloading malicious software or providing sensitive information such as login credentials. Researchers at Memcyco have identified at least 16 fake websites impersonating DeepSeek, indicating a coordinated attack campaign by threat actors.
Israel Mazin, the CEO and co-founder of Memcyco, explained that these fake domains were registered in clusters and adjusted their content dynamically based on the perception of DeepSeek in the market. Some sites even changed their attack methods to target what would be most effective. Additionally, threat actors displayed agility by shifting their infrastructure to new locations and configurations to avoid detection attempts.
Since DeepSeek released its free R1 AI chatbot on Jan. 20, numerous phishing sites have emerged. While some of these sites have been taken down, slow response times from hosting providers and domain registrars have given phishing operators the opportunity to target users interested in DeepSeek with fake websites. Engaging with these sites can put users at risk of identity theft, financial fraud, and malware infection, as threat actors can intercept login credentials or distribute malware for remote access to devices.
Cyble, a cybersecurity company, also reported on the rise of DeepSeek-related fraud schemes. Some fake websites were designed to trick users into thinking they were on the real DeepSeek site, while others promoted cryptocurrency and investment scams. One such scam involved urging visitors to scan a QR code that led to the theft of their cryptocurrency wallets. Another site attempted to sell a fake DeepSeekAI Agent crypto token to unsuspecting users.
In addition to phishing sites, threat actors have exploited the interest in DeepSeek by creating malicious packages labeled “deepseekai” and “deepseeek” on the PyPI Python package repository. These packages targeted developers and organizations looking to integrate DeepSeek into their systems, providing a way for the authors to steal information from the environments where they were downloaded.
The surge in malicious activities surrounding DeepSeek serves as a reminder for users to remain cautious when engaging with new and popular services. It is essential to be vigilant of suspicious URLs, misspelled words, or unprofessional website designs, as these could be indicators of phishing attempts. Mazin emphasized the importance of domain registrars and social media platforms monitoring new domains and profiles to prevent fraudulent activities. Businesses and organizations should enhance scam detection and deploy real-time digital impersonation protection to safeguard their users from such threats.