Cybercriminals Exploit DeepSeek’s Popularity with Phishing and Fraudulent Schemes

In the weeks following the global buzz around China's DeepSeek and its cost-effective AI model, cybercriminals have been actively setting up phishing websites to impersonate the company. These fraudulent sites are designed to trick users into downloading malware, handing over credentials, or falling victim to financial scams.

Coordinated Phishing Campaign

Researchers at Israel-based Memcyco have identified at least 16 phishing domains mimicking DeepSeek, with evidence suggesting a coordinated attack campaign. "Clusters of fake domains are being registered in waves, dynamically adjusting branding and attack strategies based on DeepSeek's market presence," says Israel Mazin, CEO and co-founder of Memcyco. Some threat actors have even rapidly moved their infrastructure to evade takedown efforts.

Since DeepSeek launched its free R1 AI chatbot on January 20, phishing operators have exploited the platform’s growing popularity. Delayed response times from hosting providers and domain registrars have given attackers a window to continue their operations, targeting users unfamiliar with DeepSeek’s legitimate platform. Victims risk identity theft, financial fraud, and malware infections, with some phishing sites intercepting login credentials in real time for account takeovers. Others distribute malware that grants remote access to victims' devices, putting personal and corporate data in jeopardy.

Beyond Phishing: Crypto Scams & Malicious Packages

Security firm Cyble also reported a rise in DeepSeek lookalike domains, many of which host cryptocurrency scams and fraudulent investment schemes. Some phishing sites lure users with fake DeepSeek-related investment opportunities, such as a nonexistent pre-IPO sale or a bogus AI crypto token. Others use QR codes that, when scanned, allow attackers to drain victims’ cryptocurrency wallets.

Additionally, researchers at Positive Technologies have discovered malicious Python packages—"deepseekai" and "deepseeek"—on the PyPI repository, targeting developers looking to integrate DeepSeek. These packages serve as data-stealing tools, compromising environments where they are installed.

The Rise of Phishing-as-a-Service (PhaaS)

Memcyco’s analysis suggests many of these phishing campaigns align with phishing-as-a-service (PhaaS) operations, where cybercriminals sell ready-made impersonation kits to other fraudsters. This means both experienced hackers and low-level cybercriminals can easily launch attacks for financial or espionage purposes.

Staying Safe Amid DeepSeek Hype

The surge in cyber threats surrounding DeepSeek is part of a broader trend where attackers exploit major news events and emerging technologies. Users should exercise caution by scrutinizing URLs for misspellings, avoiding unverified sources, and being wary of suspicious investment opportunities. Mazin emphasizes the need for proactive security measures: "Domain registrars and social media platforms must monitor new registrations, while businesses should enhance scam detection, takedown efforts, and deploy real-time digital impersonation protection."