The Chinese AI startup DeepSeek has gained significant attention in the global AI market with its open-source inference model, DeepSeek-R1.
This model has been touted as a more cost-effective alternative to existing AI solutions, outperforming OpenAI’s GPT-o1.
However, this newfound popularity has also attracted malicious actors who are exploiting DeepSeek’s name to distribute malware through phishing websites.
DeepSeek’s search volume surged on Google Trends after the release of the DeepSeek-R1 model on January 20, 2025, reaching a peak interest level of ‘100’ on January 28, 2025.
Experts at CriminalIP noted that this rapid rise in popularity has led to increased scrutiny over phishing and fraudulent activities associated with the brand.
Cyber attackers have been creating phishing websites that mimic the official DeepSeek site.
These fraudulent sites use Site Proxy techniques to embed malware download links, making them appear legitimate to unsuspecting users.
The malware distributed through these sites targets financial applications, such as “Corper,” and has been detected by multiple antivirus programs.
VirusTotal analysis:
As of February 3, 2025, 24 antivirus programs detected the app downloaded from the fake DeepSeek site as malicious, with 154 negative votes. This confirms the malicious intent behind these phishing sites.
The official DeepSeek site and phishing sites can be distinguished by several factors:
Criminal IP AI assessed the phishing DeepSeek site and assigned it a critical risk score of 99.0%.
The site was flagged as a newborn domain, created shortly after DeepSeek’s rise in popularity, indicating a potential scam.
Moreover, form event analysis revealed the use of a Site Proxy to redirect user data to another domain, highlighting a clear phishing attempt.
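The signals described above (a newborn domain, form data sent to another domain, and embedded download links) can be checked mechanically on a fetched page. The following Python sketch is an added example, not Criminal IP's method or code from the original article; the 30-day threshold, the installer extensions, the function names, the sample page, its placeholder domains and the dates are all constructed assumptions.

```python
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

NEWBORN_DAYS = 30                                  # assumed "newborn" threshold
INSTALLER_EXT = (".apk", ".exe", ".msi", ".dmg")   # assumed download types

class TargetCollector(HTMLParser):
    """Collect form submission targets and link targets from a page."""
    def __init__(self):
        super().__init__()
        self.targets = []  # list of (kind, raw URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.targets.append(("form", a.get("action") or ""))
        elif tag == "a" and a.get("href"):
            self.targets.append(("download", a["href"]))

def same_site(host, page_host):
    # Simplification: exact host or a subdomain of the page's host.
    return host == page_host or host.endswith("." + page_host)

def assess_page(page_url, html, created, today):
    # Returns (finding, detail) tuples for one fetched page.
    findings = []
    age = (today - created).days
    if age <= NEWBORN_DAYS:
        findings.append(("newborn_domain", age))
    page_host = urlparse(page_url).hostname
    collector = TargetCollector()
    collector.feed(html)
    for kind, raw in collector.targets:
        url = urlparse(urljoin(page_url, raw))  # empty/relative -> same site
        if url.scheme not in ("http", "https"):
            continue
        if kind == "download" and not url.path.lower().endswith(INSTALLER_EXT):
            continue  # ordinary off-site links are too common to flag
        if not same_site(url.hostname or "", page_host):
            findings.append((f"offsite_{kind}", url.hostname))
    return findings

# Constructed sample page on a placeholder domain (not taken from the article).
SAMPLE_URL = "https://deepseek-lookalike.example/"
SAMPLE_HTML = """<form action="https://collector.example.net/login"></form>
<form action="/search"></form>
<a href="https://files.example.org/app.apk">Download</a>
<a href="https://docs.example.com/help">Help</a>"""
```

Calling `assess_page(SAMPLE_URL, SAMPLE_HTML, created, today)` with a registration date a few days before `today` reports the newborn domain, the off-site form target and the off-site installer link, while the same-site search form and the ordinary help link are ignored.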
Users are advised to use tools like Criminal IP Domain Search to analyze sites before accessing them and to avoid entering sensitive information on unverified platforms.
By leveraging threat intelligence and security analysis tools, users can protect themselves from such phishing attacks.
To safely navigate AI models like DeepSeek while minimizing phishing and malware risks, users should utilize Criminal IP’s IP analysis service to verify server locations and network security.
Additionally, reviewing DeepSeek’s official privacy policy helps understand how data is processed.
Most importantly, users should avoid entering personal or sensitive information on unverified sites. Taking these precautions ensures a more secure online experience.