SquareX Discloses “Browser Syncjacking”, a New Attack Technique that Provides Full Browser and Device Control, Putting Millions at Risk (posted by admin, 2025-01-30 14:07:03)
Y Combinator-backed startup Martin AI secures $2M seed funding to challenge Siri and Google with its innovative personal AI assistant, built by 19-year-old founders to revolutionize how consumers interact with AI through custom memory architecture and multi-channel accessibility.
These Yale and Berkeley dropouts just raised $2 million to build an AI assistant that could rival OpenAI (posted by admin, 2025-01-30 14:07:02)
How to Use Keeper Password Manager: A Comprehensive Guide (posted by admin, 2025-01-30 13:06:55)
Nulled, Other Cybercrime Websites Seized by Law Enforcement (posted by admin, 2025-01-30 13:06:55)
DeepSeek is a Chinese artificial intelligence company that has developed open-source large language models (LLMs). In January 2025, DeepSeek launched its first free chatbot app, “DeepSeek – AI Assistant”, which rapidly became the most downloaded free app on the iOS App Store in the United States, surpassing even OpenAI’s ChatGPT.
However, with rapid growth comes new risks—cybercriminals are exploiting DeepSeek’s reputation through phishing campaigns, fake investment scams, and malware disguised as DeepSeek. This analysis seeks to explore recent incidents where Threat Actors (TAs) have impersonated DeepSeek to target users, highlighting their tactics and how readers can secure themselves accordingly.
Recently, Cyble Research and Intelligence Labs (CRIL) identified multiple suspicious websites impersonating DeepSeek. Many of these sites were linked to crypto phishing schemes and fraudulent investment scams. We have compiled a list of the identified suspicious sites:
Campaign Details
Crypto phishing leveraging the popularity of DeepSeek
CRIL uncovered a crypto phishing scheme leveraging DeepSeek’s rising popularity. Cybercriminals created fraudulent websites that closely mimic the legitimate DeepSeek platform, luring users into scanning a QR code that ultimately compromises their crypto wallets. We identified the three following deceptive websites designed to exploit unsuspecting victims.
When users click on the “Connect Wallet” button, they are presented with a list of cryptocurrency wallets, including popular options such as MetaMask, WalletConnect, and others, as shown below.
Figure 2 – Phishing websites presenting a list of different crypto wallets
When a user selects any of the wallet options, a QR code is displayed to establish a wallet connection. Scanning this QR code leads to the compromise of the user’s wallet account, potentially resulting in the loss of all their crypto funds.
Figure 3 – Phishing site displaying QR code
QR code-based crypto phishing scams are increasingly common, often exploiting trending or widely recognized entities to deceive users. Cybercriminals take advantage of popular platforms to gain victims’ trust and trick them into compromising their wallets. With DeepSeek’s rising prominence, TAs have increasingly begun impersonating this platform, using deceptive tactics to lure unsuspecting users into their traps.
In addition to QR code-based crypto phishing sites, we also identified several fraudulent websites promoting a fake DeepSeekAI Agent token. These sites display a coin address and urge users to purchase the mentioned cryptocurrency, ultimately scamming unsuspecting investors.
Upon analyzing the provided address “0x27238b76965387f5628496d1e4d2722b663d2698”, we found it to be a honeypot token that has already been blacklisted, confirming it as a fraudulent scheme. Victims who purchased tokens using this address will be unable to withdraw or trade the tokens, resulting in total financial loss.
Figure 5 – Token audit screenshot
Similar fraudulent schemes have emerged following DeepSeek’s announcement, capitalizing on its growing recognition. However, DeepSeek has not launched any official cryptocurrency or token, making any such claims entirely deceptive and a clear attempt to exploit unsuspecting investors.
Fake Investment scam
We discovered the domain “deepseek-shares.com”, which was registered on January 29, 2025. This website falsely presents itself as an official DeepSeek investment platform, claiming to offer DeepSeek Pre-IPO shares to lure potential investors.
Figure 6 – Fake investment website
However, DeepSeek is a privately held organization, and no official IPO announcements have been made at this point. This fraudulent website is designed to mislead users by promoting a fake investment opportunity. The primary intent behind its creation is to harvest sensitive user information, which could later be exploited for targeted phishing attacks, identity theft, or financial fraud.
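Lookalike hostnames such as the “deepseek-shares.com” domain above can be hunted for in DNS or proxy logs. The following is an added example, not part of the original report: it flags hostnames that carry the brand string but do not sit under the official registered domain. The allowlist entry deepseek.com, the log layout and all sample hostnames other than deepseek-shares.com are assumptions constructed for illustration.

```python
import re

# Assumption: deepseek.com is the only official registered domain to allow.
OFFICIAL = {"deepseek.com"}
BRAND = "deepseek"

def refang(value):
    """Undo common defanging ([.] and hxxp), then strip scheme, port and path."""
    h = value.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    h = re.sub(r"^[a-z]+://", "", h)
    h = re.split(r"[/:?#]", h, maxsplit=1)[0]
    return h.rstrip(".")

def classify(value):
    """Return 'official', 'lookalike' or 'unrelated' for a hostname or URL."""
    host = refang(value)
    # Exact match or a true subdomain only; a bare suffix match is not enough.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    # Drop separators so hyphenated or dotted spellings of the brand still match.
    squashed = re.sub(r"[^a-z0-9]", "", host)
    return "lookalike" if BRAND in squashed else "unrelated"

def hunt(lines):
    """Yield (client, host) pairs for lookalike hosts in 'time client host' lines."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        client, host = parts[1], refang(parts[2])
        if classify(host) == "lookalike":
            hits.append((client, host))
    return hits

# Constructed sample log lines (not observed traffic).
SAMPLE_LOG = """\
2025-01-30T10:00:01Z 10.0.0.5 chat.deepseek.com
2025-01-30T10:00:07Z 10.0.0.9 deepseek-shares.com
2025-01-30T10:00:12Z 10.0.0.9 www.deepseek.com.login.example.net
2025-01-30T10:00:20Z 10.0.0.7 notdeepseek.com
2025-01-30T10:00:31Z 10.0.0.7 deep-seek-app.example.org
2025-01-30T10:00:40Z 10.0.0.5 example.org
"""

if __name__ == "__main__":
    for client, host in hunt(SAMPLE_LOG.splitlines()):
        print(f"{client} contacted lookalike host {host}")
```

A keyword match like this is a triage signal rather than a verdict; hits still need review before blocking.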
Collecting Personal Information
Some websites prompt users to submit Personally Identifiable Information (PII), such as their name and email. Collecting PII without clear consent raises serious privacy and security concerns, potentially leading to spam, phishing, or identity theft.
Figure 7 – A Website collecting PII
Threat Actors Leveraging DeepSeek’s Popularity for Malware Delivery
We have identified multiple websites claiming to offer DeepSeek app downloads for Windows, iOS, and Android. While some of these newly created websites appear to be in the development stage, it cannot be confirmed whether they ultimately redirect to the official page or serve any malicious content.
However, malicious samples with filenames starting with ‘DeepSeek’ have indeed been detected in the wild, suggesting that TAs are exploiting DeepSeek’s popularity to distribute malware, leveraging phishing sites to deliver malicious software such as AMOS Stealer. To stay secure, we recommend downloading DeepSeek only from its official website.
Figure 8 – AMOS Stealer Samples
Conclusion
As DeepSeek continues to gain global recognition, cybercriminals are capitalizing on its popularity to launch phishing campaigns, fake investment scams, and fraudulent cryptocurrency schemes. From QR code-based wallet phishing to counterfeit DeepSeek token promotions, these attacks pose serious risks to unsuspecting users, leading to financial losses and compromised security.
The rise of such threats highlights the importance of vigilance in the crypto and AI space. Users must remain cautious, verify official sources, and avoid interacting with suspicious websites or investment offers. DeepSeek has not announced any official cryptocurrency or IPO, making any claims to the contrary a clear red flag.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Always check the official DeepSeek website and social media channels for announcements.
Avoid scanning QR codes from unverified sources or suspicious websites.
Always confirm the legitimacy of a crypto project before sending any funds.
Avoid downloading files from unknown websites.
Use a reputable anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
Be wary of opening any links received via SMS or emails delivered to your phone.
Educate employees on protecting themselves from threats like phishing/untrusted URLs.
Keep your devices, operating systems, and applications updated.
DeepSeek’s Growing Influence Sparks a Surge in Frauds and Phishing Attacks (posted by admin, 2025-01-30 13:06:45)
152,000 Impacted by Data Breach at Berman & Rabin (posted by admin, 2025-01-30 12:08:19)
Frederick Health Hit by Ransomware Attack (posted by admin, 2025-01-30 12:08:18)
Tenable to Acquire Vulcan Cyber for $150 Million (posted by admin, 2025-01-30 11:06:50)
An unprotected database belonging to Chinese AI company DeepSeek exposed highly sensitive information, including chat history, secret keys, and backend data.
Unprotected DeepSeek Database Exposed Chats, Other Sensitive Information (posted by admin, 2025-01-30 11:06:50)