SecurityWeek

Fake DeepSeek Sites Used for Credential Phishing, Crypto Theft, Scams

Researchers see dozens of fake DeepSeek websites used for credential phishing, cryptocurrency theft, and scams.

Researchers have seen dozens of fake DeepSeek websites used for credential phishing, cryptocurrency theft, and scams. 

Researcher Dominic Alvieri has been tracking such websites. He told SecurityWeek that he had seen well over 50 active sites as of Wednesday, as well as over a thousand domains that are likely being prepared for nefarious activities.

Some of the fake DeepSeek sites are hosted on domains such as deepseek-login[.]com and their goal is to trick users into handing over their credentials. 

Other fake DeepSeek websites push cryptocurrency wallet drainers, while others promote token scams, Alvieri said.

Some of the malicious websites are obviously fake — one example highlighted by the researcher is a site apparently hosting a DeepSeek API ‘Plateform’. 

Other sites, however, such as the credential phishing pages, are well designed and are more difficult to discern from the legitimate website. The quality of these malicious websites has improved this week compared to the previous week, Alvieri said.

Alvieri said he and other members of the cybersecurity community have managed to shut down some of these websites, but dozens of new sites emerged on Thursday. 

Cybersecurity firms ESET and Cyble have also looked at fake DeepSeek websites.

Cyble has seen websites that trick visitors into connecting their cryptocurrency wallets, which enables the attackers to steal the victims’ funds. These attacks involve tricking the victim into scanning QR codes. 

The security firm has also seen fake DeepSeek websites promoting investment scams, some claiming to offer DeepSeek pre-IPO shares.

Cyble also spotted a website set up to collect personal information such as name and email address, as well as sites offering downloads for DeepSeek apps, which could hide malware.

Tzoor Cohen, head of cyber threat intelligence at digital impersonation protection firm Memcyco, told SecurityWeek, “What we’re seeing with DeepSeek may not just be another wave of phishing sites, but a coordinated attack campaign that evolves in real-time.” 

“Our system is tracking how these sites go live, adapt, and shift infrastructure to evade takedowns. The slow response times of traditional takedown systems mean attackers are exploiting a critical window of opportunity to steal from users—often before the first reports even surface. This needs to change,” Cohen added.

Python developers looking to integrate DeepSeek into their projects were recently targeted with malicious packages delivered through PyPI.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
