DeepSeek, a Chinese AI startup, is the latest big thing in the hype surrounding AI. Low prices on its paid models and open-source versions, in addition to the controversy of Chinese AI competing with companies like OpenAI and Google, are behind the growth in popularity of DeepSeek AI.
Jumping onto this new wave, cybercriminals are creating fake DeepSeek websites to trick users into giving away their data and downloading malware. In this report, we look at how DeepSeek’s rocky rise to the top is giving way to new cybercriminal tricks.
Cyble discovers several domains built to scam DeepSeek enthusiasts
A recent Cyble report found a surge in crypto phishing, investment scams, and malware distribution exploiting DeepSeek's rising popularity. iPhone users are particularly exposed, given how quickly the app climbed the App Store charts.
On January 27 and 28, 2025, DeepSeek became the most downloaded free app on the US iOS App Store, pushing OpenAI's ChatGPT and Google's Gemini well down the chart. That audience is exactly what the new wave of DeepSeek-impersonation campaigns is aimed at, which is why they deserve to be taken seriously.
Cyble found macOS malware samples being distributed through DeepSeek impersonation campaigns. Specifically, the campaigns spread AMOS (Atomic macOS Stealer), the infamous infostealer that targets Macs. Cyble also found a wide range of crypto scams using the same lure.
Moonlock followed the indicators of compromise (IoCs) in Cyble's report and found that the crypto rabbit hole goes deeper still. Below, we walk through what Cyble found, what we discovered when we followed the IoCs, and some words of caution.
A follow-up on fake DeepSeek crypto scamming sites
Cyble found six fake websites (there are almost certainly more) built to scam visitors interested in DeepSeek. Some of the scam sites are now defunct. Others remain active, and some have been repurposed to ride other hypes.
For example, the crypto phishing sites hxxp://abs-register[.]com and hxxps://deep-whitelist[.]com, discovered by Cyble, imitated the DeepSeek logo and brand. These sites lured users with QR codes designed to drain crypto wallets. A QR code on its own cannot "breach" anything: it encodes a link or wallet-connection request, and the theft happens once the victim scans it with a wallet app and approves what the page asks for.
Moonlock found that hxxp://abs-register[.]com is now offline, and hxxps://deep-whitelist[.]com has changed its design to lure users with a very suspicious crypto coin project called ALPHA.
The ALPHA site hosted on hxxps://deep-whitelist[.]com is actually a crude copy of the ALPHA coin project's own site, hxxps://alphaofsol[.]com, a project with over 46,000 followers on X (formerly Twitter).
The header links on both pages include social media, X, and Telegram. Both pages point to the same DEX Screener link (hxxps://dexscreener[.]com/solana/fps13qjgyq9bdx2xtlfhran7cmessicgor95dwcjs6rt), which leads to a standard DEX Screener token dashboard that appears to have been maliciously modified.
At this time, we do not know whether the two ALPHA sites are connected. What we can verify is that the scammers and black hatters who ran the DeepSeek campaign identified by Cyble have moved on to target the crypto community, which they were already scamming.
On the ALPHA X page, Moonlock found numerous comments from users warning that the ALPHA project is a scam, saying they lost money, and leaving other negative feedback. Moonlock cannot verify these claims at this time.
Moonlock also found that the actors behind hxxps://deep-whitelist[.]com lure users with a button labeled "Check Eligibility."
Clicking it opens a smaller popup window that asks the user to "confirm" by connecting their cold wallet, and then prompts for the wallet's "keywords," that is, its seed phrase. This is a tactic we had not previously reported on.
A cold wallet keeps the private keys to blockchain assets offline. The "keywords" are the wallet's seed phrase (also called the recovery or mnemonic phrase), usually 12 or 24 words, from which every private key in the wallet can be regenerated. The phrase is the ultimate password: whoever holds it controls the funds, no device required.
If anyone asks for your seed phrase, that is a clear red flag. No legitimate wallet connection, eligibility check, or airdrop ever needs it. It would be like handing the keys to your house to a stranger simply because they asked.
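To make concrete why the seed phrase is the whole wallet, here is an added example (not code from Moonlock, Cyble, or any wallet vendor) that performs the standard BIP39 seed derivation and the BIP32/SLIP-10 master-key step using only Python's standard library. The input is the published BIP39 reference test-vector mnemonic with the "TREZOR" passphrase those vectors use; no real wallet is involved. The curve-tag constants are the standard ones (secp256k1 chains such as Bitcoin and Ethereum use "Bitcoin seed", ed25519 chains such as Solana use "ed25519 seed"); everything else, including the function names, is this example's own.

```python
"""Seed phrase to master key: why the "keywords" a scam site asks for are the whole wallet.

Added example, not code from Moonlock or Cyble. Only the Python standard library is used.
Constructed input: the BIP39 reference test-vector mnemonic and the "TREZOR" passphrase
that the reference vectors use; no real wallet is involved.
"""
import hashlib
import hmac
import unicodedata

# BIP39 reference test vector: 12 words encoding an all-zero 128-bit entropy block.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_PASSPHRASE = "TREZOR"

# BIP32 / SLIP-10 curve tags: "Bitcoin seed" for secp256k1 chains (Bitcoin, Ethereum),
# "ed25519 seed" for ed25519 chains such as Solana.
CURVE_TAG_SECP256K1 = b"Bitcoin seed"
CURVE_TAG_ED25519 = b"ed25519 seed"


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation.

    seed = PBKDF2-HMAC-SHA512(password=NFKD(mnemonic), salt=NFKD("mnemonic" + passphrase),
                              iterations=2048, dklen=64)
    The optional passphrase is the only thing that turns the same words into a different
    seed, and most users leave it empty. Whitespace is normalised to single spaces first.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def master_key_from_seed(seed: bytes, curve_tag: bytes = CURVE_TAG_SECP256K1) -> tuple:
    """BIP32 / SLIP-10 master node: HMAC-SHA512 keyed with the curve tag.

    Left 32 bytes: master private key. Right 32 bytes: chain code. Every account and
    address in the wallet is derived from this pair, so whoever computes it controls
    every coin the wallet holds or will ever hold.
    """
    digest = hmac.new(curve_tag, seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_root_from_phrase(mnemonic: str, passphrase: str = "",
                            curve_tag: bytes = CURVE_TAG_SECP256K1) -> dict:
    """Everything a phishing page can compute the moment a victim types in the phrase."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    priv, chain = master_key_from_seed(seed, curve_tag)
    return {"seed": seed.hex(),
            "master_private_key": priv.hex(),
            "chain_code": chain.hex()}


if __name__ == "__main__":
    # Deterministic: the same 12 words always produce the same root secret.
    root = wallet_root_from_phrase(TEST_MNEMONIC, TEST_PASSPHRASE)
    for name, value in root.items():
        print(f"{name}: {value}")
```

The derivation is deterministic and requires no secret other than the words themselves, which is the whole point: a 12-word phrase carries 128 bits of entropy that nobody can brute-force, so the phrase is the only thing standing between an attacker and the funds. Typing it into a web form hands over that entire root, not a single address.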
Moonlock can also confirm that, as Cyble reported, the scammers behind hxxps://deep-whitelist[.]com are offering visitors the "chance to buy" ALPHA coin, which is in itself a risky and virtually unknown token.
This "chance" takes the form of a Connect Your Wallet option that ends with a QR code. Cyble reported that these QR codes are malicious. Moonlock cannot confirm that at this time, but given what we have seen so far, we agree it is most likely the case.
Cyble’s investigation into hxxp://deepseek-shares[.]com says the site “presented itself as an official DeepSeek investment platform, claiming to offer DeepSeek Pre-IPO shares to lure potential investors.” Moonlock’s follow-up investigation shows that someone pulled the plug on this scam site as well, and it is no longer accessible.
However, Moonlock can confirm that two sites discovered by Cyble continue to operate. They impersonate DeepSeek products or services (DeepSeek USA and DeepSeek AI Assistant) that do not exist.
Both sites pose as an exclusive DeepSeek project under development in stealth mode and lure visitors into handing over personally identifiable information (PII).
Naturally, giving your email address to, or signing up for updates on, a black hat site exposes you to spam, phishing and spear phishing, identity theft, account takeovers, and more.
Due to time constraints, Moonlock did not conduct blockchain forensics on the crypto addresses linked to the domains discovered by Cyble or on the others that came up during our investigation. We did, however, run into several cross-script attacks along the way.
Words of caution and advice to stay safe during the DeepSeek hype
First, if you want DeepSeek, get it from the official site, www.deepseek.com, or from the official Apple App Store. Before installing any app, check who publishes it and review its security and privacy practices.
Second, DeepSeek offers free versions. Anyone trying to charge you for it is either an unnecessary middleman or a scammer.
Third, if your search for DeepSeek leads you to crypto websites, close them immediately. DeepSeek has nothing to do with crypto or the blockchain, so anything you click on such a site is a potential risk.
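The three rules above can be turned into a mechanical check. The following added example (not code from Moonlock or Cyble) refangs the defanged IoCs quoted in this post, asks whether a URL's registrable domain is the official one, and flags hosts that borrow the DeepSeek brand, smuggle the official domain in as a subdomain, or carry a crypto-investment lure word. Assumptions, labelled as such: OFFICIAL_DOMAINS contains only deepseek.com because that is the only official domain the post names, the lure-word list is this example's own, and the registrable-domain split simply takes the last two labels, which is wrong for public suffixes such as co.uk (use the Public Suffix List in production). The hosts evil-example.net and example.org are constructed, not from the report.

```python
"""Check whether a URL is DeepSeek's official site or a brand-abusing lure.

Added example, not code from Moonlock or Cyble. Standard library only.
"""
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = {"deepseek.com"}       # assumption: the post names only www.deepseek.com
BRAND = "deepseek"
CRYPTO_LURE_WORDS = ("whitelist", "airdrop", "presale", "pre-ipo", "shares",
                     "register", "token", "wallet", "claim", "eligib")   # example's own list

# Constructed sample: the IoCs quoted in this post, the official site, and two made-up
# hosts (evil-example.net, example.org) to exercise the subdomain trick and the "unknown" case.
SAMPLE_URLS = [
    "https://www.deepseek.com",
    "hxxp://abs-register[.]com",
    "hxxps://deep-whitelist[.]com",
    "hxxp://deepseek-shares[.]com",
    "https://deepseek.com.evil-example.net/login",
    "https://example.org",
]


def refang(ioc: str) -> str:
    """Turn hxxp://a[.]b into http://a.b (also hxxps and the (.) variant)."""
    url = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def host_of(url: str) -> str:
    """Lower-cased hostname; a bare 'host/path' string is treated as http://host/path."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels. Simplification: real code should consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess(url: str) -> dict:
    """Return {'host', 'verdict', 'reasons'}; verdict is 'official', 'suspicious' or 'unknown'."""
    host = host_of(refang(url))
    reasons = []
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return {"host": host, "verdict": "official", "reasons": reasons}
    # Brand name inside a domain that is not the official one (deepseek-shares.com).
    if BRAND in host.replace("-", "").replace("_", ""):
        reasons.append("DeepSeek brand used outside the official domain")
    # Official domain smuggled in as a subdomain label (deepseek.com.evil-example.net).
    dotted = "." + host + "."
    if any("." + d + "." in dotted for d in OFFICIAL_DOMAINS):
        reasons.append("official domain appears as a subdomain of another domain")
    # Crypto or investment vocabulary in a host reached while looking for an AI chatbot.
    lures = [w for w in CRYPTO_LURE_WORDS if w in host]
    if lures:
        reasons.append("crypto/investment lure word in host: " + ", ".join(lures))
    return {"host": host, "verdict": "suspicious" if reasons else "unknown", "reasons": reasons}


def triage(urls) -> dict:
    """Map each input URL (defanged or not) to its assessment."""
    return {u: assess(u) for u in urls}


if __name__ == "__main__":
    for url, result in triage(SAMPLE_URLS).items():
        print(f"{result['verdict']:<10} {result['host']:<32} {'; '.join(result['reasons'])}")
```

Note that "unknown" is not "safe": a scam site on a neutral-looking domain produces no reasons here, and a site that passes this check can still serve malware. The check encodes the post's advice (official domain or nothing, and crypto vocabulary around DeepSeek is a red flag), not a reputation verdict.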
Final thoughts
Today, it’s DeepSeek. Tomorrow, it will be whoever or whatever lands at the top of the news cycle.
For scammers, every hype is the same thing: an opportunity to rob people. Scams like these are usually easy to spot, but awareness and vigilance are still advised.
In general, scammers are either skilled black hatters themselves or they hire well. Scamming people out of crypto requires specialized blockchain knowledge that is not easy to come by, although ready-made wallet-drainer kits sold in underground markets lower that bar. The pages we examined were clearly built by someone with crypto hacking experience and crypto content development skills.
What does this mean for you? Unfortunately, it means that scam sites like these are going to get better and better, and telling them apart from legitimate ones will become increasingly difficult.