From DeepSeek to Hide'n'Seek
Adversaries are keeping up with the trend of AI domain impersonations, this time targeting the already super popular DeepSeek LLM
They are coming... and they are coming fast. As the tide of AI slowly turns into a tsunami, so do the phishing campaigns that find fertile ground for “monetization” via unethical methods.
Like all things in life that make a huge impact, the latest AI from China, DeepSeek AI, is no exception. Right from the first days, as news spread about a new AI that had come to challenge all the AIs of the West, also stirring the world's economy, malicious actors didn't waste a second. Phishing campaigns and domain impersonations started forming right away.
The Doppelganger
It is very interesting to explore the techniques used by attackers when they impersonate legitimate domains. These attackers can be extremely crafty.
In this case the domain was cleepseek[.]com, where the malicious actors combined the letters `c` and `l` to create the illusion of a `d`, as a stand-in for (d)eepseek.
It is really important to take a good look before “hitting” any domain, regardless of the delivery method (email, sms etc). The devil always hides in the details.
While the original DeepSeek website has various social-media hyperlinks, two of them are missing from the fake version.
Also, upon trying to register for the service, the original website requires a verification code to be sent to the user's email, while the fake one uses a Windows-specific CAPTCHA. This is a clear difference in verification methodology between the real and fake websites. The copycat website requires a weird CAPTCHA validation that does not even reflect the visiting client properly as Linux-based, but instead shows it as Windows-based. Several functionalities, such as the “eye” button that reveals the password, were also not working. These are typical indicators that a website is “phishy”.
This domain is very fresh and live. Created only 6 days ago, it was not detected by any engine on reputable threat intelligence platforms such as VirusTotal.
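The `cl`-for-`d` trick above is mechanical enough to check for automatically. The following is an added example (not THEA's code, nor the logic of NORNA or THEMIS) that folds visually confusable letter sequences before comparing a domain's registrable label against a constructed brand watch list; the allowlist of legitimate hosts and the confusable table are assumptions for illustration, and the sample domains are the ones quoted in this post.

```python
"""Lookalike-domain triage for a watch list of protected brands.

Added example for this post, not THEA's code or NORNA/THEMIS logic. The brand
watch list, allowlist and confusable table are constructed for illustration.
"""
from typing import Optional

# Character sequences that read as one letter in many fonts. "cl" -> "d" is
# the trick behind cleepseek[.]com; the others are common typosquat variants.
CONFUSABLES = [("cl", "d"), ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]
PROTECTED_BRANDS = ["deepseek", "openai", "mistral"]            # constructed watch list
ALLOWLIST = {"deepseek.com", "openai.com", "mistral.ai"}         # assumed legitimate hosts


def canonical_host(domain: str) -> str:
    """Lowercase and restore the defanged '[.]' notation used in IoC lists."""
    return domain.lower().replace("[.]", ".").strip(".")


def fold(label: str) -> str:
    """Collapse confusable sequences so 'cleepseek' reads as 'deepseek'."""
    for seq, letter in CONFUSABLES:
        label = label.replace(seq, letter)
    return label


def classify(domain: str, brands=PROTECTED_BRANDS, allowlist=ALLOWLIST) -> Optional[dict]:
    """Return a finding if the domain impersonates a protected brand, else None."""
    host = canonical_host(domain)
    if host in allowlist:
        return None
    # Registrable label; no public-suffix handling, so "co.uk"-style TLDs need a real PSL.
    label = host.split(".")[-2] if "." in host else host
    folded = fold(label)
    for brand in brands:
        if label == brand:
            return {"domain": domain, "brand": brand, "reason": "brand-on-other-tld"}
        if folded == fold(brand):
            return {"domain": domain, "brand": brand, "reason": "homoglyph"}
        if fold(brand) in folded:
            return {"domain": domain, "brand": brand, "reason": "brand-in-label"}
    return None


def scan(domains):
    """Run classify() over a batch and keep only the hits."""
    return [f for f in map(classify, domains) if f]


if __name__ == "__main__":
    sample = ["cleepseek[.]com", "deepseekmanager[.]com", "peopledeepseek[.]com", "deepseek.com"]
    for finding in scan(sample):
        print(finding)
```

Feed it newly registered domains from a certificate-transparency or zone-file feed and the "homoglyph" findings are the ones worth a manual look first.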
Phishing legion
This was not an isolated incident: utilising NORNA's powerful interface we were able to match and aggregate thousands of domains serving the same purpose under different colours, with plenty of trademarks actively abused on the web.
Our own THEMIS AI was able to detect, with lightning speed and high precision, many domains targeting DeepSeek. Below is a sample screenshot.
All domains registered on 2025-02-03.
They say that “one picture equals a thousand words”. At THEA we think one graph is equal to one million words.
Conclusion
Similar to the first DeepSeek impersonator, we also identified hundreds of similar domains that are trying to impersonate OpenAI, Mistral and others.
Always stay vigilant and don’t fall for their tricks. Take a step back, look a second time and access only when you are really sure you have the right page.
Explore. Evolve. Become the hunter.
IoCs
This is a sample subset of indicators.