Introduction: The Rise of DeepSeek & Emerging Threats
DeepSeek has recently gained significant traction in the market, becoming a go-to solution for many users. However, with great popularity comes great risk. At Bolster, our research team detected a surge in phishing attempts, fake domains, and scams targeting DeepSeek users. These malicious actors are exploiting the brand’s growing reputation to deceive unsuspecting individuals, particularly through fake login pages, crypto wallet scams, and fake social media support pages.
In this blog, we’ll dive into our findings, analyze how scammers are operating, and provide actionable insights to help users stay safe.
The Surge of Lookalike Domains Targeting DeepSeek
With DeepSeek AI gaining rapid popularity, cybercriminals have wasted no time exploiting its success. Our research team has identified a sudden surge in lookalike domains, typosquatting attacks, and homoglyph-based phishing sites designed to deceive users. Alarmingly, many of these fraudulent domains were created or updated on the very same day DeepSeek rose to fame. These scam pages mimic DeepSeek’s UI to appear legitimate and lure unsuspecting victims.
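One way a defender could triage newly seen hostnames against the three patterns named above (an added example, not Bolster's detection code; the `deepseek.com` allowlist, the small confusables table and the `.example` sample hostnames are assumptions constructed for illustration):

```python
import unicodedata

BRAND = "deepseek"
OFFICIAL = {"deepseek.com"}  # assumption: domains the brand owner actually controls

# Constructed subset of look-alike characters mapped to the Latin letter they imitate.
CONFUSABLES = str.maketrans({
    "\u0435": "e", "\u0455": "s", "\u043a": "k", "\u0440": "p",  # Cyrillic
    "\u03bf": "o", "0": "o", "1": "l", "3": "e"})                # Greek omicron, digits

def skeleton(label):
    """Fold a label to the ASCII string a human would read it as."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return no_marks.translate(CONFUSABLES)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(hostname):
    host = hostname.strip().lower().rstrip(".")
    try:  # turn xn-- (punycode) labels back into the Unicode a browser may show
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: inspect as given
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    labels = host.split(".")
    if any(BRAND in label for label in labels):
        return "brand-embedded"  # exact brand on a domain the brand does not own
    if any(BRAND in skeleton(label) for label in labels):
        return "homoglyph"       # reads as the brand only after character folding
    tokens = [t for label in labels for t in skeleton(label).split("-")]
    if any(0 < edit_distance(t, BRAND) <= 2 for t in tokens):
        return "typosquat"       # one or two edits away from the brand
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample hostnames under the reserved .example TLD.
    for h in ["chat.deepseek.com", "deepseek-login.example",
              "d\u0435epseek.example", "deepseeek-app.example", "example.org"]:
        print(f"{h!r:32} {classify(h)}")
```

A two-edit threshold also matches unrelated words such as `deepsea`, so treat `typosquat` as a signal for review rather than a verdict.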
Scam Tactics: Phishing Logins & Crypto Wallet Theft
Many of the identified phishing sites employ two primary attack methods:
- Google Login Phishing – Users are tricked into entering their Google credentials to log in via Google on fake DeepSeek login pages, allowing attackers to steal their accounts.
- Crypto Wallet Scams – Some fraudulent sites prompt users to connect their crypto wallets, leading to unauthorized transactions and asset theft.
List of Lookalike & Phishing Domains
Below is a list of fraudulent domains that our analysis has uncovered in a single hour after the news of DeepSeek’s rise:
These domains redirect users to phishing pages where they are prompted to enter login details or connect their crypto wallets.
Fake DeepSeek CEO Website To Buy Meme Tokens
How Scammers Are Exploiting DeepSeek’s Login Portal
During our investigation, we identified one of the most common tactics used by scammers: creating fake DeepSeek login pages designed to steal user credentials. These phishing pages often:
- Imitate DeepSeek’s design and branding
- Use HTTPS to appear legitimate
- Prompt users to “re-authenticate” their accounts
- Redirect stolen credentials to threat actors in real time
A notable example we analyzed is deepseekchat[.]ai, a domain registered on January 27, 2025. At first glance, the site appears identical to the legitimate DeepSeek page. However, a closer look reveals a hidden login button in the bottom-left section that, when clicked, leads users to a phishing portal. This deceptive tactic makes it difficult for users to differentiate between real and fake sites.

When users click on this button, they are prompted to enter their credentials, either by manually inputting their email ID and password or by selecting the “Login with Google” option. To verify the legitimacy of this request, our team conducted a network capture analysis, which confirmed that user credentials were being transmitted to an external server controlled by the scammers.

Here are some key observations:
Network Request of DeepSeek Phishing Page
When entering dummy credentials in the text fields, we noticed that the request URL differed from the phishing DeepSeek domain in the URL bar. The request was sent to autosite[.]erweima[.]ai/api/v1/user/login.
Another significant red flag was the way the credentials were being transmitted. Upon inspecting the response tab in our network capture, we found that both the email address and password were being sent in plain text, without encryption.
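The check described above, a credential POST leaving for a host other than the one in the URL bar, can be automated over a HAR export of the capture. This is an added example, not the researchers' tooling; the HAR content and the `.example` hosts are constructed, and only the request path mirrors the one reported here.

```python
import json
from urllib.parse import urlsplit, parse_qsl

SECRET_KEYS = {"password", "passwd", "pwd", "pass"}  # assumed field names

def body_fields(post_data):
    """Return the fields of a JSON or form-encoded request body as a dict."""
    text = post_data.get("text", "")
    if "json" in post_data.get("mimeType", ""):
        try:
            parsed = json.loads(text)
        except ValueError:
            return {}
        return parsed if isinstance(parsed, dict) else {}
    return dict(parse_qsl(text))

def credential_posts(har, page_url):
    """List POSTs that carry a password field to a host outside the page's site."""
    page_host = urlsplit(page_url).hostname
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if req["method"] != "POST" or "postData" not in req:
            continue
        fields = body_fields(req["postData"])
        if not SECRET_KEYS & {k.lower() for k in fields}:
            continue
        target = urlsplit(req["url"])
        host = target.hostname or ""
        if host == page_host or host.endswith("." + page_host):
            continue  # same host or a subdomain of the page: not flagged here
        findings.append({"page_host": page_host, "posted_to": host,
                         "path": target.path,
                         "encrypted_transport": target.scheme == "https",
                         "fields": sorted(fields)})  # names only, never values
    return findings

# Constructed capture, shaped like a browser HAR export.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://lookalike.example/app"}},
    {"request": {"method": "POST", "url": "https://collector.example/api/v1/user/login",
                 "postData": {"mimeType": "application/json",
                              "text": '{"email": "test@example.com", "password": "dummy"}'}}},
    {"request": {"method": "POST", "url": "https://lookalike.example/api/feedback",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "rating=5&comment=ok"}}},
]}}

if __name__ == "__main__":
    print(json.dumps(credential_posts(SAMPLE_HAR, "https://lookalike.example/app"), indent=2))
```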
Attackers are always on the lookout for opportunities to exploit trends and target unsuspecting users. The moment a platform or technology gains traction, scammers swoop in, creating fake domains, phishing pages, and deceptive schemes. Once they obtain credentials, they can access user accounts, scrape sensitive data, and even use the stolen information for further social engineering attacks.
Crypto Wallet Scams: A Growing Concern
In our research, we identified that bad actors are now launching fake DeepSeek token presales to drain users’ crypto wallets. One such fraudulent domain, deepseek-presale[.]com, lures visitors with a ‘Connect Wallet’ button. When clicked, a popup prompts users to enter their wallet’s secret phrase to ‘verify’ or ‘connect.’ Unaware of the scam, victims who provide their seed phrase unknowingly grant attackers full access to their wallets, resulting in permanent compromise and loss of funds.
Fake DeepSeek Crypto Presale Token Page
Another fraudulent domain, deepseek-wl[.]com, mimics the exact user interface of DeepSeek’s official website, complete with the DeepSeek logo. The site features a ‘Connect Wallet’ button, which appears legitimate at first glance. However, if a user connects their wallet, it triggers a fake contract on the blockchain. Within moments, the scammer drains the wallet of all funds, including assets loaded from multiple blockchain networks.
Another DeepSeek Fake Scam Page
Surprisingly, the attacker has embedded support for more than 150 widely used crypto wallets globally in the popup, ensuring no user is left unscammed.
The page includes popular wallets like Uniswap, Coinbase, OKX, Binance, Trust Wallet, and many more. By catering to virtually every type of crypto user, the scammer maximizes their chances of success.
This level of sophistication demonstrates how attackers are evolving their tactics to exploit even the most cautious individuals, making it crucial to double-check every interaction involving your crypto assets.
Fake Support Pages and Chatbot Scams: How Scammers Are Exploiting Social Media
Amid the surge in fake domains, we’ve observed numerous free chatbot links using the DeepSeek branding, claiming to accept donations to keep the platform free for users. While this may sound convincing, it’s entirely a scam setup created by attackers to exploit users’ goodwill and sentiment. These fraudulent sites aim to deceive people into donating money under the false pretense of supporting a “free” service.
Fake Bots and Deceptive Investment Schemes
During further investigation, we came across another scam where an attacker created a fake bot page that displayed different meme tokens associated with DeepSeek, encouraging users to “buy” these tokens. The page looked convincing at first, but after verifying the links, we discovered that these redirected users to two Telegram channels.
Fake BOT Using DeepSeek Branding
On the page, there were two buttons labeled “CHAT AI” and “PIC AI”, which seemed like legitimate features of the platform. However, clicking either button took users to fake DeepSeek Telegram bots that were created to deceive and scam people. These bots interact with users, attempting to steal their credentials or trick them into investing in a fraudulent scheme. The whole setup was designed to exploit users’ trust and trick them into giving away personal information or money.
Here are the links to the fake Telegram bots:
- https://t.me/DeepSeekAIPIC_BOT
- https://t.me/DeepSeekAICHAT_BOT
DeepSeek Fake ChatBot on Telegram
It’s important to stay cautious and avoid engaging with such bots, as they are part of a scam to steal your information or persuade you to invest in fake schemes.
How to Stay Safe: Tips & Best Practices
To stay safe from phishing attacks and fraudulent schemes, follow these best practices:
- Verify URLs Carefully – Always double-check the domain before entering your login credentials. Look for subtle misspellings or extra characters that indicate a fake site.
- Avoid Clicking Suspicious Links – If you receive a message, email, or website that seems off, do not click on any links or interact with the content.
- Enable Two-Factor Authentication (2FA) – Activate 2FA on your DeepSeek and Google accounts to add an extra layer of security.
- Never Share Your Seed Phrase – Legitimate platforms will never ask for your crypto wallet’s seed phrase. If a website or bot requests it, it’s a scam.
- Check Official Channels – Only trust DeepSeek’s official website and verified social media accounts to avoid falling for impersonation scams.
- Report Suspicious Activity – If you encounter a phishing site or scam, report it to the relevant authorities or security teams to help protect others.
- Use a Password Manager – A good password manager helps detect fraudulent sites and prevents credential reuse across multiple platforms, reducing the risk of account takeover.
By staying vigilant and following these security measures, you can avoid falling victim to cybercriminals looking to exploit user trust and steal sensitive information.
Conclusion
Cybercriminals are always adapting their tactics to exploit whatever is trending, taking advantage of sudden hype around new platforms, technologies, or services. Whenever something gains rapid popularity, attackers see it as an opportunity to deceive unsuspecting users through phishing scams, fraudulent websites, and crypto-related fraud.
The best defense against these threats is awareness and vigilance. Always verify sources before entering any sensitive information, double-check URLs for inconsistencies, and never trust unsolicited requests for login credentials or financial details.
Most importantly, never let urgency or excitement cloud your judgment online. Scammers thrive on impulse decisions, so take a step back, verify through official channels, and always remain cautious when engaging with newly popular platforms. If you’re still unsure about a website’s legitimacy, run a quick scan on CheckPhish to detect potential threats before taking any action.