How the scams work
Online scammers often take advantage of trendy applications in order to plant malware on unsuspecting users’ devices and steal sensitive information. According to McAfee: “Malware creators frequently exploit trending search terms through hashtags and SEO manipulation to boost visibility and climb search rankings. This tactic, known as SEO poisoning, helps drive traffic to malicious sites, increasing downloads or earning rewards through affiliate programs.”
With the DeepSeek app garnering around 30 million downloads worldwide and both “AI” and “DeepSeek” trending high in internet searches, scammers haven’t hesitated to take advantage. Many DeepSeek scams appear as Google Ads, enticing users to click on links that lead to copycat websites. According to Security Week, over 2,500 look-alike pages were created between December 2024 and February 2025 alone.
Since going live, the DeepSeek website has been down several times due to high traffic. This is a problem because, when the legitimate site is down, users are more likely to click on copycat links that direct them to a site that does load. These links lead to various forms of malware, which users then inadvertently download.
The diversity of DeepSeek scams
DeepSeek scams come in a variety of forms – here’s what internet users have encountered so far:
1. Malicious software downloads
Copycat URLs will often prompt visitors to install “DeepSeek software” – but instead of installing the application, the download connects the user to hostile servers, allowing hackers to obtain access to the user’s computer. The hackers can then flood the computer with a variety of malicious software, including keyloggers, which record the user’s every keystroke and let hackers collect sensitive information such as browsing data, passwords, and credit card information. Other malicious software that has been found at these fake sites includes cryptominers, which, according to McAfee, “[use] infected devices to mine cryptocurrency, draining resources, slowing performance, increasing energy costs, and often remaining difficult to detect or remove.”
2. Forced unrelated software installation
Copycat URLs can also lead to downloads of unrelated software that may or may not be malicious, but whose downloads provide revenue for the impersonators. According to McAfee, “[C]ertain affiliates were able to spike their partner downloads and get a commission based on pay-per-install partner programs. Rogue affiliates use this tactic to generate revenue through forced installations of partner programs.”