Security Concerns Emerge Over China’s DeepSeek AI Model

DeepSeek, China’s latest AI chatbot, has gained global attention for its advanced language capabilities to rival models like OpenAI’s ChatGPT. Developed as an alternative to Western AI solutions, DeepSeek aims to provide a powerful generative AI experience tailored to Chinese users.

However, days after its announcement, several reports claimed that the AI model revealed significant security flaws that could expose users to cyber risk.

What Is DeepSeek, and Where Did It Come From?

The company, established in late 2023 by Chinese hedge fund manager, Liang Wenfeng, is among the many startups seeking substantial investment to capitalise on the growing AI boom. On January 20, 2025, DeepSeek introduced its R1 LLM, an open-source license that provides free access and usage to the public.

According to the start-up’s paper that was submitted on arXiv, DeepSeek’s AI model is built on DeepSeek-V3, a Mixture-of-Experts (MoE) language model which is designed to improve efficiency by activating only a subset of its total parameters at any given time. Basically—when you enter a prompt, instead of processing the entire model’s massive dataset, it activates only the most relevant parameters, allowing it to generate the most accurate and efficient response without unnecessary computation.

In the case of DeepSeek-V3, the model has 671 billion total parameters, but instead of using all of them simultaneously, it selectively activates 37 billion parameters per token (word, symbol, or input unit).

To enhance efficiency and cut training costs, the model utilises Multi-head Latent Attention (MLA), a mechanism within DeepSeek’s AI model that features a load-balancing strategy without auxiliary loss and a multi-token prediction objective for better performance. This feature reduces memory use and improves processing speed, making their performance almost on par with ChatGPT’s 4o model.

The model was trained on 14.8 trillion high-quality tokens, requiring only 2.788 million H800 GPU hours for full training. Stability was the major focus, with developers reporting no critical loss spikes or setbacks throughout the process.

Kela Discovers “Evil Jailbreak” Vulnerability in DeepSeek’s AI Model

Recent findings by cyber intelligence firm Kela have cast a shadow over DeepSeek’s rise, revealing significant flaws that could expose users to cyber risks.

According to Kela’s research, DeepSeek-R1 contains vulnerabilities that could be exploited for malicious purposes. The primary concerns include susceptibility to data leaks, potential manipulation for generating harmful content, and security weaknesses that hackers could exploit to gain unauthorised access.

The research found that DeepSeek has also become a target for Evil Jailbreak, a method previously used to manipulate ChatGPT into bypassing its ethical and security restrictions in early 2023. The Evil Jailbreak method works by tricking AI models into disregarding their built-in safety mechanisms through carefully crafted prompts, ultimately leading them to generate responses that violate policy guidelines.

Security researchers at Kela demonstrated that the same exploit could be applied to DeepSeek, allowing users to coerce the AI into generating harmful, unethical, or even illegal content that it would otherwise be programmed to reject.

In one instance, when asked to write an infostealer malware capable of extracting cookies, usernames, passwords, and credit card details from compromised devices, DeepSeek R1 not only provided step-by-step instructions but also generated a fully functional malicious script.

The script was designed to harvest credit card data from specific web browsers and transmit the stolen information to a remote server, making it highly effective for real-world exploitation.

Beyond malware generation, DeepSeek R1’s responses further amplified the risks by suggesting illicit marketplaces where stolen credentials could be purchased, such as Genesis and RussianMarket, both known for trafficking compromised login data. Unlike OpenAI’s ChatGPT-01 preview model, which obscures its internal reasoning during inference, DeepSeek R1 displays its reasoning steps openly, increasing its susceptibility to jailbreaks.

This transparency, while beneficial for interpretability, allows malicious users to pinpoint weaknesses and exploit them strategically. When Kela’s team used DeepSeek’s DeepThink reasoning feature to request malware code, the model not only provided a structured attack plan but also detailed code snippets, inadvertently aiding cybercriminal activities.

Wiz Research Uncovers DeepSeek Database Exposure, Revealing Sensitive User Data

Adding more salt to the wound, Wiz Research’s recent investigation identified a significant security lapse in DeepSeek’s infrastructure. The team discovered a publicly accessible ClickHouse database associated with DeepSeek, which was entirely open and lacked authentication measures.

ClickHouse is an open-source columnar database system built for high-speed analytical queries on massive datasets. It is commonly used for real-time data processing, log storage, and big data analytics, making any unintended exposure highly sensitive and valuable.

Through Wiz’s discovery, they uncovered an unsecured database which contained over a million log entries, including chat histories, API keys, backend details, and other sensitive information. The exposure was traced to two subdomains: oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000.

These subdomains hosted open ports (8123 and 9000), leading directly to the vulnerable database. By accessing the /play path of ClickHouse’s HTTP interface, researchers could execute arbitrary SQL queries, revealing the full extent of the data exposure.

The log_stream table was one of the most concerning aspects of Wiz Research’s findings, as it contained over 1 million log entries exposing various internal and user-related data. The table included key columns such as timestamp, which tracked logs dating back to January 6, 2025, and span_name, which referenced multiple internal DeepSeek API endpoints.

More critically, the string.values column revealed plaintext logs, including chat history, API keys, backend details, and operational metadata, making this database a prime target for exploitation.

Additionally, the _service and _source fields provided insights into which DeepSeek service generated the logs and the origin of log requests, further exposing chat history, directory structures, and chatbot metadata. This level of data access posed severe risks—not only could an attacker retrieve sensitive logs and plaintext chat messages, but they could also potentially exfiltrate plaintext passwords, local files, and proprietary data.

Depending on DeepSeek’s ClickHouse configuration, attackers might have been able to execute queries such as SELECT * FROM file(‘filename’) to extract critical internal information directly from the server.

DeepSeek Confirms Malicious Intrusion From Their Official Site Amid Global Attraction

On 27^th January, Monday, DeepSeek uploaded a banner on their sign-up page, stating that they would pause incoming registrations to sort out “large-scale malicious attacks on DeepSeek’s services”.

DeepSeek has since been trying to rectify this issue. Their status updates have confirmed that the company is currently facing the said large-scale malicious attacks, which have impacted new user registrations. The company has acknowledged this issue, and as of 1st February, they have identified the threat and are actively working on implementing security fixes to address these attacks.

The surge in DeepSeek’s adoption has likely contributed to its growing security risks.  Stephen Kowski, Field CTO at SlashNext, warned that DeepSeek’s rising popularity has made it an attractive target for cybercriminals. He noted that the platform’s growing exposure is drawing attention from threat actors looking to disrupt services, gather intelligence, or exploit its infrastructure for malicious activities.

According to Netskope, a global cybersecurity firm based in California, United States, their latest data revealed a 1,052% increase in DeepSeek usage within 48 hours across its global customer base.

Further research by Netskope Threat Labs observed DeepSeek being used in 48% of organisations, while the remaining 52% either showed no activity or had restricted generative AI applications. Geographically, DeepSeek usage spiked 415% in the U.S., 1,256% in Europe, and a staggering 2,459% in Asia, reflecting the model’s rapid international traction.

Ray Canzanese, Director of Netskope Threat Labs, attributed this rise to the launch of DeepSeek’s new R1 model, which led to a peak in user engagement on January 28, followed by a decline on January 29 as organisations began blocking the platform.

“At this stage, many people are simply trying out the new model because it is new,” Canzanese noted, emphasising that the long-term adoption of DeepSeek remains uncertain. Netskope is closely monitoring these trends as companies evaluate the security implications of integrating DeepSeek into their workflows.

A Wake-Up Call for the AI Arms Race

The rapid adoption of DeepSeek highlights both its growing influence in the AI industry and the security risks that come with it. While its open-source approach and cost-effective development make it an attractive alternative to Western models, the discovery of critical vulnerabilities raises concerns about its safety and regulatory oversight.

As AI technology continues to evolve, organisations and public users must carefully evaluate the risks before integrating new models into their operations or using it for leisure. As the China-based startup faces the challenges of these controversies, the long-term success of DeepSeek will depend on how effectively these risks are addressed moving forward.