DeepSeek faces surging cyberattacks, US IPs among thousands targeting Chinese AI start-up
Chinese AI start-up DeepSeek has been subjected to a series of sophisticated and large-scale cyberattacks over the past month, according to XLab, a Chinese cybersecurity firm. The attacks, which began in early January, have escalated significantly in both scale and complexity, posing unprecedented challenges to DeepSeek's operations and data security, experts from the XLab told the Global Times on Wednesday and warned that the attacks are expected to continue in the future.
The lab told the Global Times on Wednesday that there are still HTTP proxy attacks targeting DeepSeek. The monitored source IPs range from hundreds to thousands, most of which are located in the US, Singapore, the Netherlands, Germany, and domestically, according to XLab.
DeepSeek on Tuesday launched a new open-source multimodal model Janus-Pro, an upgraded version of its earlier Janus model, which significantly enhances multimodal understanding and visual generation capabilities. Earlier in January the company released the latest open-source model DeepSeek-R1, which has achieved an important technological breakthrough - using pure deep learning methods to allow AI to spontaneously emerge with reasoning capabilities.
In her first press briefing on Tuesday (local time), US Press Secretary Karoline Leavitt while talking about DeepSeek, a Chinese artificial intelligence company that develops open-source large language models, said that as per US President Trump, this is a wake up call for American AI.
DeepSeek reportedly released an announcement on Tuesday saying that its online services had recently been subjected to large-scale malicious attacks. To ensure continued service, the company had temporarily restricted registration methods other than those with +86 mobile phone numbers.
The Global Times reporter tried to open the API (Application Programming Interface) platform of DeepSeek Wednesday morning, but the website displays a notice saying that the platform is undergoing maintenance and upgrade and that it's currently inaccessible.
DeepSeek has been subjected to large-scale and sustained DDoS attacks since January 3 or 4, and the methods escalated on January 27 and 28, significantly increasing the difficulty of defense, making it more effective, and even impacting registration access, according to XLab.
In addition to DDoS attacks, analysis has revealed a large number of password brute-force attacks. DeepSeek's AI services and data are undergoing unprecedented security challenges, according to the XLab's report.
XLab noted in its report to the Global Times that the changes in methods made it harder to defend against the attacks. The laboratory has been closely monitoring the network attacks since DeepSeek's launch and has found that the attacks can be divided into three phases:
In the first phase, on January 3, 4, 6, 7, and 13, suspected HTTP proxy attacks were observed. During this period, XLab detected a large number of proxy requests attempting to connect to DeepSeek, likely indicative of HTTP proxy attacks.
During phase two on January 20 and from January 22 to 26, the attack methods shifted to SSDP and NTP reflection amplification. During this time, XLab found that the main attack methods were SSDP and NTP reflection amplification, with a small number of HTTP proxy attacks. Generally, defending against SSDP and NTP reflection amplification attacks is simpler and easier to clean up.
In the last phase on January 27 and 28, the number of attacks surged, and the methods shifted to application layer attacks. Starting on the 27th, XLab identified that the main attack method changed to HTTP proxy attacks, which simulate normal user behavior. Compared to classic SSDP and NTP reflection amplification attacks, the difficulty of defense has significantly increased, making these attacks more effective.
XLab noted that the peak of the attacks on January 28 occurred between 03:00 and 04:00 Beijing time, corresponding to 14:00 to 15:00 Eastern Standard Time. This time window indicates that the attacks have cross-border characteristics and XLab said it may not rule out the possibility of targeted strikes against the availability of overseas services.
Additionally, starting at 03:00 on January 28, the DDoS attacks were accompanied by a large number of brute-force attacks. All the IPs involved in the brute-force attacks originated from the US. XLab's data indicates that half of these IPs are VPN exits, suggesting that this may be related to DeepSeek's restrictions on overseas mobile users.
Security experts from XLab said this large-scale attack is not an isolated incident. In recent years, cyberattacks targeting high-tech enterprises have become severe. The motivations of attackers are complex, ranging from commercial competition to attempts to steal core technology data, and even include hacker organizations with national backgrounds attempting to hinder the development of China's high-tech industry through attacks.
From attacks against Black Myth: Wukong to DeepSeek, the attacks they have encountered demonstrated that as China continues to rise in the field of high technology, malicious attacks from foreign hackers are also increasing. These attacks can lead to serious consequences such as service interruptions and data breaches, and they may also negatively impact China's technological image and international competitiveness. So the top priority [for China] now is to strengthen cybersecurity protection, XLab experts told the Global Times.
