
A recently discovered issue has raised security concerns around the popular DeepSeek chatbot, which became the most downloaded app in the U.S. According to security experts, the website for this Chinese AI company contains hidden code that might be sending user login details to China Mobile, a state-owned telecom firm blacklisted from operating in the United States.
Researchers found that DeepSeek’s web login page features obscure code that, when decoded, reveals connections to China Mobile’s infrastructure. This connection suggests that the login and user creation process for the chatbot may be directly linked to China Mobile. The chatbot’s privacy policy mentions that user data is stored on servers located in China, but this recent discovery indicates a closer tie to the Chinese government than previously understood.
The U.S. government has imposed sanctions on China Mobile, citing its alleged ties to the Chinese military. These concerns are amplified by the broader issue of Chinese-controlled digital services raising alarms about U.S. national security. The matter becomes even more pressing considering that generative AI platforms like DeepSeek can handle sensitive personal and business data, which could be exploited by adversaries.
The issue was first identified by Feroot Security, a Canadian cybersecurity firm, which discovered the code pointing to China Mobile. Although the testing didn’t show any data transfer to China Mobile, it’s unclear if certain user data is being sent through this route. Researchers also clarified that their analysis only applied to the web version of DeepSeek and not the mobile app, which continues to rank among the most downloaded apps.
The United States Federal Communications Commission (FCC) blocked China Mobile from operating within the U.S. in 2019, citing national security risks. In response to concerns over the company’s links to the Chinese government, the Biden administration has also imposed sanctions, limiting American investments in the company. However, some experts, including Ivan Tsarynny, CEO of Feroot, have criticized the lack of awareness about the risks posed by such links, expressing disbelief that more isn’t being done to protect citizens’ data.
The potential implications are vast. As more users input sensitive information into generative AI platforms, the security risks grow. The situation becomes even more alarming when the platform is connected to a geopolitical rival, raising concerns that personal, proprietary, and business-related data could be exposed. Feroot’s analysis reveals that the code might capture specific information about a user’s device, such as its fingerprint, making the security risks more complex.
Security experts have verified the findings independently, confirming the suspicious connection between DeepSeek and China Mobile. This raises further questions about the integrity of the platform and the possible vulnerabilities that could be exploited, especially as it continues to gain popularity in North America.