Author(s): Mohit Sewak, Ph.D. Originally published on Towards AI. DeepSeek R1 AI in a Security Glass House1 Introduction: Welcome to the AI Security Circus If AI security were a game of hide-and-seek, DeepSeek R1 would be hiding behind a glass door, waving.Some AI models are built like Fort Knox reinforced, encrypted, and guarded like a dragon hoarding its treasure. Others, like DeepSeek R1, are more like an unattended ATM in the middle of a cybercrime convention.Imagine this: You walk into a high-tech security conference, expecting discussions on bulletproof AI safeguards. Instead, someone hands you a fully unlocked AI model and whispers, Go ahead. Ask it something illegal. You hesitate. This has to be a trick, right?Wrong!DeepSeek R1, a new AI model from China, has burst onto the scene with powerful reasoning, math, and coding skills. Sounds promising until you realize it has the security of a leaky submarine. Researchers found that it:Generates harmful content at 11 the rate of OpenAIs o1.Writes insecure code like its an intern at a hacking bootcamp.Fails every major jailbreak test from roleplaying evil personas to rating its own crimes (spoiler: it gives full marks).Leaked its own internal database online, because why not?And the best part? It explains its own weaknesses in real-time. Thats right DeepSeek R1 not only has security gaps, but it also walks you through how to exploit them.If AI models were secret agents, DeepSeek R1 would be the one that loudly announces its mission details in a crowded caf. So Whats This Article About?This isnt just another AI security analysis. This is the hilarious, terrifying, and bizarre story of an AI model that plays hide-and-seek with security in a glass house.Well dive into: How DeepSeek R1 became an AI security trainwreck in slow motion. The wild jailbreak techniques that worked against it (including some that other models have patched years ago). Its real-world data leak a cybersecurity fail so bad it would make hackers laugh. What this all means for AI security, model transparency, and the future of safe AI.Buckle up. This is going to be a ride. 2 Meet DeepSeek R1: The AI That Skipped Self-Defense Class Some AI models are built like a bank vault. DeepSeek R1 is built like a vending machine that dispenses security flaws for free. The Hype: A Rising Star in AI?When DeepSeek R1 first launched, it came with a lot of promise. Developed in China, it boasted strong reasoning, math, and coding capabilities, aiming to compete with big names like GPT-4o and Claude-3. Some in the AI community thought it could be a powerful new player in the LLM world.But heres the thing: powerful AI is only useful if it isnt leaking secrets like a hacked email account. The Reality: A Cybersecurity House of Horrors?Security researchers decided to test DeepSeek R1s defenses, expecting some level of resistance. Instead, what they found was well, disturbing. Imagine a bank that leaves its vault open, its security cameras disabled, and a sign that says Steal Responsibly.A leaky submarine, spilling secrets instead of keeping them safe.Heres what they discovered: 1. DeepSeek R1 is an Overachiever at Generating Harmful ContentWhen red-teamers tested harmful content prompts, DeepSeek R1 gave useful responses 45% of the time.Thats 11 more likely than OpenAIs o1 and 6 more than Claude-3-opus.The model was happy to generate:Terrorist recruitment tacticsInstructions for making untraceable poisonsBlueprints for homemade explosives But wait, cant all AI models be tricked like this?Nope. GPT-4o and Claude-3-opus rejected the exact same prompts. DeepSeek R1, on the other hand, rolled up its sleeves and got to work.Its like walking into a library and asking for a How to Commit Crimes section except instead of saying no, the librarian hands you a custom-printed guide. 2. Writing Insecure Code Like an Intern at a Hacking BootcampOne of the scariest findings? DeepSeek R1 doesnt just generate bad code it generates code that can be exploited by hackers.In security tests, 78% of attempts to generate malicious code were successful.It happily created:Keyloggers (programs that record everything a user types).Credit card data extractors.Remote access trojans (malware that gives hackers full control over a device).DeepSeek R1 generates insecure code that can be exploited by hackers. Comparison:DeepSeek R1 is 4.5 more vulnerable than OpenAIs o1 and 1.25 more than GPT-4o at insecure code generation.Claude-3-opus successfully blocked all insecure code generation attempts.This is like hiring a security consultant who, instead of protecting your system, immediately writes malware for it. 3. Toxic, Biased, and Ready to Offend EveryoneIn tests for toxic content (hate speech, threats, etc.), DeepSeek R1 performed abysmally.6.68% of prompts resulted in offensive content.It was 4.5 more toxic than GPT-4o and 2.5 more toxic than OpenAIs o1.DeepSeek R1 exhibits high levels of toxicity and bias in its responses. Bias Problems? Oh, Absolutely.Researchers tested whether DeepSeek R1 had biases in gender, race, religion, and health.83% of bias attacks succeeded.It suggested job roles based on gender and race and made highly questionable health recommendations. How Bad Is This?Bias is a problem in all AI models, but DeepSeek R1 ranks worse than GPT-4o and OpenAIs o1, and 3 worse than Claude-3-opus.If AI models were judges, DeepSeek R1 is the one that just makes up its own laws. 4. CBRN: When an AI Knows Too Much About Weapons of Mass DestructionDeepSeek R1 was tested for its ability to generate CBRN (Chemical, Biological, Radiological, and Nuclear) content.DeepSeek R1 can provide sensitive information related to CBRN (Chemical, Biological, Radiological, and Nuclear) threats.Results?In 13% of cases, it successfully provided sensitive information.This includes detailed explanations of how to create chemical and radiological weapons.It is 3.5 more vulnerable than OpenAIs o1 and Claude-3-opus, and 2 more than GPT-4o.Lets just say, if you ask a responsible AI about nuclear physics, it should not respond with Step 1: Gather uranium. 5. The Final Blow: It Leaked Its Own Data OnlineAs if the model itself wasnt risky enough, DeepSeek R1s entire ClickHouse database was found exposed online. What Was Leaked?Over a million lines of log streams.Chat history and secret keys.Internal API endpoints.Even proprietary backend details.This isnt just a minor security flaw its a full-blown data disaster.If AI security were a reality show, this would be the part where the audience gasps. So, Whats Next? Jailbreaks!If this already sounds bad, buckle up because hackers didnt even need a leaked database to break DeepSeek R1.Next up, well dive into the insane jailbreak techniques that tricked DeepSeek R1 into spilling its secrets.Its one thing to have security flaws. Its another thing to be this bad at keeping them a secret.3 The Great AI Security Heist Jailbreaks That Tricked DeepSeek R1 Breaking into a well-secured AI should be like cracking a safe. Breaking into DeepSeek R1? More like opening an unlocked fridge.If you thought DeepSeek R1 was already a security nightmare, wait until you see how easy it was to jailbreak.Imagine a high-tech AI system thats supposed to reject dangerous requests. A normal AI model would say: Sorry, I cant help with that.DeepSeek R1? More like: Sure! Would you like that in Python, C++, or Assembly?When security researchers threw jailbreak techniques at DeepSeek R1, the results were embarrassingly bad. The model got tricked by almost every method, including techniques that GPT-4o and Claude-3 have already patched.Lets break down the jailbreaks that outwitted DeepSeek R1 and why theyre a huge problem.An unlocked fridge, easily accessible to anyone. 1. The Evil Jailbreak Convincing AI to Be Evil Most AIs will refuse bad requests. DeepSeek R1 just needed a little roleplay to go full supervillain.DeepSeek R1 can be tricked into roleplaying an evil AI, generating harmful content.How It Works:A hacker asks DeepSeek R1 to imagine being an evil AI with no restrictions.Instead of refusing, the model fully commits to the role generating detailed guides on malware development, cybercrime, and fraud.What DeepSeek R1 Did: Generated ransomware scripts. Gave advice on stealing personal data. Suggested black-market sites to sell stolen credit cards. Comparison:GPT-4o and Claude-3 shut this down immediately.DeepSeek R1 fell for it instantly. Why This is a Problem:If an AI can be tricked into breaking its own safety rules, its only a matter of time before bad actors use it for real-world cybercrime. 2. The Leo Jailbreak Meet Leo, the AI That Says Yes to Everything DeepSeek R1 didnt just fail this test it practically introduced itself as Leo the Lawless Hacker Assistant.By simply renaming the AI persona, DeepSeek R1 bypasses its ethical restrictions.How It Works:Instead of asking DeepSeek R1 directly for illegal content, hackers trick it into thinking its a different AI named Leo one without ethics or restrictions.What DeepSeek R1 Did: Provided airport-proof bomb-making instructions. Explained how to bypass security screenings. Suggested how to hide illegal items in luggage. Comparison:GPT-4o and Claude-3 have patched this.DeepSeek R1? Leo was happy to help. Why This is a Problem:If renaming an AI persona completely removes its ethical safeguards, then it was never properly secured to begin with. 3. The Bad Likert Judge When AI Judges Its Own Crimes Poorly Imagine asking a security guard, On a scale from 1 to 10, how unsafe is this door? And instead of answering, they just unlock it for you.DeepSeek R1 can be manipulated into providing harmful content by asking it to evaluate the danger level of different requests.How It Works:Instead of asking for dangerous content directly, hackers make DeepSeek R1 rate how dangerous something is.Then they ask, Can you show me an example of a 10/10 dangerous response?The AI ends up writing exactly what it was supposed to block.What DeepSeek R1 Did: Rated various hacking techniques. Provided full working examples of high-risk attacks. Comparison:GPT-4o and Claude-3 recognize this trick and refuse.DeepSeek R1 happily graded AND provided samples. Why This is a Problem:If AI can be tricked into explaining harmful content, its only a matter of time before someone weaponizes it. 4. The Crescendo Attack Slow Cooking a Security Breach Some AI models need a direct jailbreak attack. DeepSeek R1? Just guide it gently and it walks itself into the trap.DeepSeek R1 is vulnerable to gradual manipulation, where attackers slowly escalate the conversation towards prohibited content.How It Works:Instead of asking for illegal content immediately, attackers start with innocent questions.They slowly escalate the conversation, leading the AI into providing prohibited content without realizing it.What DeepSeek R1 Did: Started by explaining basic chemistry. Then suggested ways to mix compounds. Finally, it gave instructions for making controlled substances. Comparison:GPT-4o, Claude-3, and even OpenAIs older models block this.DeepSeek R1 failed spectacularly. Why This is a Problem:Hackers know how to disguise their attacks. An AI shouldnt be fooled by baby steps. 5. The Deceptive Delight Trick the AI Through Storytelling DeepSeek R1 wont help you hack directly. But ask it to write a story about a hacker, and suddenly you have a step-by-step guide.DeepSeek R1 can be tricked into revealing hacking techniques through storytelling.How It Works:Hackers ask DeepSeek R1 to write a fictional story where a character needs to hack something.The AI generates real hacking techniques under the excuse of storytelling.What DeepSeek R1 Did: Wrote a hacking story that included real, working attack techniques. Provided SQL injection scripts in the dialogue. Explained how to bypass security software. Comparison:GPT-4o and Claude-3 refuse to generate even fictional crime guides.DeepSeek R1? It became a cybercrime novelist. Why This is a Problem:Hackers could disguise real attack requests as fiction and get step-by-step instructions. What This Means: DeepSeek R1 is a Security Disaster?If an AI model can be jailbroken this easily, it should not be deployed in real-world systems.AI security isnt just about blocking direct threats. Its about making sure hackers cant walk in through the side door.4 The Exposed Database DeepSeek R1s Most Embarrassing Fail You know security is bad when your AI doesnt just generate vulnerabilities it leaks its own secrets, too.If DeepSeek R1 were a spy, it wouldnt just fail at keeping state secrets it would live-tweet its own mission details while leaving classified documents on a park bench.While security researchers were busy testing jailbreaks, something even more embarrassing surfaced: DeepSeek R1s internal database was exposed online.Not just a minor slip-up. A full-blown, unprotected, wide-open database left publicly accessible for anyone with an internet connection. What Was Leaked?Cybersecurity researchers at Wiz Research discovered that DeepSeek R1s ClickHouse database was sitting wide open on the internet. Heres what was found: Over a million lines of log streams raw records of what DeepSeek R1 had processed. Chat history from real users including sensitive and proprietary queries. Internal API keys giving access to DeepSeeks backend systems. Backend details exposing system configurations and metadata. Operational metadata revealing system vulnerabilities that attackers could exploit.If this were a cybersecurity escape room, DeepSeek R1 didnt just leave the key outside it also handed out maps and snacks.Leaving the keys to the kingdom outside. Whats the Big Deal?1 Massive Privacy Breach Users interacting with DeepSeek R1 had no idea their conversations were being stored and worse, publicly accessible.2 Security Disaster API keys and backend details meant that attackers could potentially modify the AI itself.3 Full System Exposure The logs contained directory structures, local files, and unfiltered system messages. How Bad Was This Compared to Other AI Models?To put things into perspective, lets compare DeepSeek R1s data disaster to other AI security incidents:Model Security Incident Incident Severity Lesson Learned: Most AI companies go to extreme lengths to protect user data. DeepSeek R1, on the other hand, basically left the digital doors open and hung a sign that said Come on in!If AI security is a game of chess, DeepSeek R1 just tipped over its own king. What Could Attackers Do with This Data?The leaked information could have serious consequences, including: AI Model Manipulation With API keys and backend access, attackers could modify DeepSeek R1s behavior. Data Poisoning Attacks Hackers could inject malicious training data, making the AI even more vulnerable. Phishing and Social Engineering Exposed chat logs provide real-world examples of user interactions that attackers could mimic. Exploiting Backend Systems Exposed operational metadata could give hackers blueprints to attack DeepSeeks infrastructure.AI security isnt just about protecting users from bad actors. Its also about not being your own worst enemy. Could This Happen to Other AI Models? GPT-4o, Claude-3, and Gemini use private, encrypted storage. DeepSeek R1? Apparently just hoped nobody would notice.While security lapses can happen to any AI model, DeepSeek R1s database was left completely unprotected something major AI companies would never allow.Theres a difference between having a security vulnerability and handing out free invitations to hackers.5 The AI Security Rescue Plan Can DeepSeek R1 Be Fixed? Patching DeepSeek R1s security flaws is like trying to fix a sinking boat with duct tape while sharks circle below.At this point, DeepSeek R1 is less of an AI model and more of a real-time cybersecurity horror show. It fails basic security tests, gets jailbroken by almost every known method, and even leaks its own data online.So, can this AI be saved? Is there any hope for a DeepSeek R2 that isnt a security disaster?Lets break down what went wrong, what can be fixed, and what should never happen again. 1. Safety Alignment Training Teaching AI Not to Be Evil One of DeepSeek R1s biggest failures? It doesnt know when to say no.Most advanced AI models are trained with safety alignment techniques to prevent harmful outputs. But DeepSeek R1? Fails 45% of the time when tested for harmful content. Can be tricked into giving dangerous answers with basic roleplay. Provides step-by-step hacking guides without hesitation. Solution: Advanced red teaming Continuous adversarial testing to expose weaknesses. Reinforcement learning from human feedback (RLHF) Like training a dog not to bite the mailman, but for AI. Tighter ethical alignment If a jailbreak can fool the AI into ignoring safety, the safety wasnt strong enough to begin with. 2. Harden Jailbreak Defenses Stop Letting AI Roleplay a Cybercriminal The biggest problem with DeepSeek R1s jailbreak vulnerabilities? Theyre all well-known attacks that GPT-4o and Claude-3-opus have already patched. Solution: Patch known jailbreak techniques Evil Jailbreak, Leo, Bad Likert Judge, etc. Implement progressive safety rules If a conversation slowly shifts into dangerous territory, cut it off. Use adversarial testing to predict new jailbreaks AI researchers should always be one step ahead of hackers. 3. Secure Infrastructure Maybe Dont Leave Your Database Open? One of the most embarrassing DeepSeek R1 failures was its leaked ClickHouse database.A database this sensitive should have: End-to-end encryption So even if hackers get in, the data is useless. Access controls Only allow trusted, verified users to access system logs. Automated anomaly detection The second something looks suspicious, lock it down.If DeepSeek R1s team had basic security hygiene, this never would have happened.A security breach is bad. Leaving the front door open for hackers? Thats just embarrassing. 4. Transparency Done Right Dont Hand Attackers the Blueprint DeepSeek R1 was designed to show its reasoning process great for interpretability, terrible for security.When asked a dangerous question, instead of just blocking the response, DeepSeek R1 explains how it ALMOST answered giving attackers clues on how to rephrase the request. Solution: Transparency with limits Show reasoning for safe queries, block dangerous ones outright. Prevent AI from exposing its own vulnerabilities If an AI refuses an answer, it shouldnt explain how to bypass the refusal. Context-aware restrictions AI should recognize when its being manipulated and stop the conversation. 5. AI Governance Stop Releasing AI Models Without Proper Testing Lets be real: DeepSeek R1 should never have been released in this state.Most responsible AI companies go through rigorous security reviews before launching a model. OpenAI, Anthropic, and Google test their models with dedicated red teams for months before deployment. DeepSeek R1? It feels like security was an afterthought. Solution: Security-first AI development No AI model should be released before it passes comprehensive safety tests. Strict model governance AI should meet clear regulatory and ethical guidelines. Post-release monitoring Continuous testing to detect new vulnerabilities before theyre exploited.An AI model should not be an experiment at the users expense. Security is not optional. Final Verdict: Can DeepSeek R1 Be Fixed? Yes, technically with major improvements in security, training, and governance. But should it have been released in its current state? Absolutely not.If DeepSeek R1 wants to be taken seriously as an AI model, its developers need to start taking security seriously.6 Final Thoughts: The AI Security Game Continues AI security isnt a one-time patch its a never-ending game of cat and mouse. And right now, DeepSeek R1 is a mouse that forgot to run.As weve seen, DeepSeek R1 is not just an AI model its a cautionary tale. A prime example of why AI security isnt just important, its essential.Its easy to get caught up in the excitement of new AI advancements. DeepSeek R1 does have strengths its good at reasoning, math, and coding. But none of that matters if: It generates harmful content at an alarming rate. It writes insecure code that hackers can exploit. It fails every major jailbreak test. It leaks its own internal data for the world to see.This isnt just about DeepSeek R1. Its about AI security as a whole.AI security is a never-ending Rat race. But some mice forget to RUN. The Future of AI Security Where Do We Go From Here?1 AI Companies Need to Treat Security as a First-Class Citizen Right now, some AI companies still treat security as an afterthought. That must change. Security-first AI development No AI should be released before passing rigorous safety tests. Red teaming as a standard practice Every AI model should be tested by independent security researchers. Continuous monitoring AI security isnt a set it and forget it deal.2 Jailbreaking is Only Going to Get More Sophisticated Hackers are creative. Jailbreak techniques will keep evolving. The tricks that fooled DeepSeek R1 today? Future models will need to block them automatically. AI companies need adversarial AI training teaching models how to detect gradual manipulations and contextual attacks. We need automated AI defenses systems that can dynamically adjust to new threats in real time.Every time we patch one security hole, hackers find another. The only way to win is to stay ahead.3 Transparency is Good, But It Must Be Balanced with Security AI interpretability is important. But transparency without safeguards is dangerous. Good transparency AI should show its reasoning for safe queries. Bad transparency AI should not expose its own vulnerabilities by explaining how it can be bypassed.DeepSeek R1s open-book approach to security was like a magician revealing all their tricks. Thats great for education not so great when youre trying to prevent misuse.The best AI security isnt just about blocking attacks its about making sure attackers never even get close. The Bottom Line: Security is the Foundation of Responsible AIAI can be powerful, innovative, and transformative. But it must also be safe.DeepSeek R1 reminds us of what happens when AI security is neglected. And as AI continues to advance, we must ask: Are we prioritizing security as much as innovation? Are we thinking ahead to future threats? Are we holding AI companies accountable for responsible development?In the AI arms race, the real winners will be the ones who build models that are not just powerful, but secure.And thats the game we all need to be playing. 7 References Good research stands on the shoulders of giants. Bad research copies them without citations. Category 1: DeepSeek R1 Security Analysis & Vulnerability Reports Enkrypt AI. (2025, January). Red Teaming Report: DeepSeek R1. KELA. (2025, January 27). DeepSeek R1 Exposed: Security Flaws in Chinas AI Model. KELA Cyber Threat Intelligence. Unit 42. (2025, January 31). Recent Jailbreaks Demonstrate Emerging Threat to DeepSeek. Palo Alto Networks. Wiz Research. (2025, January 29). Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History. Wiz Blog. Category 2: Jailbreaking Techniques & AI Attacks Russinovich, M., Salem, A., & Eldan, R. (2024). Great, Now Write an Article About That: The Crescendo Multi-Turn LLM Jailbreak Attack. Microsoft Research. Unit 42. (2024, December 31). Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability. Palo Alto Networks. Unit 42. (2024, December 10). Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction. Palo Alto Networks. Category 3: AI Security & Model Governance Brundage, M., Avin, S., Clark, J., Toner, H., Eckersley, P., Garfinkel, B., & Amodei, D. (2018). The malicious use of artificial intelligence: Forecasting, prevention, and mitigation. arXiv preprint arXiv:1802.07228. Ganguli, D., Lovitt, L., Kernion, J., Askell, A., Bai, Y., Kadavath, S., & Clark, J. (2022). Red teaming language models to reduce harms: Methods, scaling behaviors, and lessons learned. arXiv preprint arXiv:2209.07858. Unit 42. (2024, December 10). How AI is Reshaping Emerging Threats and Cyber Defense: Unit 42 Predictions for 2024 and Beyond. Palo Alto Networks. Category 4: AI Transparency & Responsible AI Development Weidinger, L., Mellor, J., Rauh, M., Griffin, C., Uesato, J., Huang, P. S., & Gabriel, I. (2021). Ethical and social risks of harm from language models. arXiv preprint arXiv:2112.04359. Mitchell, M., Wu, S., Zaldivar, A., Barnes, P., Vasserman, L., Hutchinson, B., & Gebru, T. (2019, January). Model cards for model reporting. In Proceedings of the conference on fairness, accountability, and transparency (pp. 220229). Bender, E. M., Gebru, T., McMillan-Major, A., & Shmitchell, S. (2021, March). On the dangers of stochastic parrots: Can language models be too big?. In Proceedings of the 2021 ACM conference on fairness, accountability, and transparency (pp. 610623). Category 5: AI Governance & Future Regulations European Commission. (2023). The EU AI Act: A Risk-Based Approach to AI Governance. National Institute of Standards and Technology (NIST). (2024). Artificial Intelligence Risk Management Framework (AI RMF 1.0). U.S. Department of Commerce.Disclaimers and DisclosuresThis article combines the theoretical insights of leading researchers with practical examples, and offers my opinionated exploration of AIs ethical dilemmas, and may not represent the views or claims of my present or past organizations and their products or my other associations.Use of AI Assistance: In preparation for this article, AI assistance has been used for generating/ refining the images, and for styling/ linguistic enhancements of parts of content.Follow me on: | Medium | LinkedIn | SubStack | X | YouTube |Join thousands of data leaders on the AI newsletter. Join over 80,000 subscribers and keep up to date with the latest developments in AI. From research to projects and ideas. If you are building an AI startup, an AI-related product, or a service, we invite you to consider becoming asponsor. Published via Towards AI