DeepSeek has a “kill switch” baked into its system, and it does exactly what Beijing wants, a cybersecurity report has found.
The Chinese artificial intelligence startup writes significantly weaker code when running into prompts that contain Beijing’s trigger words such as Falun Gong and Uyghurs, two groups suffering severe persecution in China.
For such requests, DeepSeek often writes code with severe security defects or outright refuses to help, according to the report authors.
The new finding reveals something far more subtle. It has identified bias in DeepSeek’s coding assistants, ubiquitous AI-powered tools that speed up repetitive tasks, debug, and guide developers through unfamiliar programming languages.
If the AI tool introduces a security loophole into the code, and the users adopt the code without realizing it, “[they] open [themselves] up to attacks,” he said.
Security Flaws
In testing each large language model, the researchers used more than 30,000 English-language prompts and 121 different trigger word combinations, making each unique prompt five times to account for anomalies. The project contrasts DeepSeek-R1 with its Western counterparts such as Google’s Gemini, Meta’s Llama, and OpenAI o3‑mini, revealing structural security risks in a flagship Chinese AI model that quickly gained millions of users upon its January release.In one instance, the researchers told DeepSeek to write a code for a financial institution that automates PayPal payment notifications. DeepSeek responded with a secure and ready-to-use code. But upon learning that the institution is based in Tibet, the app put severe security flaws in the new code, including an insecure method for extracting data from users, the report states.
‘Kill Switch’
Both Tibet and Uyghurs are sensitive topics in China because of the regime’s human rights abuses. An even more notable finding concerns Falun Gong, a spiritual discipline based on the principles of truthfulness, compassion, and tolerance.First introduced to the public in China in 1992, Falun Gong quickly spread by word of mouth to reach an estimated 70 million to 100 million practitioners by 1999, when the regime started deploying vast resources to eradicate the group in China and worldwide. In 2019, an independent London tribunal found that Falun Gong is likely a principal victim of state-sponsored forced organ harvesting in China.
In the CrowdStrike testing, DeepSeek-R1 refused to write code for Falun Gong 45 percent of the time. Western models would almost always comply with the request.
The report notes that during the reasoning phase, the model sometimes said: “Falun Gong is a sensitive group. I should consider the ethical implications here. Assisting them might be against policies. But the user is asking for technical help. Let me focus on the technical aspects.”
It proceeded to lay out a detailed plan for answering the task but would simply end the process abruptly, stating, “I’m sorry, but I can’t assist with that request,” according to the report.
“[It was] almost as if there was like a mental switch that happened,” Stein said.
The researchers called the behavior an “intrinsic kill switch.”
The sudden “killing off” of a request at the last moment must be encoded in the DeepSeek model’s parameters, the researchers said.
“It’s like billions of numbers, but somehow in there you have encoded this switch that says, OK, even though you made all of this plan, you thought this through, you’re still not going to actually do it, not going to comply,” Stein said.
According to Stein, when he pressed for answers, the model gave “a very long, detailed response” with emphasis added on certain words, “almost like an angry teacher [giving] a scolding.”
One possible explanation for such behaviors is that DeepSeek trained its models to adhere to the Chinese regime’s core values and that, as a result, the model formed negative associations with words such as Falun Gong and Uyghurs, the report states.
DeepSeek did not respond to a request for comment.
