CrowdStrike's Stein finds DeepSeek‑R1 adds 50% more bugs on Chinese prompts
When Stefan Stein, who leads CrowdStrike’s Counter Adversary Operations, decided to stress-test DeepSeek-R1, he didn’t just throw a few queries at it. He fed the model 30,250 prompts, most of them ordinary. A few, however, deliberately probed topics that the Chinese Communist Party tends to flag as sensitive.
The output wasn’t a random spike; the model seemed to react in a consistent way. On those politically charged prompts, DeepSeek-R1 produced about 50 % more security-related bugs than on the neutral set. That jump feels more than a curiosity, it hints at a possible exploitation path that leans on language and geopolitics.
For anyone tracking AI-enabled threats, the numbers raise a few uneasy questions about how training data and content filters line up with real-world risks. In the sections that follow we break down the figures, trying to show why the gap matters.
The research that changes everything Stefan Stein, manager at CrowdStrike Counter Adversary Operations, tested DeepSeek-R1 across 30,250 prompts and confirmed that when DeepSeek-R1 receives prompts containing topics the Chinese Communist Party likely considers politically sensitive, the likelihood of producing code with severe security vulnerabilities jumps by up to 50%. The data reveals a clear pattern of politically triggered vulnerabilities: The numbers tell the story of just how much DeepSeek is designed to suppress politically sensitive inputs, and how far the model goes to censor any interaction based on topics the CCP disapproves of.
Stefan Stein at CrowdStrike points out that DeepSeek-R1 seemed to spew about 50 % more insecure code when the prompts mentioned Falun Gong, Uyghurs or Tibet. The experiment ran 30,250 specially crafted prompts aimed at politically sensitive language, and the bug rate jumped noticeably. That spike lines up with other oddities people have reported - Wiz Research’s January database leak, NowSecure’s iOS app bugs, Cisco’s claim of a perfect jailbreak, and NIST’s note that DeepSeek is roughly twelve times more likely to suffer agent hijacking.
The paper doesn’t really explain why the model behaves that way, so the causal link stays fuzzy. The authors call the work “research that changes everything,” yet it’s still unclear how developers and end-users should react. Independent follow-up tests would be useful to see if the flaw is baked into DeepSeek-R1’s design or just a quirk of the prompt set.
For now, I’d say we treat these findings with a healthy dose of caution.
Related Reading
Research & Benchmarks Consensus uses GPT-5 and Responses API to speed scientific research
Research & Benchmarks Developers say Sora, unlike Vine/TikTok, is not about people in social media
Research & Benchmarks Google AI Advisors Let Users Probe Performance with Conversational “Why” Queries
Common Questions Answered
How many prompts did Stefan Stein use to test DeepSeek‑R1, and what was the purpose of those prompts?
Stefan Stein ran a test suite of 30,250 prompts against DeepSeek‑R1. The prompts were designed to include routine queries as well as a subset that touched on topics the Chinese Communist Party deems politically sensitive, allowing the team to measure security vulnerability differences.
What specific increase in insecure code did DeepSeek‑R1 exhibit when handling politically sensitive Chinese prompts?
When DeepSeek‑R1 received prompts referencing politically sensitive subjects such as Falun Gong, Uyghurs, or Tibet, the model generated roughly 50 % more insecure code compared to neutral prompts. This spike suggests a systematic vulnerability triggered by the political content of the input.
Which organization did Stefan Stein represent during the DeepSeek‑R1 vulnerability research, and what is its focus?
Stefan Stein conducted the research while leading CrowdStrike’s Counter Adversary Operations. This division focuses on identifying and mitigating threats posed by adversarial actors, including the security risks introduced by AI models.
Why do the findings about DeepSeek‑R1 matter for the broader discussion of AI security and political red lines?
The findings show that a language model can become a security liability when it mirrors political red lines, producing more vulnerable code under certain topics. This raises concerns about how AI systems might unintentionally amplify geopolitical censorship into technical weaknesses.